Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/05/2024, 16:14

General

  • Target

    d0386afe0232743e96c00b990dbf8377844f5cd2170f07872113d9bef0a1acf3.dll

  • Size

    772KB

  • MD5

    f075af7448af42a75588bd59e1c17ae3

  • SHA1

    ae4ef33d0ae35725ffb9339f91692954c1beed94

  • SHA256

    d0386afe0232743e96c00b990dbf8377844f5cd2170f07872113d9bef0a1acf3

  • SHA512

    4da7aa7b63c606cf7d729517202b5c484b16786351a7d770a09a9ad33415df0dbfcca2bc17a1614b90e9afccd884007d957b287ea78f4a2414744afba125a8e0

  • SSDEEP

    6144:sikOgxG+MiNiLox8Vrg33SXbJCzBeqqjqYd3CxTvovE444lT3:wG+/Ni+8qSLM4qqjqo140

Malware Config

Extracted

Family

cobaltstrike

Botnet

668694132

C2

http://sinsinnister.com:8443/ms

http://mail.sinsinnister.com:8443/ms

http://store.sinsinnister.com:8443/styles

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    sinsinnister.com,/ms,mail.sinsinnister.com,/ms,store.sinsinnister.com,/styles

  • http_header1

  • http_header2

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9984

  • polling_time

    20630

  • port_number

    8443

  • sc_process32

    %windir%\syswow64\regsvr32.exe

  • sc_process64

    %windir%\sysnative\regsvr32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCBJ2vb82ZHOUrq2izLaqMwumRwvPeYq6p+ZXM+Iy+iBWxWdd4Oc2A9TYaSf440cuBiHmS5x/Nc3X4SeLHzvufmHpi2RpRAfjEJEuSjaXU8GS3IFXtrZydnzP5RVcUc4rHSxuAI/D/qsE/ZgHZVrha9CVx6WCbbXhfRbiRFbMf1tQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.272630272e+09

  • unknown2

    AAAABAAAAAIAAAFSAAAAAwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /bm

  • user_agent

    Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202

  • watermark

    668694132

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d0386afe0232743e96c00b990dbf8377844f5cd2170f07872113d9bef0a1acf3.dll
    PID:764
    • Suspicious use of WriteProcessMemory
    • C:\Windows\system32\cmd.exe
      cmd.exe /c echo mFYSFCZWAJQDJtDFZOUbL>"C:\Users\Admin\AppData\Local\Temp\DEM36BF.tmp"&exit
      PID:2880

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM36BF.tmp

    Filesize

    23B

    MD5

    61adc41ecb61a512b770747669a50c99

    SHA1

    bbb112d7eddfb80dc9f5c2817c8f0a5b133c9d74

    SHA256

    b57e3f49929cced5d85152ab587548a6cf8be362b9c639f6760e8beba0163d0c

    SHA512

    5d3242c4a39ab746d380c7572d54ab2e0e32e69ef9b16d0bb065ec057ed7ce08323f40a41774dd5fda6a139572fd87891a31502ace6a1624858a715ea9754a17

  • memory/764-2-0x00000000028D0000-0x0000000002914000-memory.dmp

    Filesize

    272KB

  • memory/764-3-0x0000000002750000-0x00000000027CF000-memory.dmp

    Filesize

    508KB

  • memory/764-4-0x000000006BAC0000-0x000000006BB8A000-memory.dmp

    Filesize

    808KB

  • memory/764-6-0x0000000002910000-0x0000000002912000-memory.dmp

    Filesize

    8KB