cobaltstrike

Resubmissions

03-09-2024 20:54

240903-zp4vwawhmm 10

28-08-2024 22:02

240828-1x5ykszhmm 10

Sharing

Copy URL

Twitter E-mail

General

Target

https://www.yandex.com.tr/search/?text=bonzi+buddy+download&clid=2411726&lr=11508
Sample

240903-zp4vwawhmm

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Targets

- Target
  
  https://www.yandex.com.tr/search/?text=bonzi+buddy+download&clid=2411726&lr=11508
Score

10^/10

discovery cobaltstrike crimsonrat kaiten backdoor bootkit botnet defense_evasion evasion macro macro_on_action persistence privilege_escalation ransomware rat spyware stealer themida trojan upx xlm
- Cobalt Strike reflective loader
  Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- CrimsonRAT main payload
- CrimsonRat
  Crimson RAT is a malware linked to a Pakistani-linked threat actor.
  rat crimsonrat
- Detects Kaiten/Tsunami Payload
- Kaiten/Tsunami
  Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
  botnet kaiten
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Office macro that triggers on suspicious action
  Office document macro which triggers in special circumstances - often malicious.
  macro macro_on_action
- Sets service image path in registry
  persistence
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops Chrome extension
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon
  persistence
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral1 behavioral2