cobaltstrike | f1787b9553ce260b889cbb40b456d62f2cfa01b10f7e512a3528790c65640669 | Triage

Submit
Reports

Overview

overview

Static

static

1

Sad Satan_qcxh-W1.exe

windows10-1703-x64

8

Sad Satan_qcxh-W1.exe

windows7-x64

8

Sad Satan_qcxh-W1.exe

windows10-2004-x64

Sad Satan_qcxh-W1.exe

windows11-21h2-x64

8

Sharing

General

Target

Sad Satan_qcxh-W1.exe
Size

13.8MB
Sample

240924-c5nr9swfma
MD5

f3f16a12cdaf4e3fe51bece5dff8970f
SHA1

e4bb36e12d8f566617f940c32764870e052a89b7
SHA256

f1787b9553ce260b889cbb40b456d62f2cfa01b10f7e512a3528790c65640669
SHA512

5b5837ee05f3a16c645613c5e0462b6d81d6e1dc183156b790e42cd8348fa6b391bdc84de43131cba4c568aba2be308d6e3020c829df0f11d44fd923f8cd827f
SSDEEP

393216:MBBTeN30LpEiSCC9XSpIFwah3RuINhkU9he:ktwkLps9Xhrhhuahk7

Score

10^/10

cobaltstrike backdoor bootkit defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Sad Satan_qcxh-W1.exe

Resource

win10-20240404-en

discovery evasion persistence privilege_escalation spyware stealer

windows10-1703-x64

40 signatures

150 seconds

Behavioral task

behavioral2

Sample

Sad Satan_qcxh-W1.exe

Resource

win7-20240903-en

bootkit discovery evasion execution persistence privilege_escalation spyware stealer

windows7-x64

38 signatures

150 seconds

Behavioral task

behavioral3

Sample

Sad Satan_qcxh-W1.exe

Resource

win10v2004-20240802-en

cobaltstrike backdoor discovery evasion persistence privilege_escalation spyware stealer trojan

windows10-2004-x64

48 signatures

150 seconds

Behavioral task

behavioral4

Sample

Sad Satan_qcxh-W1.exe

Resource

win11-20240802-en

defense_evasion discovery evasion persistence privilege_escalation spyware stealer

windows11-21h2-x64

39 signatures

150 seconds

Malware Config

Targets

- Target
  
  Sad Satan_qcxh-W1.exe
- Size
  
  13.8MB
- MD5
  
  f3f16a12cdaf4e3fe51bece5dff8970f
- SHA1
  
  e4bb36e12d8f566617f940c32764870e052a89b7
- SHA256
  
  f1787b9553ce260b889cbb40b456d62f2cfa01b10f7e512a3528790c65640669
- SHA512
  
  5b5837ee05f3a16c645613c5e0462b6d81d6e1dc183156b790e42cd8348fa6b391bdc84de43131cba4c568aba2be308d6e3020c829df0f11d44fd923f8cd827f
- SSDEEP
  
  393216:MBBTeN30LpEiSCC9XSpIFwah3RuINhkU9he:ktwkLps9Xhrhhuahk7
Score

10^/10

discovery evasion persistence privilege_escalation spyware stealer bootkit execution cobaltstrike backdoor trojan defense_evasion
- Cobalt Strike reflective loader
  Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Creates new service(s)
  persistence execution
- Drops file in Drivers directory
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Downloads MZ/PE file
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies Windows Firewall
  evasion
- Modifies powershell logging option
  evasion
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Component Object Model Hijacking

Netsh Helper DLL

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Component Object Model Hijacking

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Pre-OS Boot

Bootkit

Subvert Trust Controls

Install Root Certificate

SIP and Trust Provider Hijacking

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

Software Discovery

Security Software Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionpersistenceprivilege_escalationspywarestealer

behavioral2

bootkitdiscoveryevasionexecutionpersistenceprivilege_escalationspywarestealer

behavioral3

cobaltstrikebackdoordiscoveryevasionpersistenceprivilege_escalationspywarestealertrojan

behavioral4

defense_evasiondiscoveryevasionpersistenceprivilege_escalationspywarestealer

© 2018-2025

Terms | Privacy