Analysis

  • max time kernel
    137s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-08-2024 00:47

General

  • Target

    2024-08-18_45f066add633849d906229f65f4e5302_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.7MB

  • MD5

    45f066add633849d906229f65f4e5302

  • SHA1

    0d42cc4b30fa2449068c853bc5bbfe98508d1442

  • SHA256

    1e88611707576ec671867cb181a51f9ec80b2e9c3d29c3907bc11cb91f86e9f4

  • SHA512

    0b05f77eb9714f32198694fe44ecf6398d503d7c019e5166441d60f0cb0984fb2ad30579c5e4b27161e1f41b0935ef0a4d5963a8a04564db56ae1d79d6944373

  • SSDEEP

    98304:GemTLkNdfE0pZaN56utgpPFotBER/mQ32lUn:J+156utgpPF8u/7n

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 21 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-18_45f066add633849d906229f65f4e5302_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-18_45f066add633849d906229f65f4e5302_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Windows\System\UwBaKvH.exe
      C:\Windows\System\UwBaKvH.exe
      2⤵
      • Executes dropped EXE
      PID:2072
    • C:\Windows\System\ppZgKCU.exe
      C:\Windows\System\ppZgKCU.exe
      2⤵
      • Executes dropped EXE
      PID:1808
    • C:\Windows\System\LrtegcW.exe
      C:\Windows\System\LrtegcW.exe
      2⤵
      • Executes dropped EXE
      PID:2368
    • C:\Windows\System\PcccdYF.exe
      C:\Windows\System\PcccdYF.exe
      2⤵
      • Executes dropped EXE
      PID:2536
    • C:\Windows\System\QVYvmVh.exe
      C:\Windows\System\QVYvmVh.exe
      2⤵
      • Executes dropped EXE
      PID:2104
    • C:\Windows\System\VsTPfXj.exe
      C:\Windows\System\VsTPfXj.exe
      2⤵
      • Executes dropped EXE
      PID:2688
    • C:\Windows\System\EQxiIbr.exe
      C:\Windows\System\EQxiIbr.exe
      2⤵
      • Executes dropped EXE
      PID:2708
    • C:\Windows\System\LulxvRI.exe
      C:\Windows\System\LulxvRI.exe
      2⤵
      • Executes dropped EXE
      PID:2884
    • C:\Windows\System\SgAlENJ.exe
      C:\Windows\System\SgAlENJ.exe
      2⤵
      • Executes dropped EXE
      PID:2912
    • C:\Windows\System\zxYhFtl.exe
      C:\Windows\System\zxYhFtl.exe
      2⤵
      • Executes dropped EXE
      PID:2724
    • C:\Windows\System\jDAgTSn.exe
      C:\Windows\System\jDAgTSn.exe
      2⤵
      • Executes dropped EXE
      PID:2856
    • C:\Windows\System\QuMEqSe.exe
      C:\Windows\System\QuMEqSe.exe
      2⤵
      • Executes dropped EXE
      PID:2848
    • C:\Windows\System\frsWtAH.exe
      C:\Windows\System\frsWtAH.exe
      2⤵
      • Executes dropped EXE
      PID:2700
    • C:\Windows\System\gQPSEGx.exe
      C:\Windows\System\gQPSEGx.exe
      2⤵
      • Executes dropped EXE
      PID:2776
    • C:\Windows\System\NfZZBwW.exe
      C:\Windows\System\NfZZBwW.exe
      2⤵
      • Executes dropped EXE
      PID:2596
    • C:\Windows\System\eBwYOox.exe
      C:\Windows\System\eBwYOox.exe
      2⤵
      • Executes dropped EXE
      PID:2648
    • C:\Windows\System\AvUHRnQ.exe
      C:\Windows\System\AvUHRnQ.exe
      2⤵
      • Executes dropped EXE
      PID:3056
    • C:\Windows\System\Qriqwxs.exe
      C:\Windows\System\Qriqwxs.exe
      2⤵
      • Executes dropped EXE
      PID:3060
    • C:\Windows\System\yfehqdv.exe
      C:\Windows\System\yfehqdv.exe
      2⤵
      • Executes dropped EXE
      PID:2356
    • C:\Windows\System\KcxtXnN.exe
      C:\Windows\System\KcxtXnN.exe
      2⤵
      • Executes dropped EXE
      PID:1100
    • C:\Windows\System\NXIYvrY.exe
      C:\Windows\System\NXIYvrY.exe
      2⤵
      • Executes dropped EXE
      PID:1760

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Windows\system\AvUHRnQ.exe

    Filesize

    5.7MB

    MD5

    9078994bcabb6d7570fc8456ee2fbc07

    SHA1

    2417147fd7b6785fcdd11cb21ce6ab6786c5f0c5

    SHA256

    e88f2a7f5e506e2d44cf1a467ceffcbd63b2ae75c446e9dcc7dda78f07e6278a

    SHA512

    205464a3288b53f4f65c1cab185a146d5f7dac88628b950059a43e1b6bdbebe09df2753986cc30bc25f718bc9d0cd0c6acd010f1e0226033700b562c75719374

  • C:\Windows\system\EQxiIbr.exe

    Filesize

    5.7MB

    MD5

    06c1cf90032d4255d648d61b6044e1d3

    SHA1

    9cb2f7e9f54233387573e7f091ddf619e6d51393

    SHA256

    dc0a6664fef3dea9c5e57c7cfed2d7ea97e04929a34ab03fdadb8d264e2d3c21

    SHA512

    5bdcbadb419603cb248542e789008ed9333c4949ad3a2e636f657d73b5f3ba97f8d8a60b6b34e1fb1d9937f1231ce75d2ffffb42fdb64d4e43335459430a4b61

  • C:\Windows\system\KcxtXnN.exe

    Filesize

    5.7MB

    MD5

    0dad8d41ff4da35771fd54b6dff1b72d

    SHA1

    8903d2c2cddc0437ddfc7a77e5b08251a825237f

    SHA256

    835aa77b3d355db371fd038e613c8f7295ae9f1a4ced600bdb3794cf40f40962

    SHA512

    3a797108d481d74a0ac4dfe2fae6379e70eae170eb766875667ca47a908ccdc14f4411095eaed965f7672ed4984d881585080dd3fa76b3a276d79476bed63ade

  • C:\Windows\system\LrtegcW.exe

    Filesize

    5.7MB

    MD5

    5512c2f70bbba45d1ed0805786c4fa89

    SHA1

    88281a2d786942e711165eb3dfe975fc920c8f39

    SHA256

    e992ca555b5108c8ccce1cb441988b1aa295c9b93c4367d9582dd666dc978327

    SHA512

    6a139684325a033711a32e63bc5098134538382f22d3889b918e74199e79342b08a576bea200e2771c30ec7315e7134c39de2808fe0bc8d081123489ec585158

  • C:\Windows\system\NXIYvrY.exe

    Filesize

    5.7MB

    MD5

    46de17b87e88a8ca9a606d2f04c9cd55

    SHA1

    b8f519b6f78de17661dcd7e110fa8f08d3808335

    SHA256

    0597dc2e5a032b7b879d1a7af297dc7d2ece9c0508dbc4a39a3a90193a550f01

    SHA512

    dad06264b2de65c682a20df36829e18e342d40102b75f6f1fc7cb8957598d7425e5ca4f5526669d6966c1457c6e0fe700fd12b2d16326e3b629ef43d5a4c6af7

  • C:\Windows\system\NfZZBwW.exe

    Filesize

    5.7MB

    MD5

    40be498626013ab151e9207dbf398760

    SHA1

    02cf75bb0e9ea239a581a9cd2f5700a93e8aac54

    SHA256

    016f0a6a5cc300a299850375f6446060168540239a9a2f01b25de77b6ed16cd3

    SHA512

    68a13baf22c5611b85b471056054daefa53d6f7412747205e9f773466f5b7bb533d5b42770aee8ea5c566cadbc2292c78537a6c786099ebe4c8a93dfbb984a37

  • C:\Windows\system\PcccdYF.exe

    Filesize

    5.7MB

    MD5

    fd871e76323686b33cb6784a1fcccaec

    SHA1

    1435daf326a589a06cc6ba7ed08e9d45de5a4e72

    SHA256

    17d590e06da88c8ceaaa11ea8be131837f63a5f5a053b9c2f53a1e3d58fd095e

    SHA512

    801fc8b3b447b84bddf70eb6fcb6f4f8114bca71df8dac2167184414c1a0e1f7e39ba47b6249c57e2919e9aa204a42c5af0981ba8823910a789a3f9b88b77087

  • C:\Windows\system\QVYvmVh.exe

    Filesize

    5.7MB

    MD5

    a2a4e6005ef4366f17e3989356d0a421

    SHA1

    2e136179d8a9da64f132ea269aaa7eefff6913f0

    SHA256

    a997031742ad368d68f09cd8a39fbbfeb8a4f5c73d251d289904a7600792021d

    SHA512

    74e453962e597da69028dd0bf8e8f8d17e1506f97f4cfd030c11502182aaab57e55f3246188c8cec484e8848f81a9778aaac40169509bd1d48095555b924a2f7

  • C:\Windows\system\Qriqwxs.exe

    Filesize

    5.7MB

    MD5

    c691a0f4c0bd1b8fce5d92bbe60693ca

    SHA1

    de5676551632f3c59f7aaffd27247a3bccef8fe2

    SHA256

    6bb4173914f370dfbb7f1a2a856217d26484b02d587692e3592c0e2f0d0ef9be

    SHA512

    a082c8698f45076e43c37b031836a94f140f4a87fe364980ed46bf2b5bd5f572283d823934114efa4ba4cdcfc6e23aae86dc5069904872bf38f4811a834ece60

  • C:\Windows\system\QuMEqSe.exe

    Filesize

    5.7MB

    MD5

    f5407463fc9bda22b645ef68b1842da1

    SHA1

    31dc3cfc3483548f97e70886ef122e98ec801a22

    SHA256

    18b2bb3163041d69c123ba8e2c2849a5844a2f530554dd80dec802c36f18857b

    SHA512

    2059c5a1b542ab1496c4fc0c7ca380375dab72849776d7ce1c0923fa69087521871bace43c2680799e429561969c30b3a5c29338eb8ef97b5b6cfced37ef5044

  • C:\Windows\system\SgAlENJ.exe

    Filesize

    5.7MB

    MD5

    b3e5e5331c46233d26329ca68ef44ca3

    SHA1

    201a9a14c87f98f0c5f8aa4dee6b3273af57bc7a

    SHA256

    b35ac697d1640671581da147dc41a78ee5f24c3c936ef0372a03543b7981a558

    SHA512

    b1f2c41c373bacaa869ae8cbd986e17dfb28c3553d6ea5841de52eb4ca5b5f647d49b7f079583d651dfef4f2ca87ca73515dfc81bf98e3aa4da7624c589f7ac7

  • C:\Windows\system\UwBaKvH.exe

    Filesize

    5.7MB

    MD5

    b0c1beedf93a4171ceba26fc6eddcd50

    SHA1

    272a2c319bcdad4b24d6ebe35d4eb3857933213e

    SHA256

    37928ae0a3b287c214c52b966678bbf7c68eaa2b5a8bb1db8b26dcb7bae5035f

    SHA512

    349649658b0838a89c0c10fb70cd493c612641c8d8348a2e3bd1928cdcaa11c28e0f77c810f54b54a50e0eb8cc95d25d0fe5b17d6f4a2e94cc632686fe9478c6

  • C:\Windows\system\VsTPfXj.exe

    Filesize

    5.7MB

    MD5

    31c34f95a8490ec65001ab440277adb1

    SHA1

    da0519ae85ae3f14377586d7aa222a502712b960

    SHA256

    5124e89aed5f4aab0d3406fcc33e4d9ddce413f5dc4f2f4b8f6486784c1a9cdf

    SHA512

    99008516b1f9e4c1429b963c8e41ad9d7162336038f15f759c1b3d3266252fa63fc37a4f759b3adff7a1f73aec4ca68fbc524578fa91288ada909456f77c8b1e

  • C:\Windows\system\eBwYOox.exe

    Filesize

    5.7MB

    MD5

    965593f96fe543a7b1e93a3833e43a84

    SHA1

    338e9a32b76749b7ee682d718dd34c564f60020e

    SHA256

    3691632b594c430676045e43ad4088c5d3fab5520431c8e24a67a731ba8d37ef

    SHA512

    7efa674b900a3ff13b26645861f13d69afa8ea2b070291ec43eb396a894c482d7b685f775e89029739c1006dbc5dd840780288e8af71c9bb042bcb7c88ff679a

  • C:\Windows\system\frsWtAH.exe

    Filesize

    5.7MB

    MD5

    7e96910e664fabe16ed116f421fe0083

    SHA1

    fcaeb53c3be8428862617765f835d493f947cd5a

    SHA256

    38c57ccab638427992c2d9a800055acf62d204598a1286152c03fdfd0c6f1d89

    SHA512

    37fa6e97e0828456b7c57e948ea4b848d8fef1d3ee72959332e5360f4e6aff70658589e99af56725361ac06e348afd4f5b248ff769e73d4bb8248a139910cdf5

  • C:\Windows\system\gQPSEGx.exe

    Filesize

    5.7MB

    MD5

    1cb9f0e48f50891080baa29987223cd3

    SHA1

    20abfe94935c0a04b1dcaa67b01ae3465fb0daaf

    SHA256

    e8949eb5bb2afc85f6cae5da570118ac681abffc098b643f77308d1ebfd1dfdc

    SHA512

    c3d0f031ce18009891d8b48678f44b8e0930d1f49dc5845d90313986bf5433c1e17f0a23b2f4f747e203399badec3ea2c7173a551c57c04ae1d7f247dd494bdf

  • C:\Windows\system\jDAgTSn.exe

    Filesize

    5.7MB

    MD5

    a769b74c918c7c85786bb321800e4981

    SHA1

    9c6bf307042f9dec55a75518ae15ed97ba52a7db

    SHA256

    b679b21ae566ed036a8d5477485a7cfd8f83594a195554654c85942b2611ffb0

    SHA512

    c111c48aae196ae312af984f3e8e2d3075c2167cf378b1ffaaf57552a6bf00a6417bac16d9dbbf496bfffa4456e47d92e0d35aee09f6d642be004c9254c245f2

  • C:\Windows\system\yfehqdv.exe

    Filesize

    5.7MB

    MD5

    1fd12bb4e70468e0d15a80bd0b00991f

    SHA1

    a7d068709418aa5c8cafc8905fa93623d79d5b4d

    SHA256

    32824ad499f900a4f1a0a6477025aaa154cd7090658eb342763e358e739272ef

    SHA512

    a246ee50f40458deecdeea954ab752b3ada6957016c3d3de44478a9c401aba90ee56c4254fb63d3ee6bc1a4967b3fe3060ef3a99b9a938fd77b15a80c862b6cd

  • C:\Windows\system\zxYhFtl.exe

    Filesize

    5.7MB

    MD5

    7bb30403a738309142a7ff03d320efa3

    SHA1

    8f8e948f02e8900855028b6f2d90c20a827a55e0

    SHA256

    979f1a89204561c25dc70ab3e11d20e65c80ab44fedee00db2edc2d9f8f00ae9

    SHA512

    ab6b352fc2474b6f2148a69f8c0c87c760ae2ad4bdc069baf13bb9c0ae6621165ba5f8ed7426f3c8c70ac4913889d41a6a8312884d9663c3bed57060fa17838e

  • \Windows\system\LulxvRI.exe

    Filesize

    5.7MB

    MD5

    2449ab6ce5913374e8d2f5debfe4e980

    SHA1

    382fe9619e7ff68a8957b955fde2da372d7b6583

    SHA256

    bf6f5b199a19aebd0816b600069d66de28d998836157ef1dfd6b46e789085e75

    SHA512

    95f4f1606294e0e94b68a39ec62441aed63bc167d388b41a9a77f587f78abb744e1e1f690edffe3027923909c210e7d88b2227711285747aed527a3a86f0d5a8

  • \Windows\system\ppZgKCU.exe

    Filesize

    5.7MB

    MD5

    53188777bc1f74fa5778196d877cdd2c

    SHA1

    2de85a115a5d262992235074abedf290b9bfde26

    SHA256

    06ec21e38481cd8a2e44cd0d96e1d9f71ccf05e470148cbb7637e9dbab4b43b9

    SHA512

    48de682fb7bd3af531398b4cf0e6bb6e1df4f15df2fceca491e34b8d1a12de1d80ac02cd2f22e085d98523c86776f4c08f0b317585228fb27c7c818acdd872bc

  • memory/2968-0-0x0000000000180000-0x0000000000190000-memory.dmp

    Filesize

    64KB