General

  • Target

    2024-05-22_f4557af937f454b597e693045e8525cf_ryuk

  • Size

    6.2MB

  • Sample

    240522-c6v8qshg47

  • MD5

    f4557af937f454b597e693045e8525cf

  • SHA1

    b2971ee1202d3e13a6bc69bd749c5e0f2c3e858b

  • SHA256

    64ecc2284bcab43839a648c3dd87738a466c8585bcb48a1db43bd27c0409d1b9

  • SHA512

    9547367ee0009f8998a0d5f69df832ca88bcda62314d088a04a95228ba163d91bebd1ebcd5cc4d2f5601775f823886a0711e6b039608db951ada6109c4a0061b

  • SSDEEP

    196608:ZdfuVh+MESeE3L+ZhMBevDdep0Y+s9gQ3SEhO5swtM4:rc+bE3LtUDg6s9gQiuh

Malware Config

Extracted

  • Family

    cobaltstrike

  • Botnet

    305419896

  • C2

    http://139.155.91.159:21001/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    139.155.91.159,/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2

  • http_header1

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAIAAAAAgAAAAhQUkVGPUlEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAIAAAAAgAAABJVPTc3OWI2NGUxYTdlZDczN2EAAAACAAAACFBSRUY9SUQ9AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • polling_time

    10000

  • port_number

    21001

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCC0aD/3GAGXABkhh4WDvMbkoKUca7rtzyTXMhBNZVxo/8zOJ7XId+DTCh8r7lvAbfHfjKuMNk0dPFM4phzgmzoA012/2Y/Vdn+raT3fDQapCICpDCYZWEucKwjLOfD43A556FEv3a5kVEiE4tc+vsSaPJw0cXnhtuMnmxERXpVRwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    305419896

Targets

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Detects Reflective DLL injection artifacts

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks