Malware Analysis Report

2025-01-22 13:06

Sample ID 240724-mmpa7avcqe
Target hello.exe
SHA256 0d2da5e6339c3ce5916b8d0aba36c9dd38b606e5e86cf201241b8375d93ce06e
Tags
cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0d2da5e6339c3ce5916b8d0aba36c9dd38b606e5e86cf201241b8375d93ce06e

Threat Level: Known bad

The file hello.exe was found to be: Known bad.

Malicious Activity Summary

cobaltstrike backdoor trojan

Cobaltstrike

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-24 10:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 10:35

Reported

2024-07-24 10:37

Platform

win7-20240704-en

Max time kernel

143s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\hello.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\hello.exe

"C:\Users\Admin\AppData\Local\Temp\hello.exe"

Network

Country Destination Domain Proto
VN 103.146.22.197:80 103.146.22.197 tcp
VN 103.146.22.197:80 103.146.22.197 tcp
VN 103.146.22.197:80 103.146.22.197 tcp
VN 103.146.22.197:80 103.146.22.197 tcp

Files

memory/2120-0-0x0000000000400000-0x000000000140B000-memory.dmp

memory/2120-1-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

memory/2120-2-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/2120-3-0x00000000770D0000-0x00000000770E0000-memory.dmp

memory/2120-4-0x0000000007790000-0x0000000007B90000-memory.dmp

memory/2120-5-0x0000000002FF0000-0x0000000003048000-memory.dmp

memory/2120-6-0x0000000000400000-0x000000000140B000-memory.dmp

memory/2120-8-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

memory/2120-7-0x0000000000400000-0x000000000140B000-memory.dmp

memory/2120-10-0x0000000002FF0000-0x0000000003048000-memory.dmp

memory/2120-9-0x0000000000400000-0x000000000140B000-memory.dmp

memory/2120-11-0x0000000000400000-0x000000000140B000-memory.dmp

memory/2120-12-0x0000000000400000-0x000000000140B000-memory.dmp

memory/2120-14-0x0000000000400000-0x000000000140B000-memory.dmp

memory/2120-15-0x0000000000400000-0x000000000140B000-memory.dmp

memory/2120-17-0x0000000000400000-0x000000000140B000-memory.dmp

memory/2120-18-0x0000000000400000-0x000000000140B000-memory.dmp

memory/2120-19-0x0000000000400000-0x000000000140B000-memory.dmp

memory/2120-20-0x0000000000400000-0x000000000140B000-memory.dmp

memory/2120-21-0x0000000000400000-0x000000000140B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-24 10:35

Reported

2024-07-24 10:37

Platform

win10v2004-20240709-en

Max time kernel

142s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\hello.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\hello.exe

"C:\Users\Admin\AppData\Local\Temp\hello.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
VN 103.146.22.197:80 103.146.22.197 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 197.22.146.103.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
VN 103.146.22.197:80 103.146.22.197 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
VN 103.146.22.197:80 103.146.22.197 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
VN 103.146.22.197:80 103.146.22.197 tcp

Files

memory/4508-0-0x0000000000400000-0x000000000140B000-memory.dmp

memory/4508-1-0x00007FF4FDAB0000-0x00007FF4FDE81000-memory.dmp

memory/4508-2-0x0000000003720000-0x0000000003721000-memory.dmp

memory/4508-3-0x00007FFC0E710000-0x00007FFC0E720000-memory.dmp

memory/4508-4-0x0000000006B80000-0x0000000006F80000-memory.dmp

memory/4508-5-0x0000000006F80000-0x0000000006FD8000-memory.dmp

memory/4508-6-0x0000000000400000-0x000000000140B000-memory.dmp

memory/4508-7-0x0000000000400000-0x000000000140B000-memory.dmp

memory/4508-9-0x00007FF4FDAB0000-0x00007FF4FDE81000-memory.dmp

memory/4508-8-0x0000000000400000-0x000000000140B000-memory.dmp

memory/4508-10-0x0000000000400000-0x000000000140B000-memory.dmp

memory/4508-11-0x0000000006F80000-0x0000000006FD8000-memory.dmp

memory/4508-12-0x0000000000400000-0x000000000140B000-memory.dmp

memory/4508-13-0x0000000000400000-0x000000000140B000-memory.dmp

memory/4508-14-0x0000000000400000-0x000000000140B000-memory.dmp

memory/4508-15-0x0000000000400000-0x000000000140B000-memory.dmp

memory/4508-16-0x0000000000400000-0x000000000140B000-memory.dmp

memory/4508-17-0x0000000000400000-0x000000000140B000-memory.dmp

memory/4508-18-0x0000000000400000-0x000000000140B000-memory.dmp

memory/4508-19-0x0000000000400000-0x000000000140B000-memory.dmp

memory/4508-20-0x0000000000400000-0x000000000140B000-memory.dmp

memory/4508-21-0x0000000000400000-0x000000000140B000-memory.dmp

memory/4508-22-0x0000000000400000-0x000000000140B000-memory.dmp