Overview

overview

10

Static

static

3

7508939c07...13.exe

windows7-x64

10

7508939c07...13.exe

windows10-2004-x64

10

7d14b98cdc...b0.exe

windows7-x64

10

7d14b98cdc...b0.exe

windows10-2004-x64

10

Resubmissions

04/12/2024, 11:30

241204-nmjalsyrbq 10

04/12/2024, 11:04

241204-m6pfastlex 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    220913-j719psahcl_pw_infected.zip

  • Size

    720KB

  • Sample

    241204-nmjalsyrbq

  • MD5

    84c7288625c23b6c2a0c2d1d7633c6e2

  • SHA1

    d69b7004a3e442c83ee73d02b449c13ecfc56651

  • SHA256

    2f3a05d6d6f8112288da101615f749ffd479cd535e1cc665c7851154e79bcab9

  • SHA512

    288e68ae151706cf7a0f1ce049eecf4c5659d8778e4bf225ab05578e5fb42d30311396d6a94dc74193a3ce1d9da7c4238fe1d34b3eb552590310f96c63c38ff7

  • SSDEEP

    12288:zaUjK0UwWIl61+m1n/uDJV1jiGogi6+vqhnZSk7Hvr+1fiOUuWd3:zBjHQj1d1nWDJDTog4ShZ7SRQua3

Score
10/10
cobaltstrikeplay206546002backdoordiscoveryransomwarespywarestealertrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

206546002

C2

http://ateliernow.net:443/Dev/v3.84/DB579PI9XE

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    ateliernow.net,/Dev/v3.84/DB579PI9XE

  • http_header1

    AAAACgAAADJBY2NlcHQ6IGFwcGxpY2F0aW9uL2pzb24sIGFwcGxpY2F0aW9uL3htbCwgaW1hZ2UvKgAAAAoAAAATQWNjZXB0LUxhbmd1YWdlOiB0aAAAAAoAAAAfQWNjZXB0LUVuY29kaW5nOiBpZGVudGl0eSwgZ3ppcAAAAAcAAAAAAAAADwAAAAgAAAACAAAABl9HWGlkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACxBY2NlcHQ6IGFwcGxpY2F0aW9uL2pzb24sIHRleHQvaHRtbCwgaW1hZ2UvKgAAAAoAAAATQWNjZXB0LUxhbmd1YWdlOiBmcgAAAAoAAAAWQWNjZXB0LUVuY29kaW5nOiBiciwgKgAAAAcAAAAAAAAADwAAAAsAAAAFAAAACV9HVUVaTElLUgAAAAcAAAABAAAADwAAAA0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    12288

  • polling_time

    68823

  • port_number

    443

  • sc_process32

    %windir%\syswow64\svchost.exe -k wksvc

  • sc_process64

    %windir%\sysnative\systray.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCN5UAJbAA83lOuZlkNoqHDAdV1F7OJnqUiF3kD6mwuXzJzVpu9+f4l/QIUotuiQA+vvxdM3q/XGu77WogAe90LRUknEdoD6YnU32G/ts9dbSwG6HySt7cLn5B3FsomLWjBbssH9e31TihCUvZbK6PRzmLW4SBgZigBWLXZgu7+SwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.141448704e+09

  • unknown2

    AAAABAAAAAEAAASeAAAAAgAABJ4AAAALAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /Stop/element/X71JO9M7V

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36

  • watermark

    206546002

Targets

    • Target

      7508939c077d0cf8ea1fadcba4255c69bc1b126d132e40bc28962e83435c8f13

    • Size

      1.2MB

    • MD5

      c312d68d160ae738bc46bcc4aa0ea97a

    • SHA1

      8572ff2bf304cdbce1498c5d7285cc033148c8d6

    • SHA256

      7508939c077d0cf8ea1fadcba4255c69bc1b126d132e40bc28962e83435c8f13

    • SHA512

      227fcc214e63e88acb6c435b5bafc63ac7480c1972d0cfaea01353efa9df77293bd0fb8e3e720b57c415e6da0816cb04089bcaf7d832b8b04487c03241d52771

    • SSDEEP

      24576:4cKqReEXbU+xrOtDZnNo1YlBBp5bXf222RYbw+vyVf2Zn:3FR/Q+5WDZNo1+B6RYb0VfQn

    Score
    10/10
    cobaltstrike206546002backdoordiscoverytrojan
    behavioral1behavioral2

    • Target

      7d14b98cdc1b898bd0d9be80398fc59ab560e8c44e0a9dedac8ad4ece3d450b0

    • Size

      128KB

    • MD5

      0ba1d5a26f15f5f7942d0435fa63947e

    • SHA1

      92284cdbefe3fe21a57aa1b0fba23dbca16069eb

    • SHA256

      7d14b98cdc1b898bd0d9be80398fc59ab560e8c44e0a9dedac8ad4ece3d450b0

    • SHA512

      a51135427d1c2e060fe2ab41595b09c532a0881801f7d6136384e3b1bd01bef6306d0e22394512b37b83523ad2db042fe60e655c65fc1f058a613d7418c33bc1

    • SSDEEP

      3072:sCo+6DIwRCIfgxfsYJIKdG5vOVpa/guB7nGj65aZf+HtEY/zuh6y7:u+6DIwRNgOuQ5GVpInI6kIy77

    Score
    10/10
    playdiscoveryransomwarespywarestealer

    • PLAY Ransomware, PlayCrypt

      Ransomware family first seen in mid 2022.

      ransomwareplay

    • Play family

      play

    • Renames multiple (8315) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks