Malware Analysis Report

2024-10-19 06:22

Sample ID 240929-sjv78asela
Target 4b3fe40f53343c85fc58f63ffb5afff75deb4ac0a31603a6bbbefcc671609973
SHA256 4b3fe40f53343c85fc58f63ffb5afff75deb4ac0a31603a6bbbefcc671609973
Tags
cobaltstrike 0 100000 backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4b3fe40f53343c85fc58f63ffb5afff75deb4ac0a31603a6bbbefcc671609973

Threat Level: Known bad

The file 4b3fe40f53343c85fc58f63ffb5afff75deb4ac0a31603a6bbbefcc671609973 was found to be: Known bad.

Malicious Activity Summary

cobaltstrike 0 100000 backdoor trojan

Cobaltstrike

Blocklisted process makes network request

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-09-29 15:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-29 15:09

Reported

2024-09-29 15:12

Platform

win7-20240903-en

Max time kernel

123s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b3fe40f53343c85fc58f63ffb5afff75deb4ac0a31603a6bbbefcc671609973.dll,#1

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b3fe40f53343c85fc58f63ffb5afff75deb4ac0a31603a6bbbefcc671609973.dll,#1

Network

Country Destination Domain Proto
JP 103.106.0.20:57540 103.106.0.20 tcp
JP 103.106.0.20:57540 103.106.0.20 tcp
JP 103.106.0.20:57540 103.106.0.20 tcp

Files

memory/1044-1-0x00000000001B0000-0x00000000001F1000-memory.dmp

memory/1044-0-0x000007FEBCBF0000-0x000007FEBCC00000-memory.dmp

memory/1044-4-0x000007FEFCC00000-0x000007FEFCC6C000-memory.dmp

memory/1044-3-0x000007FEFCC00000-0x000007FEFCC6C000-memory.dmp

memory/1044-2-0x000007FEFCC01000-0x000007FEFCC02000-memory.dmp

memory/1044-5-0x0000000000330000-0x000000000037F000-memory.dmp

memory/1044-6-0x0000000000330000-0x000000000037F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-29 15:09

Reported

2024-09-29 15:12

Platform

win10v2004-20240802-en

Max time kernel

127s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b3fe40f53343c85fc58f63ffb5afff75deb4ac0a31603a6bbbefcc671609973.dll,#1

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b3fe40f53343c85fc58f63ffb5afff75deb4ac0a31603a6bbbefcc671609973.dll,#1

Network

Country Destination Domain Proto
JP 103.106.0.20:57540 103.106.0.20 tcp
US 8.8.8.8:53 20.0.106.103.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
JP 103.106.0.20:57540 103.106.0.20 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
JP 103.106.0.20:57540 103.106.0.20 tcp

Files

memory/2208-1-0x000001A549530000-0x000001A549571000-memory.dmp

memory/2208-0-0x00007FFE4BC00000-0x00007FFE4BC10000-memory.dmp

memory/2208-2-0x000001A549580000-0x000001A5495CF000-memory.dmp

memory/2208-3-0x000001A549580000-0x000001A5495CF000-memory.dmp

memory/2208-5-0x000001A549580000-0x000001A5495CF000-memory.dmp

memory/2208-7-0x000001A549580000-0x000001A5495CF000-memory.dmp