Malware Analysis Report

2024-10-23 18:50

Sample ID 240626-2anlfszfkn
Target 7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463
SHA256 7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463
Tags pyinstaller cobaltstrike backdoor trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463

Threat Level: Known bad

The file 7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463 was found to be: Known bad.

Malicious Activity Summary

Tags pyinstaller cobaltstrike backdoor trojan

Cobaltstrike (Cobalt Strike beacon signature matched)

Loads dropped DLL (python27.dll extracted to %TEMP%\_MEI<n> and loaded from there)

Detects Pyinstaller

Unsigned PE

Suspicious use of WriteProcessMemory

The dropped python27.dll, _ctypes.pyd and MSVCR90.dll show that the sample is a Python 2.7 script packed with PyInstaller in onefile mode. ctypes is the usual way for such a script to allocate executable memory and run a shellcode stage, which fits the Cobalt Strike and WriteProcessMemory signatures, although the report does not record which process wrote into which.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-26 22:22

Signatures

Detects Pyinstaller (tag: pyinstaller)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
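The two static signatures above can be reproduced offline. The following is an added example, not code from the sandbox or this report: it finds the PyInstaller CArchive cookie (magic MEI\014\013\012\013\016) that the packer appends to the bootloader and reads the embedded Python version and DLL name, and it reads the PE security data directory (entry 4) to decide whether an Authenticode signature is present. The PE bytes it runs on are a constructed header-only skeleton built inside the script, not the sample itself.

```python
import struct

# CArchive cookie magic appended by PyInstaller's build step; identical across 2.x and 3.x+.
PYINST_MAGIC = b"MEI\014\013\012\013\016"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed PyInstaller cookie if the buffer carries a CArchive, else None.

    Cookie layouts (big-endian):
      2.x : '!8siiii'    magic, package length, TOC offset, TOC length, Python version
      3.x+: '!8siiii64s' the same fields followed by the Python DLL name (NUL padded)
    """
    pos = data.rfind(PYINST_MAGIC)
    if pos == -1 or len(data) < pos + 24:
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers = struct.unpack_from("!8siiii", data, pos)
    pylib = None
    if len(data) >= pos + 88:                      # room for the 64-byte pylib field
        name = data[pos + 24 : pos + 88].split(b"\0", 1)[0]
        if name and name.isascii():
            pylib = name.decode("ascii")
    # Older cookies store major*10+minor (27), newer ones major*100+minor (310).
    major, minor = (pyvers // 100, pyvers % 100) if pyvers >= 100 else (pyvers // 10, pyvers % 10)
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": pylib,
    }


def has_authenticode_signature(data: bytes) -> bool:
    """True when the PE security data directory points at a non-empty WIN_CERTIFICATE blob.

    A zero entry is what an 'Unsigned PE' sandbox signature keys on. Catalog-signed files
    (signature stored outside the file) are not handled here.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew : e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                        # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                             # PE32
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                           # PE32+
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, nrva_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    # For the security directory the first field is a raw file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return cert_off != 0 and cert_size != 0


def static_triage(data: bytes) -> dict:
    """Combine both checks the way the static1 signatures above do."""
    cookie = find_pyinstaller_cookie(data)
    return {
        "pyinstaller": cookie is not None,
        "python_version": cookie["python_version"] if cookie else None,
        "python_lib": cookie["python_lib"] if cookie else None,
        "signed": has_authenticode_signature(data),
    }


# --- constructed sample input: a header-only PE32 skeleton, not a runnable program ---

def build_minimal_pe(signed: bool, overlay: bytes = b"") -> bytes:
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE header right after the DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, SizeOfOptionalHeader=224
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)             # NumberOfRvaAndSizes
    if signed:                                      # fake WIN_CERTIFICATE location and size
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x400, 0x1000)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + overlay


def build_pyinstaller_cookie(pyvers: int, pylib: bytes = b"", old_format: bool = False) -> bytes:
    """Constructed cookie; package/TOC numbers are placeholders, not the sample's values."""
    if old_format:
        return struct.pack("!8siiii", PYINST_MAGIC, 123456, 100000, 2345, pyvers)
    return struct.pack("!8siiii64s", PYINST_MAGIC, 123456, 100000, 2345, pyvers, pylib)


if __name__ == "__main__":
    sample = build_minimal_pe(False, build_pyinstaller_cookie(27, b"python27.dll"))
    print(static_triage(sample))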

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 22:22

Reported

2024-06-26 22:25

Platform

win7-20240221-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe

"C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe"

C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe

"C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe"

Both entries are the sample itself: PyInstaller's onefile bootloader extracts its archive to %TEMP%\_MEI<n> and then launches a second copy of the executable to run the unpacked Python script, so two instances of the same path are expected here rather than a sign of self-replication.

Network

Country Destination Domain Proto Connections
CN 101.35.173.226:10890 - tcp 8

Eight TCP connections to the same hard-coded IP and non-standard port within the roughly 150 s run, with no DNS lookup for the host, is the repeated check-in pattern of a beacon; 101.35.173.226:10890 is the C2 indicator to block and hunt for.

Files

C:\Users\Admin\AppData\Local\Temp\_MEI29442\exec.exe.manifest

MD5 d555b8701399d1321224301eb1406b28
SHA1 23bb3e011e5292be289b5c34c2eaa212369d0118
SHA256 5ba176b93e8e4a59f8867e14776d635c7bf924f262f7187febdc53334a5e6694
SHA512 325ffc64a500c5470656a9f745c9a3d712c3ad7f92b1f153f26e67b5c05f3da4bf57b1ce618ffbdf91de69258ddf2b4645d09293f6232ca53926ab7bd8491234

C:\Users\Admin\AppData\Local\Temp\_MEI29442\python27.dll

MD5 4815ee7d57479791d7bf6bbdcff1649b
SHA1 3645bc481e0c8c76a7d74342d196e9f55c762637
SHA256 60e9cfbb62bbae5164ddb73082370900a435ef591222caaa0b352b8eaa26600e
SHA512 7d131238d176854d61fa13750d0a47aa03d84b3a1f51cfdd1f0e5033efbec7984fa88decf8b7a2ffb9c96eb545fc492bfd57ffaaa97e9e2b6b637834fbceae6f

C:\Users\Admin\AppData\Local\Temp\_MEI29442\MSVCR90.dll

MD5 552cf56353af11ce8e0d10ee12fdcd85
SHA1 6ab062b709f851a9576685fe0410ff9f1a4af670
SHA256 e88299ea1a140ff758163dfff179fff3bc5e90e7cfbbd178d0c886dbad184012
SHA512 122f389e7047b728b27f3c964d34b9c8bcae7c36177122e6aa997a6edadad20b14552879f60667a084d34727cb2c85dd5534b6fa7a451f0ab33555b315335457

C:\Users\Admin\AppData\Local\Temp\_MEI29~1\_ctypes.pyd (_MEI29~1 is the 8.3 short name of the same _MEI29442 directory, not a second drop location)

MD5 3935ef74c5f36eda2b9f156d467bc1f6
SHA1 2a40c66a8d364640f3f1fb97641c516661912191
SHA256 ae04c9ca90c317a2ab9a4a95e795ef6677adeb7151c58bea3e31371dc9607518
SHA512 eefe08daa387fd95dea34c00c551c4fb2bddbca87ee38ef7172b3442814b17343bf86d392455e383c7e2ca2dbedb1df635cefd89c59070d1052c1d5524669668

Memory dumps

PID Region Size Dump file
284 0x0000000001ED0000-0x0000000001F73000 0xA3000 memory/284-19-0x0000000001ED0000-0x0000000001F73000-memory.dmp
284 0x0000000000580000-0x0000000000581000 0x1000 memory/284-20-0x0000000000580000-0x0000000000581000-memory.dmp
2944 0x0000000000400000-0x0000000000433000 0x33000 memory/2944-21-0x0000000000400000-0x0000000000433000-memory.dmp
284 0x0000000000400000-0x0000000000433000 0x33000 memory/284-22-0x0000000000400000-0x0000000000433000-memory.dmp

The 0x400000-0x433000 region is present in both processes, consistent with the sample's own image at its default base; the _MEI29442 directory name carries the bootloader's PID, so 2944 is the parent and 284 the child that runs the script. The 0xA3000-byte region at 0x1ED0000 in PID 284 is the one to carve and run a Cobalt Strike configuration extractor against.

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 22:22

Reported

2024-06-26 22:25

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe

"C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe"

C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe

"C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe"

As on Windows 7, the two entries are the PyInstaller bootloader and the child copy it launches to run the unpacked script.

Network

Country Destination Domain Proto Connections
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp 1
CN 101.35.173.226:10890 - tcp 8

The only DNS traffic is a reverse lookup of 8.8.8.8 by the OS; the C2 address is contacted directly and repeatedly, the same eight-connection pattern seen on Windows 7.

Files

C:\Users\Admin\AppData\Local\Temp\_MEI33842\exec.exe.manifest

MD5 d555b8701399d1321224301eb1406b28
SHA1 23bb3e011e5292be289b5c34c2eaa212369d0118
SHA256 5ba176b93e8e4a59f8867e14776d635c7bf924f262f7187febdc53334a5e6694
SHA512 325ffc64a500c5470656a9f745c9a3d712c3ad7f92b1f153f26e67b5c05f3da4bf57b1ce618ffbdf91de69258ddf2b4645d09293f6232ca53926ab7bd8491234

C:\Users\Admin\AppData\Local\Temp\_MEI33842\python27.dll

MD5 4815ee7d57479791d7bf6bbdcff1649b
SHA1 3645bc481e0c8c76a7d74342d196e9f55c762637
SHA256 60e9cfbb62bbae5164ddb73082370900a435ef591222caaa0b352b8eaa26600e
SHA512 7d131238d176854d61fa13750d0a47aa03d84b3a1f51cfdd1f0e5033efbec7984fa88decf8b7a2ffb9c96eb545fc492bfd57ffaaa97e9e2b6b637834fbceae6f

C:\Users\Admin\AppData\Local\Temp\_MEI33~1\_ctypes.pyd (_MEI33~1 is the 8.3 short name of the same _MEI33842 directory)

MD5 3935ef74c5f36eda2b9f156d467bc1f6
SHA1 2a40c66a8d364640f3f1fb97641c516661912191
SHA256 ae04c9ca90c317a2ab9a4a95e795ef6677adeb7151c58bea3e31371dc9607518
SHA512 eefe08daa387fd95dea34c00c551c4fb2bddbca87ee38ef7172b3442814b17343bf86d392455e383c7e2ca2dbedb1df635cefd89c59070d1052c1d5524669668

Memory dumps

PID Region Size Dump file
4348 0x00000000009B0000-0x00000000009B1000 0x1000 memory/4348-16-0x00000000009B0000-0x00000000009B1000-memory.dmp
3384 0x0000000000400000-0x0000000000433000 0x33000 memory/3384-17-0x0000000000400000-0x0000000000433000-memory.dmp
4348 0x0000000000400000-0x0000000000433000 0x33000 memory/4348-18-0x0000000000400000-0x0000000000433000-memory.dmp

The _MEI33842 directory name identifies 3384 as the bootloader and 4348 as the child. Unlike the Windows 7 run, only the sample image and a single page were dumped here, so this run yields no region to carve for the beacon stage.
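Turning the two behavioral reports into indicators is mostly parsing. The following is an added example, not part of the sandbox report: it collapses the network rows into per-destination counts and flags the repeated direct-to-IP TCP pattern, parses the memory dump names into PID and region so the non-image region can be picked out for carving, and recovers the bootloader PID from the _MEI<pid><n> directory name (the naming scheme of older PyInstaller bootloaders). The input lists are copied from the behavioral1 tables above; the flagging thresholds (min_repeats, min_size) are assumptions to tune for your environment.

```python
import re
from collections import Counter

# --- input copied from the behavioral1 tables above (constructed lists, same values) ---
# (country, destination, domain, proto); Domain is empty for direct-IP connections.
NETWORK_ROWS = (
    [("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp")]
    + [("CN", "101.35.173.226:10890", "", "tcp")] * 8
)
MEMORY_DUMPS = [
    "memory/284-19-0x0000000001ED0000-0x0000000001F73000-memory.dmp",
    "memory/284-20-0x0000000000580000-0x0000000000581000-memory.dmp",
    "memory/2944-21-0x0000000000400000-0x0000000000433000-memory.dmp",
    "memory/284-22-0x0000000000400000-0x0000000000433000-memory.dmp",
]
DROPPED_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\_MEI29442\python27.dll",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI29~1\_ctypes.pyd",
]


def summarize_connections(rows, min_repeats=3):
    """Collapse identical destinations and flag beacon-like ones.

    Heuristic (assumed thresholds): repeated TCP connections to a bare IP that was
    never resolved from a domain, on a port outside the usual web ports.
    """
    counts = Counter((dst, domain, proto) for _, dst, domain, proto in rows)
    out = []
    for (dst, domain, proto), n in counts.items():
        host, _, port = dst.rpartition(":")
        port = int(port)
        beacon_like = proto == "tcp" and not domain and port not in (80, 443) and n >= min_repeats
        out.append({"destination": dst, "host": host, "port": port, "proto": proto,
                    "count": n, "beacon_like": beacon_like})
    return sorted(out, key=lambda r: -r["count"])


DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Split a sandbox dump name into pid, index, start, end and size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, idx, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "index": idx, "start": start, "end": end, "size": end - start}


def injected_region_candidates(names, image_base=0x400000, min_size=0x2000):
    """Dumped regions that are neither the sample's own image nor a single-page scratch area.

    These are the first regions to hand to a Cobalt Strike config extractor.
    """
    regions = [parse_dump_name(n) for n in names]
    return [r for r in regions if r["start"] != image_base and r["size"] >= min_size]


def bootloader_pid(dropped_paths, pids):
    """Recover the parent PID from the _MEI<pid><n> extraction directory.

    8.3 short names such as _MEI29~1 carry truncated digits and are skipped.
    Returns None if no long-form path matches exactly one sandbox PID.
    """
    for path in dropped_paths:
        m = re.search(r"_MEI(\d+)\\", path)
        if not m:
            continue
        digits = m[1]
        matches = [p for p in pids if digits.startswith(str(p)) and len(digits) == len(str(p)) + 1]
        if len(matches) == 1:
            return matches[0]
    return None


def behavioral_triage(rows, dumps, dropped):
    """One dict of actionable output: C2 candidates, regions to carve, process roles."""
    conns = summarize_connections(rows)
    regions = injected_region_candidates(dumps)
    pids = {parse_dump_name(d)["pid"] for d in dumps}
    parent = bootloader_pid(dropped, pids)
    return {
        "c2_candidates": [c["destination"] for c in conns if c["beacon_like"]],
        "regions_to_scan": [(r["pid"], f"{r['start']:#x}-{r['end']:#x}", r["size"]) for r in regions],
        "bootloader_pid": parent,
        "child_pids": sorted(pids - {parent}),
    }


if __name__ == "__main__":
    print(behavioral_triage(NETWORK_ROWS, MEMORY_DUMPS, DROPPED_PATHS))
```

Run against the behavioral2 rows the same way, the memory section yields no candidate region, which matches the note above that only the image and one page were dumped on Windows 10.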