General

  • Target

    LisectAVT_2403002B_56.exe

  • Size

    723KB

  • Sample

    240725-b2ejrazgpl

  • MD5

    9558ed100341ccc230134aa25bd69a65

  • SHA1

    5cfa51394e43a1fdc03133ef79b74399642b5130

  • SHA256

    4ae113138120fbf090ef2fe8f7e54e51969b2cf2f0a4f4aa6ca0da2441402299

  • SHA512

    811a9dca957898f1a7d750d00463681f6dc89bffdc00044b184c20f644946facdd4fe3358a45cce28f0e961ebe0cc8d1268816adbfe7d2c85a9545bb43d00cd0

  • SSDEEP

    12288:tGHCnaomAEg3uPdkgNASJxRgj68dOXYYSlbZiI6w9IB:tGHCm8uPdJ+SJ7gj9dOI90w9IB

Malware Config

Extracted

  • Family

    cobaltstrike

  • Botnet

    100000000

  • C2

    http://ns1.icbc-com-cn.com:53/jquery-3.3.1.min.js

    http://ns2.icbc-com-cn.com:53/jquery-3.3.1.min.js

Attributes

  • access_type

    512

  • beacon_type

    256

  • dns_idle

    1.908702538e+09

  • host

    ns1.icbc-com-cn.com,/jquery-3.3.1.min.js,ns2.icbc-com-cn.com,/jquery-3.3.1.min.js

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • maxdns

    255

  • polling_time

    12000

  • port_number

    53

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrTYWiJ/5CMst9xKN4Qp1M/umCsyBwdCK1jZz+GjtvwrwHGXYIO7orYhmjKeuV3RHc06dqlylaJgqr9pelZ123yWcyV4nDO1DUCfJsmGCZeVGhHZ5nopo4URuQd9z6Qq1YraNH86vrdl37BrYYhRGDkZTQXpCUSclajI8qIfBwLQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.234810624e+09

  • watermark

    100000000

Targets

    • Target

      LisectAVT_2403002B_56.exe

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15