Malware Analysis Report

2025-01-22 13:06

Sample ID 240725-b65aza1brp
Target LisectAVT_2403002C_180.exe
SHA256 c97119be1f838f352f9fe25ded24b3c2fc0dd99496d508f45d1e540b3be6131c
Tags
cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c97119be1f838f352f9fe25ded24b3c2fc0dd99496d508f45d1e540b3be6131c

Threat Level: Known bad

The file LisectAVT_2403002C_180.exe was found to be: Known bad.

Malicious Activity Summary

cobaltstrike backdoor trojan

Cobaltstrike

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-25 01:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 01:46

Reported

2024-07-25 01:49

Platform

win10v2004-20240709-en

Max time kernel

134s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_180.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Processes

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_180.exe

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_180.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 service-1kx1l5oj-1305976706.bj.tencentapigw.com.cn udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/1932-0-0x00007FFEE5AE3000-0x00007FFEE5AE5000-memory.dmp

memory/1932-1-0x00000000002D0000-0x00000000002D8000-memory.dmp

memory/1932-2-0x00007FFEE5AE0000-0x00007FFEE65A1000-memory.dmp

memory/1932-3-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

memory/1932-4-0x00007FFEE5AE0000-0x00007FFEE65A1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 01:46

Reported

2024-07-25 01:49

Platform

win7-20240705-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_180.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Processes

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_180.exe

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_180.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 service-1kx1l5oj-1305976706.bj.tencentapigw.com.cn udp

Files

memory/2992-0-0x000007FEF5643000-0x000007FEF5644000-memory.dmp

memory/2992-1-0x000000013FE60000-0x000000013FE68000-memory.dmp

memory/2992-2-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

memory/2992-3-0x0000000000680000-0x0000000000681000-memory.dmp

memory/2992-4-0x000007FEF5640000-0x000007FEF602C000-memory.dmp