Overview

overview

10

Static

static

1

01-05-2024.exe

windows7-x64

10

01-05-2024.exe

windows10-2004-x64

10

ZipDLL.dll

windows7-x64

6

ZipDLL.dll

windows10-2004-x64

6

Sharing

Copy URL
Twitter E-mail

General

  • Target

    01-05-2024.zip

  • Size

    831KB

  • Sample

    240717-hmfltszcrr

  • MD5

    b8662d245711acb72ae8dd1d3e7f35fa

  • SHA1

    5b094fae138f4354c8ea97a5249eb444cdf143fa

  • SHA256

    fcefba64cfd18a3899cb5c87328eabad18a0efebfb5d8f8e774c570cad332e64

  • SHA512

    c63469572bf0376b2b17678b3491f0ae0f64b685f93ecf0dcd223cee19f4651728d8c6a43c998e8355ce19b4b34ff45d10b5a3422dbc7277d0419a19d9c8888f

  • SSDEEP

    24576:2zlb4iGOlyJYkqClYZ/nHIqsKblZaonq71cDyrU+PwF2q0GK:2z6TwN2l6noqsml9a1c2rUkTGK

Score
10/10
cobaltstrike0100000backdoorpersistencetrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://45.154.24.14:443/maps/overlaybfpr

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    45.154.24.14,/maps/overlaybfpr

  • http_header1

    AAAAEAAAABJIb3N0OiB3d3cuYmluZy5jb20AAAAKAAAAC0FjY2VwdDogKi8qAAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAAAwAAAAIAAAAEX1NTPQAAAAIAAAAQU1JDSEQ9QUY9Tk9GT1JNOwAAAAYAAAAGQ29va2llAAAACQAAABhxPXNhbiUyMGRpZWdvJTIwY2ElMjB6b28AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAAEAAAABJIb3N0OiB3d3cuYmluZy5jb20AAAAKAAAAC0FjY2VwdDogKi8qAAAACgAAABZBY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTAAAACgAAABZDb250ZW50LVR5cGU6IHRleHQveG1sAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAABAAAADQAAAAIAAAAIU1JDSFVJRD0AAAACAAAAEFNSQ0hEPUFGPU5PRk9STTsAAAAGAAAABkNvb2tpZQAAAAcAAAAAAAAADQAAAAUAAAADbGlkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9728

  • polling_time

    62000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\gpupdate.exe

  • sc_process64

    %windir%\sysnative\gpupdate.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtt5H+QbfH4ILEXg12PomEjuPjLgia+NacQFGHt2Lq2nkS041VyMAViMZ0P8D9tt6nYfHOEzmpgMuf4F4PxJoivDdpjraN5Vkf3r8w4n6Q+oDp/AuCfn+4W572qUq/ibD3HruUMK/FZ0aYiX/2WqdnxEcq9IGIHYXKKFop7hfstwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.646887168e+09

  • unknown2

    AAAABAAAAAEAAAiUAAAAAgAAAe0AAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown3

    1.610612736e+09

  • uri

    /fd/ls/lsp.aspx

  • user_agent

    Mozilla/5.0 (compatible; mobile! telephone; https://mobile.bing.com/search)

  • watermark

    100000

Extracted

Family

cobaltstrike

Botnet

0

Attributes
  • watermark

    0

Targets

    • Target

      01-05-2024.PIF

    • Size

      1.5MB

    • MD5

      897f187c454b78b0490a9cf4b2dc5593

    • SHA1

      8a79dcdb2749f4c4262e977947a39d0413d0d851

    • SHA256

      5a61ff42ca850ba08f835e3a960d87450c2d6557f5fa65dd006c00eda1ab45a3

    • SHA512

      ab5dcd68a67344fe90e8eb34f9475ea04e06e754cf78ab1e0259af4a01d22f75d914e5af75896c08b8b0c74f4130fbc9e37e69da733d47abf40eca134989e425

    • SSDEEP

      24576:D0HKNEa/VA98e0dp6ANYMYkCmR3ansrEHz4WyVTCAwxzIsiwA611Qgh2nt:gUzPewQxzvm

    Score
    10/10
    cobaltstrike0100000backdoorpersistencetrojan
    behavioral1behavioral2

    • Target

      ZipDLL.dll

    • Size

      104KB

    • MD5

      7858336e1ba602c819555e8f9fa54ccd

    • SHA1

      2926b80e715d46140cb5cc32af3bce84ecbbd148

    • SHA256

      6811e4b244a0f5c9fac6f8c135fcfff48940e89a33a5b21a552601c2bceb4614

    • SHA512

      ea541082687c075677e7a1d803a40f7e6ff761f8ffd1f69b687d96534b9960fc942f052ad8cd7e612c627e3718b8f4073f8d0cb92dea6be57869eff5d7a11cff

    • SSDEEP

      1536:iVCLvdeydgLC+mB6+K1xhzp0he9+w7GYB4pk1VDCwwvJzlaKkFkKkK+QPnyxRyI:gglgu+sg1x9p79V2MRwvJZaKWpprI

    Score
    6/10
    persistence
    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks