Overview

overview

10

Static

static

3

2024-06-08...uk.exe

windows7-x64

10

2024-06-08...uk.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    08-06-2024 06:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-08_4668b621571f2cb47ef80c0b7468fc77_cobalt-strike_ryuk.exe

  • Size

    674KB

  • MD5

    4668b621571f2cb47ef80c0b7468fc77

  • SHA1

    cf2ec844c673ce96a2f71e5edb866dd7a3996272

  • SHA256

    89d736c530874ff26dfc820e54aa948aa48d11f94ef86928e39d47e5ff75a827

  • SHA512

    61f17ecb4527307794f32129f33e49be65dca43f7c6f42b5dae887a99765a19b8aa138b1df4ff97622b6c5be52dace39c2032fa5cad037dff2f9289d46c20eb1

  • SSDEEP

    12288:azHzoZdCL6aAIse0XZ6TuqlcVGd3ZzZ8sWJDVL4jrDnuDE3aqP5WY9d:anoZdCEIse0XgTuKccd3ZzZ8sGDVYvSy

Score
10/10
cobaltstrike426352781backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

426352781

C2

http://www.yokokawa.com.cn:443/info

http://www.douxie.cn:443/info

http://clubapi.jiaxianggame.com:443/info
Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    www.yokokawa.com.cn,/info,www.douxie.cn,/info,clubapi.jiaxianggame.com,/info

  • http_header1

    AAAAEAAAABZIb3N0OiBkZXB5LnAzcmg0cHMudG9wAAAACgAAABZDb25uZWN0aW9uOiBLZWVsLUFsaXZlAAAABwAAAAAAAAALAAAAAgAAABQmdz1YJno9QSZjPVombT1OJm49QwAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAABJBY2NlcHQ6IHRleHQvcGxhaW4AAAAKAAAAFkFjY2VwdC1MYW5ndWFnZTogY24tY24AAAAKAAAAG0FjY2VwdC1FbmNvZGluZzogdGV4dC9wbGFpbgAAAAoAAAAvQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQAAAAQAAAAFkhvc3Q6IGRlcHkucDNyaDRwcy50b3AAAAAKAAAAFkNvbm5lY3Rpb246IEtlZWwtQWxpdmUAAAAHAAAAAAAAAAgAAAAFAAAAAmlkAAAABwAAAAEAAAADAAAAAgAAABQmdz1YJno9QSZjPVombT1OJm49QwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    7680

  • polling_time

    3000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\ucsvc.exe

  • sc_process64

    %windir%\sysnative\ucsvc.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqW6Nfra+6XGGPYD0AP8xr2NyBaeVJo8YLe1WLcpayWAqfMVV+QRtrgEdXApPMEY1ilSApVV5QSZGEE7Kg4dm2wjo+cUxs/i2n3uv1KcX4IPCES0fiNGOiCmoSgge7Bwzt+H1X4xykMlbKGaVE0LIkPUf8Ii59U12/V4SozEukGQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.481970944e+09

  • unknown2

    AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /airsfda/sk

  • user_agent

    Mozilla / 5.0(Windows NT 10.0;Win64;x64) AppleWebKit / 537.36(KHTML, likeGecko) Chrome / 97.0.4692.71Safari / 537.36Edg / 97.0.1072.55

  • watermark

    426352781

Signatures

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-08_4668b621571f2cb47ef80c0b7468fc77_cobalt-strike_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-08_4668b621571f2cb47ef80c0b7468fc77_cobalt-strike_ryuk.exe"
    1⤵
      PID:2304

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2304-1-0x0000000001D50000-0x0000000001E50000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2304-2-0x0000000000310000-0x000000000035E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2304-3-0x0000000001D50000-0x0000000001E50000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2304-4-0x0000000000310000-0x000000000035E000-memory.dmp
      Filesize

      312KB

      Download