cobaltstrike

Sharing

Copy URL

Twitter E-mail

General

Target

5x(24-12-05).zip
Size

47.4MB
Sample

241205-j6saeasjgp
MD5

d18193958388d83d65776a8eb316221a
SHA1

f29188ca7f732cdfb938a7576760b0cb0af0bbd0
SHA256

9818f5ae8db0a91f8375c40cf80c0ed333d92e2692babd57c2fcd35ec76a1218
SHA512

a87e0d72378aacdab6bac1696c69983dedbb9f4a64cef6ee20d7dd946eef2cfd84e2ae2157321d9f2bcfaeb51c99788f79b6b0ba3f34fbc185a947bbda682c55
SSDEEP

786432:pZQBVFK5ZpKYuM5q1DPm1aaQqApbpZUSrrMTJU3a9yU4NIMQL0VytoHjWYhqb6eu:piBVQZUFMUxPmADqmZrwdU3BU4NYQVyE

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

TONY

85.31.47.62:45356

127.0.0.1:45356

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-0ZKXJG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Credentials

Protocol: ftp
Host:
154.91.90.51
Port:
21
Username:
123
Password:
123

Extracted

Family

cobaltstrike

http://192.168.134.128:80/jquery-3.3.2.slim.min.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 Edg/129

Targets

- Target
  
  NEW_0RDERLISTDEC2024.exe
- Size
  
  1016KB
- MD5
  
  907f9ec00dae9c158416379d2b961bd6
- SHA1
  
  40bb66f564f34037a25cd55e0a6da67abe09d7c0
- SHA256
  
  2bfe76169602cd81c584da62335fd8f3bd94a8693e20c9fb2f1f3dfa5cd43130
- SHA512
  
  67c95bfe6dbf36d9de67159f43a5f437ea818cec18502fac8cfc657abe5457980bf3037fcec4350487385d7a8047d7df9018cc7a93757787ee31e1b234fa4b05
- SSDEEP
  
  24576:I/fiNRFxKsPwGuRWNoYPe+7injApBoQ81RzC:I/KDzlwJoyYWW8AAlRzC
Score

10^/10

remcos tony collection credential_access discovery execution rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  [2024]第 082 号文..。.。...exe
- Size
  
  23.2MB
- MD5
  
  4b3f14be827a7f1e3621d7544cf02b95
- SHA1
  
  21e20722e68045ab8fb1eecc67793ef691893609
- SHA256
  
  2fbd83b638d60aa2170a2c3c65870b0710582018942a434b2a0130df3c1e14a5
- SHA512
  
  f902014647bc8ba5a420b102bd93d18a41f04e8e09676212c55bc26bf2085e1bf02d1ae2ee4bd90ddb1226307c2c8d3447a751d0a41859cc5a4634ed93bf4707
- SSDEEP
  
  393216:JfEIHdtmFbNZwY5C82CUegQQVctb6A0CigulHbG0S8ZMvZ2:JHdkLuY5YCP06m/CbuBhfMvZ2
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  signtest_modified.exe
- Size
  
  842KB
- MD5
  
  998a29316c6bdbca22c0ba910f6dc5a6
- SHA1
  
  bccec1cef97bdd99f97e72e08a76a44684ab63ff
- SHA256
  
  9c5c6cb855ed93122f8582bdd7a83898062ab7867490598fa4fd507487f2e5a4
- SHA512
  
  7b8ea3b757291e3812bd9da942f97cf1cd368d3e8a80c9ef1028d06c6c028cae6195fac71ba92aa560039c14d97d349df582c2774e7505b310c235822092561e
- SSDEEP
  
  12288:EiV/9kuynK+Fo4qJ7whr+AAmspq037bREQpm+UnMAYRa5UKvIepkReuWYs/srvJX:EifkFS7Nrmso03FpwYsxvISkO/slvHf
Score

10^/10

cobaltstrike backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Cobaltstrike family
  cobaltstrike
behavioral5 behavioral6
- Target
  
  uninstall-查询1205.exe
- Size
  
  23.1MB
- MD5
  
  3b3c7f5a51c7f314c7d8f6e22c5261b7
- SHA1
  
  e52e72434b53dab50d9da6763bb5688bd0e87180
- SHA256
  
  d31bce852ae81b22853e8152abda04017c73d0acd2fb3027a5800a244d07f72e
- SHA512
  
  6917375bf8c810e8b73d8d11d2b25e5444b0f7711b5528a729128ca0ca22e040c9c237a5e5d9447f4c88b881aa1aa5a77ea9b7767d5ca79dcd68c5b6d2a0058a
- SSDEEP
  
  393216:cfEIHdtmFbNZwY5C82CUegQQVctb6A0CigulHbG0S8ZMvZ2:cHdkLuY5YCP06m/CbuBhfMvZ2
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  表格-uninstall.exe
- Size
  
  67KB
- MD5
  
  63d3c299bf6192a6c627c3092333ae77
- SHA1
  
  a661cb7a1e16af2e9385860baf5b9ab5bf3982a4
- SHA256
  
  531e5806c4df096d9eea5f9e98b2ea67ba2b5dae88a96879c986698646b6f223
- SHA512
  
  d19a0b4013452094ee9105e07f61db65efd08327c90e1d95767c7beefe921dfcd51c892ed880e211b2f4c9d31d905accc572f68e6add66a4568c6f2b99938350
- SSDEEP
  
  1536:WwMNhzHy/NTQt17OvUo9OMarkzer/rdX:8TST+Or2r/rd
Score

10^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral10 behavioral9