Overview

overview

10

Static

static

1

317d5493b4...f7.ps1

windows7-x64

3

317d5493b4...f7.ps1

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    317d5493b41bd268cd32c9108e77143ea4e9b084792122bad710f1b386dcf9f7.ps1

  • Size

    415KB

  • Sample

    240928-j8h5hswbnn

  • MD5

    066163f2508cf5071ac5b8c6f3d5c0ca

  • SHA1

    55e633d20b955154482b0c5d054bbcbe786c85ab

  • SHA256

    317d5493b41bd268cd32c9108e77143ea4e9b084792122bad710f1b386dcf9f7

  • SHA512

    cd96cb05e5187374f34c75a582f707548480d5c302b4008b1bb24c2b23a005a8cc27e89faac2fa7cb553c1a3385088c23c1aeae7f8854a1ce76af40863e2077e

  • SSDEEP

    6144:OhgRIhQQ2Nb32/QUw6GfYOfVAFlM0KwlMhUmk04Z+JlyMMQnLaZdcJYkHtHdG8+q:il+HLOiyAn02JlHtHdMEPrD

Score
10/10
cobaltstrike666backdoordiscoveryexecutiontrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

666

C2

http://ovotecegg.com:443/wp-content/condensed-soups/

Attributes
  • access_type

    512

  • beacon_type

    2048

  • dns_idle

    6.7372036e+07

  • dns_sleep

    8.1297408e+08

  • host

    ovotecegg.com,/wp-content/condensed-soups/

  • http_header1

    AAAACgAAAF1BY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCwqLyo7cT0wLjgAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUAAAAKAAAAIkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIAAAAKAAAAFkNvbm5lY3Rpb246IGtlZXAtYWxpdmUAAAAHAAAAAAAAAA8AAAANAAAAAQAAAAkvc291cC5naWYAAAAMAAAAAAAAAA==

  • http_header2

    AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAATXsiaW1hZ2VfdXJsIiA6ICJodHRwOi8vbWVtZXNtaXgubmV0L21lZGlhL2NyZWF0ZWQvam9vd2RqLmpwZyIsICJhdXRoZGF0YSIgOiAiAAAAAQAAAAIifQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    7680

  • maxdns

    235

  • polling_time

    60000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\dfrgui.exe

  • sc_process64

    %windir%\sysnative\dfrgui.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCF4otg7PLqPK9DRHSRAWCg2RQ4hXLImgcCXikvdf4N9sFBrpIEQsznrImUwv+9q+7voFNWL8Kh+mkeF+bGKcQCczSXFkKpPYvwwOEQeT8lPfiFAkT/eNHDuZY/xrjA4VMmgBRM3qvPbgi9lCPfOowsx6njNPJIeuQufRDk7p5u5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.154317312e+09

  • unknown2

    AAAABAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAACwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /imagedata/

  • user_agent

    Mozilla/5.0 (X11; CrOS x86_64 13597.94.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.186 Safari/537.36

  • watermark

    666

Targets

    • Target

      317d5493b41bd268cd32c9108e77143ea4e9b084792122bad710f1b386dcf9f7.ps1

    • Size

      415KB

    • MD5

      066163f2508cf5071ac5b8c6f3d5c0ca

    • SHA1

      55e633d20b955154482b0c5d054bbcbe786c85ab

    • SHA256

      317d5493b41bd268cd32c9108e77143ea4e9b084792122bad710f1b386dcf9f7

    • SHA512

      cd96cb05e5187374f34c75a582f707548480d5c302b4008b1bb24c2b23a005a8cc27e89faac2fa7cb553c1a3385088c23c1aeae7f8854a1ce76af40863e2077e

    • SSDEEP

      6144:OhgRIhQQ2Nb32/QUw6GfYOfVAFlM0KwlMhUmk04Z+JlyMMQnLaZdcJYkHtHdG8+q:il+HLOiyAn02JlHtHdMEPrD

    Score
    10/10
    executioncobaltstrike666backdoordiscoverytrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks