cobaltstrike

General

Target

mouse-jiggler_uTUBd-1.zip
Size

1.9MB
Sample

240912-25l14s1dkh
MD5

29b55147ef2f9e1f76c5209210790971
SHA1

e11bd4b8b0f5711314f89fe5ba840e424da75535
SHA256

6e64e3556c669708a3ad7a26c29a7044074a559507fa7f988c0612c42519ceb9
SHA512

3d399a84741ef125cbfbebeeb87dd1d6bd430c94d60f419a95c09433b26a13cf6ea99bf7c89b27d14ee4198528abae2b47f3976b82083a0019c81ac90001d5df
SSDEEP

49152:38y/wh+EEFITayYE0jo8e40BcfdU3E3Fnkk6Gh5:Ji9ayYEjN4MVwFnEG7

Score

10^/10

Malware Config

Targets

- Target
  
  mouse-jiggler_uTUBd-1.exe
- Size
  
  2.4MB
- MD5
  
  d8ad93ef2790aa264ab569f5ba8a67cb
- SHA1
  
  67b01f6a855b6c5def8863b0d2ef157a44762a28
- SHA256
  
  94375dbac8e6dfd152a3c3b9e33d1c6fc18d5f86e2b486124cc4f67dbef68ce6
- SHA512
  
  5fdc98ed246ada2f1db0335fed19eb72b776bf7075ebd3e0c4d16cdc448e285a9e63141c487e3c96297b876313ccc7ed135689ece9223e3d0d9526169e6d0d95
- SSDEEP
  
  49152:nBuZrEUJje0NQq5rISAGFncaWt+ugsv6fhcUiVoX:BkLxNNC7e9Wt+ugsv6fhcsX
Score

10^/10

cobaltstrike backdoor discovery evasion persistence privilege_escalation spyware stealer trojan
- Cobalt Strike reflective loader
  Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Drops file in Drivers directory
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies powershell logging option
  evasion
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral1