Malware Analysis Report

2024-08-06 10:54

Sample ID: 240628-nctzcsyhjn
Target: winhlp64.exe
SHA256: 551b8bbdea45530249bcec7b418c80bbeba99eb1c7712523feec9d612555160d
Tags: cobaltstrike 426352781 backdoor trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file winhlp64.exe was found to be: Known bad.

Malicious Activity Summary

cobaltstrike 426352781 backdoor trojan

Cobaltstrike

Unsigned PE

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-28 11:15

Signatures

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-28 11:15
Reported: 2024-06-28 11:18
Platform: win7-20240419-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\winhlp64.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Processes

C:\Users\Admin\AppData\Local\Temp\winhlp64.exe

"C:\Users\Admin\AppData\Local\Temp\winhlp64.exe"

Network

Country   Destination          Domain          Proto
PK        210.2.169.230:443    210.2.169.230   tcp
PK        210.2.169.230:443    210.2.169.230   tcp
PK        210.2.169.230:443    210.2.169.230   tcp
PK        210.2.169.230:443    210.2.169.230   tcp
PK        210.2.169.230:443                    tcp

Files

memory/2180-0-0x00000000002C0000-0x0000000000301000-memory.dmp

memory/2180-1-0x0000000000940000-0x0000000000DB2000-memory.dmp

memory/2180-2-0x0000000000940000-0x0000000000DB2000-memory.dmp

memory/2180-3-0x0000000000400000-0x000000000044E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-28 11:15
Reported: 2024-06-28 11:18
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\winhlp64.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Processes

C:\Users\Admin\AppData\Local\Temp\winhlp64.exe

"C:\Users\Admin\AppData\Local\Temp\winhlp64.exe"

Network

Country   Destination          Domain   Proto
PK        210.2.169.230:443             tcp
NL        52.142.223.178:80             tcp
PK        210.2.169.230:443             tcp
PK        210.2.169.230:443             tcp

Files

memory/1604-0-0x0000000000750000-0x0000000000791000-memory.dmp

memory/1604-1-0x0000000000CE0000-0x0000000001152000-memory.dmp

memory/1604-2-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1604-4-0x0000000000CE0000-0x0000000001152000-memory.dmp