General
-
Target
Shadow Flandre.7z
-
Size
5.0MB
-
Sample
240523-wxwmpabe9x
-
MD5
977837fbf0641bd754348edcb9bc6b63
-
SHA1
84617247c1f7406122b3e6123b396a439d0b8b83
-
SHA256
40a1da1b2e2c7f17ff7f1ef59de5884627d5fbef4076baac5b920c166c90bf65
-
SHA512
0dfab263c6cd1fd26801cd28d8e3665fa2a8bb5171683e1d55cc1b3f846b3b4b230dfa78910df0519437f51dc8fb7debdbe51342322c77dd6713fe9eab4f8554
-
SSDEEP
98304:/NfeZb0DDDMVIzsMx4RCi6Cpuye+D5P8BFmE8sy2LYjAul3lcjrT/5eXeHlh:/NM0DD4VIzsMGRCi6CLND5EBAzzhAXjz
Malware Config
Targets
-
-
Target
Shadow_Flandre/Flandre.cmd
-
Size
32KB
-
MD5
52ac669ca604da051cb1b94e270f6999
-
SHA1
1d56766b3a0d5fcaea6a3f2214ecfa6383b79ee1
-
SHA256
2dfdf4fc35a0daad8c68b61fa631e7b41c3b97c9c628efd26bec6d8485e684c2
-
SHA512
8601fac2a3a018eca97b56658f83e12c6527a9e2792d5a4ea3287e844144432c38a0fbf3043c080b364988df42e80aab9b55a6830c7e01ec11e5df1231c37d09
-
SSDEEP
384:fCcY5xWtSt92yQy9f2wawkIztUjQ+9FltQogTeND2zxG7murZZo3E+SSRzrCPKZ+:fCcY5xWtSt92yQy9eHwkMuF12t9CD
Score10/10-
Cobalt Strike reflective loader
Detects the reflective loader used by Cobalt Strike.
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies RDP port number used by Windows
-
Modifies Windows Firewall
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Modifies powershell logging option
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1