2024-04-18-SSLoad-and-Cobalt-Strike-malware-and-artifacts[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

2024-04-18-SSLoad-and-Cobalt-Strike-malware-and-artifacts.zip
Size

5.3MB
MD5

30b590347982e79f8af515d7f2e49ad7
SHA1

bca3f7a21b3444678b7c37831a311f0e1e172bb3
SHA256

4223688925e083fbc1fb17daf06664bd64a7ddc3db30cdc67cafbe6133567cbb
SHA512

9ccfa852d7685c115669a3270c959b9474d3256c98d4074a20f0d9209226e638e3ae12ba6375c24b64f2e1734b8661593c761ee4f76cf077b3ca00eaf143b71a
SSDEEP

98304:Kbrqq6Ubf2zDlX3hEXsfsKfYjx7sLinqMlaMAi6Ptbgk2MFuh3XJTUit1JhZq5VQ:KD+DlXxISxEx70oqLi6PJPFuNX2iDXwM

Score

8^/10

macro

Malware Config

Signatures

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
static1/unpack001/Incident_Report_Harassment.doc

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/2024-04-18-CobaltStrike-DLL.bin
unpack001/2024-04-18-SSLoad-DLL.bin

Files

2024-04-18-SSLoad-and-Cobalt-Strike-malware-and-artifacts.zip
.zip

Password: infected_20240418
2024-04-18-CobaltStrike-DLL.bin
.dll regsvr32 windows:6 windows x64 arch:x64

Password: infected_20240418

fde5069783a744f97063c1afd7b8a158

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

ntdll

RtlCaptureContext
RtlUnwindEx
NtWriteFile
NtReadFile
RtlNtStatusToDosError
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlPcToFileHeader

advapi32

SystemFunction036

bcrypt

BCryptGenRandom

kernel32

HeapSize
WriteFile
GetConsoleOutputCP
GetStringTypeW
SetStdHandle
WaitForMultipleObjects
GetCurrentProcessId
GetCurrentThreadId
GetCurrentThread
SetThreadPriority
Sleep
CloseHandle
FreeConsole
ReleaseSRWLockExclusive
FreeEnvironmentStringsW
DeleteProcThreadAttributeList
CompareStringOrdinal
GetLastError
SetThreadStackGuarantee
CreateWaitableTimerExW
SetWaitableTimer
WaitForSingleObject
QueryPerformanceCounter
AcquireSRWLockExclusive
SetLastError
GetCurrentDirectoryW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetCurrentProcess
GetCommandLineW
FlushFileBuffers
SetFileInformationByHandle
DuplicateHandle
SetFilePointerEx
GetStdHandle
SetHandleInformation
WriteFileEx
SleepEx
GetExitCodeProcess
TerminateProcess
TryAcquireSRWLockExclusive
HeapFree
HeapReAlloc
AcquireSRWLockShared
ReleaseSRWLockShared
ReleaseMutex
GetModuleHandleA
GetProcAddress
GetProcessHeap
HeapAlloc
FindNextFileW
FindClose
CreateFileW
GetFileInformationByHandle
GetFileInformationByHandleEx
CreateDirectoryW
FindFirstFileW
GetFinalPathNameByHandleW
CreateEventW
ReadFile
GetOverlappedResult
CancelIo
GetConsoleMode
GetFileType
GetModuleHandleW
FormatMessageW
GetModuleFileNameW
SetCurrentDirectoryW
ExitProcess
CreateNamedPipeW
ReadFileEx
GetSystemDirectoryW
GetWindowsDirectoryW
CreateProcessW
GetFileAttributesW
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
MultiByteToWideChar
WriteConsoleW
WideCharToMultiByte
CreateThread
GetFullPathNameW
GetSystemTimeAsFileTime
WaitForSingleObjectEx
LoadLibraryA
CreateMutexA
LCMapStringW
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
GetCommandLineA
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
FindFirstFileExW
GetModuleHandleExW
LoadLibraryExW
FreeLibrary
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
RaiseException
EncodePointer
InterlockedFlushSList
IsProcessorFeaturePresent
InitializeSListHead
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW

ws2_32

connect
getaddrinfo
WSASocketW
send
recv
WSAGetLastError
freeaddrinfo
WSACleanup
WSAStartup
closesocket

Exports

Exports

DllGetClassObject
DllRegisterServer
DllUnregisterServer
ebsbqoV

Sections

.text
Size: 254KB - Virtual size: 254KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 89KB - Virtual size: 89KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 500B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2024-04-18-IOCs-from-SSLoad-infection-with-Cobalt-Strike-DLL.txt
2024-04-18-SSLoad-DLL.bin
.dll regsvr32 windows:5 windows x86 arch:x86

Password: infected_20240418

c5b12c669953a1f4f98cd32040d998ff

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\vmagent_new\bin\joblist\500965\out\Release\MenuEx.pdb

Imports

mpr

WNetGetConnectionW

kernel32

FindClose
FindFirstFileW
FlushFileBuffers
GetFileAttributesW
GetLongPathNameW
GetTempFileNameW
WriteFile
GetTempPathW
CloseHandle
WaitForSingleObject
OpenMutexW
Sleep
GetExitCodeProcess
CreateThread
GetExitCodeThread
CreateProcessW
GetSystemInfo
GetVersion
GetVersionExW
FindResourceExW
FreeResource
GetModuleHandleA
LockResource
LoadLibraryW
InitializeCriticalSectionAndSpinCount
DeleteFileW
GlobalLock
GlobalFree
MulDiv
lstrcmpiA
lstrcpynA
lstrcpynW
lstrlenW
GetPrivateProfileStringW
WideCharToMultiByte
OutputDebugStringW
GetFileType
GetFileInformationByHandle
GetDriveTypeW
LeaveCriticalSection
EnterCriticalSection
GetProcessHeap
GetSystemDirectoryW
GetTickCount
DeviceIoControl
SetLastError
GetFullPathNameW
LCMapStringW
InterlockedFlushSList
RtlUnwind
InitializeSListHead
GetSystemTimeAsFileTime
CreateFileW
MultiByteToWideChar
lstrcmpiW
FindResourceW
SizeofResource
LoadResource
LoadLibraryExW
GetProcAddress
GetModuleHandleW
GetModuleFileNameW
FreeLibrary
DisableThreadLibraryCalls
GlobalUnlock
DeleteCriticalSection
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
GetLastError
RaiseException
AreFileApisANSI
GlobalAlloc
PeekNamedPipe
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetStartupInfoW
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
FormatMessageW
IsDebuggerPresent

user32

SystemParametersInfoW
LoadStringW
WaitForInputIdle
GetSystemMetrics
InsertMenuW
SetMenuItemBitmaps
InsertMenuItemW
DrawTextW
GetDC
ReleaseDC
GetSysColor
FindWindowW
LoadImageW
CharNextW
UnregisterClassW

gdi32

SetDIBits
GetDIBits
ExtTextOutW
GetObjectW
SetTextColor
SetBkMode
SetBkColor
SelectObject
GetDeviceCaps
DeleteObject
DeleteDC
CreateFontIndirectW
CreateCompatibleDC

advapi32

RegQueryValueExW
RegSetValueExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegDeleteValueW
RegDeleteKeyW
RegCreateKeyExW
RegCloseKey
SystemFunction036
ImpersonateSelf
RevertToSelf

shell32

ShellExecuteExW
DragQueryFileW

ole32

ReleaseStgMedium
CoInitialize
CoUninitialize
CreateStreamOnHGlobal
CoTaskMemFree
CoTaskMemRealloc
CoTaskMemAlloc
StringFromGUID2
CoCreateInstance

oleaut32

LoadTypeLi
SysFreeString
RegisterTypeLi
UnRegisterTypeLi
VarUI4FromStr
LoadRegTypeLi
SysStringLen
SysAllocString

shlwapi

PathAppendW
SHGetValueW
PathFileExistsW
SHDeleteKeyW

msimg32

AlphaBlend

gdiplus

GdipDrawImageRectI
GdipSetInterpolationMode
GdipSetPixelOffsetMode
GdiplusShutdown
GdipSetSmoothingMode
GdipDeleteGraphics
GdipCreateHBITMAPFromBitmap
GdipCreateBitmapFromScan0
GdipCreateBitmapFromStreamICM
GdipCreateBitmapFromStream
GdipGetImagePixelFormat
GdipGetImageHeight
GdipGetImageWidth
GdipGetImageGraphicsContext
GdipDisposeImage
GdipAlloc
GdipFree
GdiplusStartup
GdipCloneImage

msvcrt

wcsncmp
memmove
strlen
fclose
setlocale
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ
??0exception@@QAE@XZ
??0exception@@QAE@ABQBD@Z
_cexit
_amsg_exit
__getmainargs
__wgetmainargs
_environ
_wenviron
atexit
_initterm
__CxxFrameHandler
__DestructExceptionObject
?raw_name@type_info@@QBEPBDXZ
_wcslwr
__pctype_func
_iob
_wgetenv
_wputenv
__doserrno
atof
getenv
_putenv
getwc
_wfopen
_wfreopen
_wtmpnam
__wcserror
_strerror
_wasctime
_wctime64
asctime
_ctime64
_gmtime64
_localtime64
_mktime64
_waccess
_wfindfirst64
_wfindnext64
_wsopen
_access
atoi
_findfirst64
_findnext64
_lseeki64
_sopen
clearerr
fgetpos
??_U@YAPAXI@Z
fread
??3@YAXPAX@Z
fsetpos
getc
tmpnam
___lc_codepage_func
_Getdays
_Getmonths
_Strftime
_fstat64
_ftime64
_lock
_unlock
_assert
wcscmp
_dstbias
_timezone
_tzname
_sys_errlist
_sys_nerr
tolower
___mb_cur_max_func
wcstol
strtol
localeconv
abort
_CxxThrowException
wcslen
wcspbrk
_wfullpath
_getdrive
wcsstr
memset
memcpy
__dllonexit
_itow
_ltow
_ultow
_i64tow
_ui64tow
_wsplitpath
_wsearchenv
_itoa
_ltoa
_ultoa
_i64toa
_ui64toa
_ecvt
_fcvt
_gcvt
_splitpath
_searchenv
_controlfp
_control87
_wmktemp
_chsize
_mktemp
_wstrtime
_strtime
tmpfile
_cgets
_cgetws
_XcptFilter
_pwctype
__lc_collate_cp
_isatty
fflush
_fileno
mbtowc
wctomb
___lc_handle_func
strrchr
iswctype
wcsrchr
_CIlog10
ceil
_clearfp
?terminate@@YAXXZ
_msize
realloc
_wctime
ctime
gmtime
localtime
_ftime
memcmp
_daylight
malloc
free
_errno
??_V@YAXPAX@Z
??2@YAPAXI@Z
fputc
fwrite
fputwc
wcschr
freopen
fopen
_umask
_wcsicmp

ntdll

RtlAdjustPrivilege
RtlNtStatusToDosError
RtlDetermineDosPathNameType_U
RtlDosPathNameToNtPathName_U
RtlFreeUnicodeString
NtCreateFile
NtSetInformationFile
NtClose

msvcp60

mbsrtowcs

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 193KB - Virtual size: 192KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 76KB - Virtual size: 76KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2024-04-18-scheduled-task-for-SSLoad.txt
Incident_Report_Harassment.doc
.doc windows office2003

ThisDocument

Module1

UserForm1

Sharing

General

Malware Config

Signatures

Files

Password: infected_20240418

Password: infected_20240418

fde5069783a744f97063c1afd7b8a158

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

advapi32

bcrypt

kernel32

ws2_32

Exports

Exports

Sections

.text Size: 254KB - Virtual size: 254KB

.rdata Size: 89KB - Virtual size: 89KB

.data Size: 3KB - Virtual size: 7KB

.pdata Size: 12KB - Virtual size: 12KB

_RDATA Size: 512B - Virtual size: 500B

.rsrc Size: 1.3MB - Virtual size: 1.3MB

.reloc Size: 3KB - Virtual size: 2KB

Password: infected_20240418

c5b12c669953a1f4f98cd32040d998ff

Headers

File Characteristics

PDB Paths

Imports

mpr

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

shlwapi

msimg32

gdiplus

msvcrt

ntdll

msvcp60

Exports

Exports

Sections

.text Size: 193KB - Virtual size: 192KB

.rdata Size: 76KB - Virtual size: 76KB

.data Size: 4KB - Virtual size: 7KB

.rsrc Size: 1.6MB - Virtual size: 1.6MB

.reloc Size: 9KB - Virtual size: 9KB

ThisDocument

Module1

UserForm1

.text
Size: 254KB - Virtual size: 254KB

.rdata
Size: 89KB - Virtual size: 89KB

.data
Size: 3KB - Virtual size: 7KB

.pdata
Size: 12KB - Virtual size: 12KB

_RDATA
Size: 512B - Virtual size: 500B

.rsrc
Size: 1.3MB - Virtual size: 1.3MB

.reloc
Size: 3KB - Virtual size: 2KB

.text
Size: 193KB - Virtual size: 192KB

.rdata
Size: 76KB - Virtual size: 76KB

.data
Size: 4KB - Virtual size: 7KB

.rsrc
Size: 1.6MB - Virtual size: 1.6MB

.reloc
Size: 9KB - Virtual size: 9KB