General
-
Target
-Anarchy-.miobject
-
Size
43KB
-
Sample
240614-pa3ddszeqf
-
MD5
45a0348dfe3c7aaa23e2d393592f2da0
-
SHA1
e2217f50ac53d6e557ceb366415019c791efdd53
-
SHA256
3833a5e7dbb4868fa50cf6f96c6ea8bd917192eea74180be4ce46b9f017f0610
-
SHA512
e74a14fac338fcbffa270e003c4a13ce312fc2238886814110a21e01b658d8e4c9bd9d6952e2ae13ee243f0fdf767d2070f0b0db8521003794bdc789288ba5e8
-
SSDEEP
768:yzvdBjwhijfdBTwZptdB/w1i1AQAfAAAJAvgEclmmN:y/rb6XAQAfAAAJAvgEclmmN
Malware Config
Targets
-
-
Target
-Anarchy-.miobject
-
Size
43KB
-
MD5
45a0348dfe3c7aaa23e2d393592f2da0
-
SHA1
e2217f50ac53d6e557ceb366415019c791efdd53
-
SHA256
3833a5e7dbb4868fa50cf6f96c6ea8bd917192eea74180be4ce46b9f017f0610
-
SHA512
e74a14fac338fcbffa270e003c4a13ce312fc2238886814110a21e01b658d8e4c9bd9d6952e2ae13ee243f0fdf767d2070f0b0db8521003794bdc789288ba5e8
-
SSDEEP
768:yzvdBjwhijfdBTwZptdB/w1i1AQAfAAAJAvgEclmmN:y/rb6XAQAfAAAJAvgEclmmN
Score10/10-
Cobalt Strike reflective loader
Detects the reflective loader used by Cobalt Strike.
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Contacts a large (827) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies powershell logging option
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1