cobaltstrike

Sharing

Copy URL

Twitter E-mail

General

Target

2a69f324a5524c24e3280c7d6e573ee0854ae8a6e12efe42f1c8cea50999ba74.zip
Size

26.3MB
Sample

241220-d6yvasykhy
MD5

a051137bf97fd34edbd1a7975d2deef8
SHA1

a90420d3961176cb06b32c2e0ea06a8156702767
SHA256

2a69f324a5524c24e3280c7d6e573ee0854ae8a6e12efe42f1c8cea50999ba74
SHA512

9c4cf1386974f32accaa65cc6dcd7e810b459a80b67b2e323719b0123ecd4868508b8d8e06caa9b935294cbdf88ed88f6794bdc324c44f13f0310c44b22ce3b2
SSDEEP

393216:/VEsG0s5H3Q9ExQI17Y2jc+KTwsNN0Fdic3n3ur22KLiGqt1kVAeN7aKC1:esG0syEGI17Yj+KTwK4n3O2kp1oAX

Score

10^/10

Malware Config

Extracted

Family

lumma

https://commisionipwn.shop/api

https://stitchmiscpaew.shop/api

https://ignoracndwko.shop/api

https://grassemenwji.shop/api

https://charistmatwio.shop/api

https://basedsymsotp.shop/api

https://complainnykso.shop/api

https://preachstrwnwjw.shop/api

Extracted

Family

stealc

Botnet

Workbaza

http://5.35.36.211

Attributes

url_path
/cadb6378d4b16104.php

Extracted

Family

cobaltstrike

http://79.110.52.22:443/components/as.png

Attributes

user_agent
Host: tgmcheck.com Connection: close User-Agent: Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0

Targets

- Target
  
  frhasdtr.exe
- Size
  
  5.5MB
- MD5
  
  f6c0f0e730b0dccf2dfbd2bca9afd415
- SHA1
  
  8c930bc6004a3dafb7eb8d86b16ab5a59fa5e94a
- SHA256
  
  1d43e78596a3bdede8c56902959b4f2b08ca7f75200d22f44812b5f216631d5b
- SHA512
  
  d2864e6465583289d1ba771ad7c34d66c62d79e00c1549ce058df958aed12cf973242482616d0f7a2f79f44eae30271c8a0d3e0a7c2d4baa27ecf06938069c1d
- SSDEEP
  
  98304:DD1Ce4ecqudN79vLUjE8JJ6Y2cj0SSZ/Ifgmb2w8YeFQZ44spkBJWaeS/Wi:DD54/qg79oA6j0SSiDbBeC6m37z
Score

10^/10

lumma discovery stealer vmprotect
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral1 behavioral2
- Target
  
  lumma.exe
- Size
  
  6.3MB
- MD5
  
  68821531a37ba7822fd5d67019733b6b
- SHA1
  
  b53de7324804e2775d46f2ec9a56627d706eb647
- SHA256
  
  39551af6337d3dca0ed2212e19e7b6648c8d4fca343c61a27e415602f321ceba
- SHA512
  
  5e249f08aa91641c00f43fff22b6d5d8c714a5b3e8ffe4dbaa8b223c5c65588cd0e821e3b98297cd638096c5b1c768099b5c8b9c368cefc951248adf1cf1616c
- SSDEEP
  
  196608:6qwtqwlk+lDCjExVbXZlL8UBk8Ocp0J89voSPn0:ik+aExVbJhbfYq0
Score

10^/10

lumma discovery stealer vmprotect
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral3 behavioral4
- Target
  
  picturefonts.exe
- Size
  
  12.1MB
- MD5
  
  269a751b0c6d68cc39b2267c1592dae2
- SHA1
  
  2ead3153069297c67bb33c7a83e63d2721aa9f4d
- SHA256
  
  319d1dc217b7e83a85dd62cb2c066156ba5579087f11c991a99089606979ca28
- SHA512
  
  d8da3bf11287c5168544c3d39460b428252dd1f60f7777a3770bc537f89def019078f46b9695a78338bc227e67c902494912d36dcd046e2a514bd0bd96107929
- SSDEEP
  
  196608:K4V6se4m7QH0RD3noXrrj8dVtxqVjDdLMmGEMGHIr915DnjdZd:K4VtH0RD3oXryDxa5LBGlGHIrT5Tx/
Score

7^/10

discovery
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  rundll.exe
- Size
  
  1.6MB
- MD5
  
  b6f38a50620db20ac5c231f924f3b4a5
- SHA1
  
  635d79bbab78af66e561e2146ed0f5926dc886fb
- SHA256
  
  24630db019f0de35f81c0a712d62ed04db084cdd287ea803f588e0f808186f98
- SHA512
  
  bf6fa80d2e973faab2bf8cdf35aa7a4975b511fe2175a57b4ba86c670a49fc17a8c2aa6389578df1cf6a065effc0057384873ff6215eca0cb693e77a3f8272ed
- SSDEEP
  
  12288:ehJK5SJT91q5uM97uyuYpxwu5T1v+rMORuIDJI4yN/6YYJNtuX3e9ifzRBexvVIx:kJP3qeyff5k+5/EP0+9ue52kaX58oj
Score

10^/10

cobaltstrike backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Cobaltstrike family
  cobaltstrike
behavioral7 behavioral8
- Target
  
  setup.exe
- Size
  
  6.8MB
- MD5
  
  acb755d083c876f6a80105c17cc61754
- SHA1
  
  8ccfc2b30402e76a59ed07873b0ccf589728fd22
- SHA256
  
  b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86
- SHA512
  
  2d26da0b24c61e05a66583b548672f00b4351c87669fb8b7e4e71a73da4a2c0e470d7c6aa8072976fe8ca2ac5ea6b75e41f54b426c0d1de06aa118a83283b70b
- SSDEEP
  
  196608:DzSpVt4hhiIbZg4T4hac7p6eDcGRY9Dc+/7/MS6a:DWp74hVbehacQeHwDc+/7zb
Score

10^/10

stealc workbaza discovery stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Loads dropped DLL
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Lumma Stealer, LummaC

Lumma family

VMProtect packed file

Lumma Stealer, LummaC

Lumma family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

VMProtect packed file

.NET Reactor proctector

Suspicious use of SetThreadContext

Cobaltstrike family

Stealc

Stealc family

Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10