cobaltstrike

Sharing

Copy URL

Twitter E-mail

General

Target

master.zip
Size

68.7MB
Sample

250217-zfhahstrt2
MD5

430c9ec774fa02e90af01e6880c915b3
SHA1

f925bff8f027abc126773cfb809098a364f56de4
SHA256

e3bd83b61c2deec0f5d6febbfc891be6fc52d2b546bafdf9b182032d845805a8
SHA512

8d6a8800e9ed06fc3e0036c1f31e7f3b1eced872d24d0bb21bc98c6b58e9b2eda04629a11880faaa903961095b53e222fa9832c31fbd50f39d9d27ee489aa0c9
SSDEEP

1572864:D0FzHvUM/3H+Re+8WIdMNq9N8b1sYdpHm706jbpQinFwkHgqzdvzQXN:D0FzPUM/3H+Rd8WCGmAshnFvdsXN

Score

10^/10

cobaltstrike kpot nanocore 0 backdoor discovery execution macro macro_on_action persistence trojan websettings

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

http://job.softline.top/banner.jpg

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://job.softline.top/SCHEDLGU.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://marc.optimroute.com/tlztwf7

exe.dropper

http://demo.madadaw.com/wp-content/tmp/ttftg7evqv

exe.dropper

http://jongewolf.nl/5oyh89lgev

exe.dropper

http://demo3.grafikaart.cz/b0jilry3

exe.dropper

http://cialgweb.shidix.es/pjob6i3

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://rdweb.ir/jko_vkzlyc_v1p6jev59

exe.dropper

http://mercedeslangha.vn/tro6fqd4_epbfymyjz

exe.dropper

https://cardealersforbadcredit.net/jyxxcv_82ibravt_k7nwl2nu

exe.dropper

http://kosolve.com/ggv_ejwpcn

exe.dropper

http://denis-99bg.com/iti_0vuy_f13

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://hnw7.com/x9zlw7/

exe.dropper

http://mercadosonntag.com.br/sk2vbv3/

exe.dropper

http://hellcatshockey.org/g6wqbef/

exe.dropper

http://tecnauto.com/xuo6/

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://liarla.com/rqajqljlx

exe.dropper

http://espasat.com/1ybh45y

exe.dropper

http://latuconference.com/wp-content/uploads/vvl9xhg

exe.dropper

http://dirtyactionsports.com/vvgr4dva

exe.dropper

http://demign.com/pgt53cb

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://johnnycrap.com/ho1ph0njd

exe.dropper

http://kids-education-support.com/lrl15cy

exe.dropper

http://tortugadatacorp.com/k3y7idp

exe.dropper

http://realitycomputers.nl/cx2ibxr5r4

exe.dropper

http://jaspinformatica.com/sdl8s7hg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://www.nurserylk.com/4twenjw8

exe.dropper

http://www.afubiagroup.com/xqob5mt

exe.dropper

http://www.mijnlening.nl/0tvfimna

exe.dropper

http://www.iddesign.com.ve/litybohwy

exe.dropper

http://www.surewaytoheaven.org/jjmegtilz

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://hsquareddesignstudio.com/bibhgh/

exe.dropper

http://backon.jp/jhurz/

exe.dropper

http://fyon.de/n1rjbcn/

exe.dropper

http://dominiki.pl/forum/akfa6l4b/

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://shophousekhaisontowncity.com/pl

exe.dropper

http://www.mygidas.lt/m

exe.dropper

http://www.natuhemp.net/m

exe.dropper

http://c-sert.ru/assets/images/zim8ozmy

exe.dropper

http://nusantararental.com/z4azh

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://habarimoto24.com/nh

exe.dropper

http://fenett2018.com/dobgx

exe.dropper

http://eastend.jp/bl5kfa

exe.dropper

http://bemnyc.com/u8erijeq

exe.dropper

http://abakus-biuro.net//a9zqemm

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://japanijob.com/uuc8iefifb

exe.dropper

http://103.11.22.51/wp-content/uploads/yoarkx9

exe.dropper

http://13.126.28.98/hpwxcgczbx

exe.dropper

http://159.65.146.232/ugitr4t4l

exe.dropper

http://159.65.65.213/iz1cc1ghz

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://yourmother4cancer.info/Nereidae/ZdDZ/umping?HGn3Nw=1932-05-23

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://wonnabegonnabe.info/vVZM/TOj/Paletots/1915_07_03?rectifier=IcDrG

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://job.softline.top/loadinglit.gif

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.189.58.222/x.exe

Targets

- Target
  
  malware-samples-master/2018-04-Common-Malware-Carrier/banner.jpg
- Size
  
  105KB
- MD5
  
  e049d4200fd95b35b38cc73af5b9c0cb
- SHA1
  
  90db33ee4aa9c3921e2beb8932ef4d5cbabf8117
- SHA256
  
  697bed3630e918b0d6a73d7c251cdd1c7dc62db0445f89224a05747091281d02
- SHA512
  
  cdf26c81f8e48c7adc144b9d317092c05c982a085900ad1486c2006ede0eded8159c7df350ea69622c453bd5f5debce243e812d32ba48d49cdfaadbf374dc835
- SSDEEP
  
  384:+W8aCyjzFdozPEFk8knpvZAN4VS7vZAN9i6rGspmmBckDl4sfnZiqYUDnMNLBY:+W8aLQrpgngGEcDsfZINLBY
Score

4^/10
behavioral1 behavioral2
- Target
  
  malware-samples-master/2018-04-Common-Malware-Carrier/d347e095369aba294f674331054df8469b12d5e3260deb168827142d862f88d6
- Size
  
  142KB
- MD5
  
  df55633ede8a7905083f6397513a4af2
- SHA1
  
  0e45b003bf33dc49037e0840a74f2221a10f625e
- SHA256
  
  d347e095369aba294f674331054df8469b12d5e3260deb168827142d862f88d6
- SHA512
  
  ef6a6110429db763921139ff853c3cb156152e61afa203b8c80d14816fd8a90f5a5f3edc3422875590538763f617179a616e7693a5c93e12a41ef6bbe3e49bd2
- SSDEEP
  
  3072:XnTQ/2Ml3BNjuz5ri6+Em0GncPoKSDJ4nVF6G:XTQ/24BNjwriFyPo2L
Score

7^/10

discovery
- Abuses OpenXML format to download file from external location
behavioral3 behavioral4
- Target
  
  malware-samples-master/2018-04-Common-Malware-Carrier/loadinglit.gif
- Size
  
  271KB
- MD5
  
  b7dc4c7246f12e06cfbaf77a5f29f1ef
- SHA1
  
  15ca8986f40602b55eecbecfa1d6a10529d84889
- SHA256
  
  c7d56e373626b0f0dcd81078a6a2925016757cd8bfcba5afd4ec7eab83e055cf
- SHA512
  
  23b63904bc33bfdb557883dd1e5c9b18ee845de96c2ffd18c7a02ab09bcd55b2383cd499b55eabd741e6e845bb23f5c2b6b50f3428738ecbafbf88d7e5fbfc96
- SSDEEP
  
  6144:Y8eaivieAEfHNH3sLxfJS8CO36j/HmISdu2dzy8WqHtObjn/dT0itlVMz:Y0iviKHNXsLxhRqTGLd+OWd4fz
Score

10^/10

cobaltstrike 0 backdoor discovery execution trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Cobaltstrike family
  cobaltstrike
behavioral5 behavioral6
- Target
  
  malware-samples-master/2018-04-Common-Malware-Carrier/payload
- Size
  
  202KB
- MD5
  
  9d7376f5ad1b39ec08cbe2a8e0e886b6
- SHA1
  
  d5f5dc54861e1ea7d7a9c03e31f4a8a5c5b08bb0
- SHA256
  
  8cdd29e28daf040965d4cad8bf3c73d00dde3f2968bab44c7d8fe482ba2057f9
- SHA512
  
  f6d2b411254ef806398f1b319d230dc9776082c97db87d3d8dd6c1f44532063b12a6da0311a7a50dc3075726956ceecee2e266132b6e419e497b6951d4d7c425
- SSDEEP
  
  3072:Pjh9N4a1j712h9Td2+1lxvTeZna8xUhUbT15ad:PjdFKdoSxvixTxUA
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  malware-samples-master/2018-04-Common-Malware-Carrier/share.png
- Size
  
  1KB
- MD5
  
  2c9f13f79f1dd88b9b5b1ab3a6e2374b
- SHA1
  
  fc7f2e1ad64070be4d44b583155b2ec2af18cb03
- SHA256
  
  acec4a38d7b5ef95a2e33dce721c5693e7da966b751ec45bfa3e39b5181c6b19
- SHA512
  
  f01fa0a0549a9a26a41dc9ab4f22052d92a699bb7bbd505710034878335ff3e42c624635691e7089fd12d38eaae0613413350f08905a56078b86852842e564f6
Score

10^/10

execution persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Adds Run key to start application
  persistence
behavioral10 behavioral9
- Target
  
  malware-samples-master/2018-04-GandCrab-Swarm/99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809/99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809.doc
- Size
  
  212KB
- MD5
  
  16ba8f5d604b4b9a366ae2d5b2107e68
- SHA1
  
  878f05a0ddc78db92cd844b5d13be93e7b25f343
- SHA256
  
  99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809
- SHA512
  
  31544b5590e13df49138c5ae80a6adc9fdce4ea309b856099870b453e9419c8c05f433e18cfdf749a54798468502d21b660a9c9eb2bc02df7da31543d703e873
- SSDEEP
  
  6144:FvLzpvvAi+VLE5DnxWCDWSQB2Zye7+rXMl:pzpvv+pE5DxWskrX
Score

10^/10

discovery execution
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
behavioral11 behavioral12
- Target
  
  malware-samples-master/2018-04-GandCrab-Swarm/99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809/99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809.macro
- Size
  
  52KB
- MD5
  
  1f693871d398cadf3964aea573dfaff2
- SHA1
  
  540b783cc57d93b3778bd5a402ae4344ba755df2
- SHA256
  
  9c67a05a0e6350069a7e6d201c971dd11c63fdf548a4d3b5dbcc4fed773ffc5a
- SHA512
  
  24b4c16fb7d35afbdb4e3a6b6d414bd58a29db54c94bf303e70e2ba7714cb41d0c0c9c59c2525bdbde81f909c33610815b98a280f3ac2cfdf20b0dbbfc5221cc
- SSDEEP
  
  768:lAstZjv4RYqc5RXy/OeXz9Fs2A1OCeJ8+WGAMeQZqDDvT8NidjUFp6ZYLBbfkBk0:lAcvKUzUWbjo69Z0x/R4lxGe+I
Score

1^/10
behavioral13 behavioral14
- Target
  
  malware-samples-master/2018-04-GandCrab-Swarm/dropper-javascript/026b02380e79af4b1b0282c2473828c6fb9c76a421bba09ff2019415c6c6976a.js
- Size
  
  19KB
- MD5
  
  6dcd01653c561fb0d8a701de362cd37e
- SHA1
  
  8b9ee66a192dcbb17cd9cb2173da38759aae8ce8
- SHA256
  
  026b02380e79af4b1b0282c2473828c6fb9c76a421bba09ff2019415c6c6976a
- SHA512
  
  9b6bd49df73551ab6c5af364eb7ff120cfc3e3f012fff9ce03404d9cc72b59c61e2d561f742f39607429d9581b152d4d04ee2d513f6f6e050e6d2c6e2aa2868f
- SSDEEP
  
  384:w4yTz0OTr7de38Tnz2kIEZUW+/GKPRs0XWhkVErkYH0+8w:wBTz0O/h/rz2kISUW+eqCgWhkVEW/w
Score

8^/10

execution
- Blocklisted process makes network request
behavioral15 behavioral16
- Target
  
  malware-samples-master/2018-04-GandCrab-Swarm/dropper-javascript/0638e4dfe95bdae94a751404e4c91adbb72a57967d4443cde3e4abb16bc293b0.js
- Size
  
  20KB
- MD5
  
  179994df918fb01df25f0f1aef4f6029
- SHA1
  
  ba884a8bd426c9bbee359fff40cb751bc8cf87f0
- SHA256
  
  0638e4dfe95bdae94a751404e4c91adbb72a57967d4443cde3e4abb16bc293b0
- SHA512
  
  ad50a2c5da2c0fbc1b622527d0dac3f15ab5d5c34314653ce4e2e17f59cd4c53d34c62a45108ed64b6e4dee41a1582b578962564e0dfaf70d8130cf7a423c38f
- SSDEEP
  
  384:QSdSAIRGr07HPp/YuoJqT9PWcrM/tBv5V2RZe:3irYIWcwT3oZe
Score

8^/10

execution
- Blocklisted process makes network request
behavioral17 behavioral18
- Target
  
  malware-samples-master/2018-04-GandCrab-Swarm/dropper-javascript/0cba53c366aeb34bd6dfb1ed1f9b9b7d8ca63dfff89a3d93c0e8b834a1e976e4.js
- Size
  
  20KB
- MD5
  
  1e936605713ef992c4af2bba8eb27a53
- SHA1
  
  084cfb6541fac172ccc218753176094ae75cbd8d
- SHA256
  
  0cba53c366aeb34bd6dfb1ed1f9b9b7d8ca63dfff89a3d93c0e8b834a1e976e4
- SHA512
  
  605054293de4698f857a2e675ca774ea5b6e1a3eb23823aad9d59075a0ea78b356e0a3897faf159307caa9ec1cd76b99c3c443b0292196fb134f34b163ab97f0
- SSDEEP
  
  384:QSdSAIRGr07HPp/YuoJqT9PWcrM/tBv5V28:3irYIWcwT3d
Score

8^/10

execution
- Blocklisted process makes network request
behavioral19 behavioral20
- Target
  
  malware-samples-master/2018-04-GandCrab-Swarm/dropper-javascript/20812b4ffe8a022d8eef35476095e385bf06d9a8675aeda30416093f9fd63d73.js
- Size
  
  20KB
- MD5
  
  a0fcff0ed0a00014d2d095437db14a40
- SHA1
  
  5de8fe554676b0466a496ddb74e78352aaa9fb52
- SHA256
  
  20812b4ffe8a022d8eef35476095e385bf06d9a8675aeda30416093f9fd63d73
- SHA512
  
  a1ef140d52d60973dbbc4987fecc95a6ebd21503a14a5b7e208ebf2a65b6cc3e5b5e3621d57a16fe4f38545b708767e4b1db86931a054813defaa82b828bd601
- SSDEEP
  
  384:QSdSAIRGr07HPp/YuoJqT9PWcrM/tBv5V2V:3irYIWcwT3Y
Score

8^/10

execution
- Blocklisted process makes network request
behavioral21 behavioral22
- Target
  
  malware-samples-master/2018-04-GandCrab-Swarm/dropper-javascript/21d43c6b03d0e9827111572c9cbfa499a6ec3af4297a4b57db04f3e8b480acbc.js
- Size
  
  20KB
- MD5
  
  c924353d0ac879787080c82854096aca
- SHA1
  
  425bac9c21cf3634b81da839a342da4a2f5bec0b
- SHA256
  
  21d43c6b03d0e9827111572c9cbfa499a6ec3af4297a4b57db04f3e8b480acbc
- SHA512
  
  375e46d8c50c2587a318c6903aebe4127e174a7030504a28bd4e666d37fd21e73dc8eb41e649d6fd3db3158d61dce512a078bf3e956aaf84e2c8d8d1ab2de658
- SSDEEP
  
  384:QSdSAIRGr07HPp/YuoJqT9PWcrM/tBv5V26w:3irYIWcwT3E
Score

8^/10

execution
- Blocklisted process makes network request
behavioral23 behavioral24
- Target
  
  malware-samples-master/2018-04-GandCrab-Swarm/dropper-javascript/233516df74662f82d61ae8025b6371ecb41a81359bf6106d15d73391e65126fc.js
- Size
  
  20KB
- MD5
  
  737904f35fcaf504a20d910fd26702f9
- SHA1
  
  ce797a8404e68d61040f82c33dea317c20168922
- SHA256
  
  233516df74662f82d61ae8025b6371ecb41a81359bf6106d15d73391e65126fc
- SHA512
  
  daf053530f3b64bd6f239d7723843aed235e9c64ce249470bec89236f09a10a6ad174f54c5b746ba636977c2f6cfba487e2a30da37532b2a20ed538b398fc0dc
- SSDEEP
  
  384:QSdSAIRGr07HPp/YuoJqT9PWcrM/tBv5V212:3irYIWcwT3m2
Score

8^/10

execution
- Blocklisted process makes network request
behavioral25 behavioral26
- Target
  
  malware-samples-master/2018-04-GandCrab-Swarm/dropper-javascript/45e1a8582716c51212a45df8f26298cb8dd9769d5fa5781014ef72e4b22881a8.js
- Size
  
  20KB
- MD5
  
  db43110b240062155e7e8938c58c9766
- SHA1
  
  72f6afe9c5191f21e627dcab84bb9e236c88b06b
- SHA256
  
  45e1a8582716c51212a45df8f26298cb8dd9769d5fa5781014ef72e4b22881a8
- SHA512
  
  a9eb1c799df4f2d2d5f238998a6a1c8aa5939ffdd2e28d45bc8b35a9cb92dbcf429a5a3a0e27be98a81d2ce3621c011bd9e954a02a1f4fe2ac8dfe2db29758d1
- SSDEEP
  
  384:QSdSAIRGr07HPp/YuoJqT9PWcrM/tBv5V2wXw:3irYIWcwT3BXw
Score

8^/10

execution
- Blocklisted process makes network request
behavioral27 behavioral28
- Target
  
  malware-samples-master/2018-04-GandCrab-Swarm/dropper-javascript/56f0260ad67596e08a5017b0c62f061062168a1bed7d0f38e7fa585948451d62.js
- Size
  
  21KB
- MD5
  
  a8280c950e5481916f196059bdaa6bf2
- SHA1
  
  de4a2e8994955b07ac94a74b331787a57b7678f1
- SHA256
  
  56f0260ad67596e08a5017b0c62f061062168a1bed7d0f38e7fa585948451d62
- SHA512
  
  64a94f67630a01dcef5cda19b8ed83b0d6b78153719eb0d7e00b8f66e4dd4f01120c2771eb782af6f941891949d04e9890434bebcf2ee33d363780678b8c22a9
- SSDEEP
  
  384:QSdSAIRGr07HPp/YuoJqT9PWcrM/tBv5V2AVyO:3irYIWcwT3jyO
Score

8^/10

execution
- Blocklisted process makes network request
behavioral29 behavioral30
- Target
  
  malware-samples-master/2018-04-GandCrab-Swarm/dropper-javascript/636897d92ddd9ba0e127366a3d4c816a98275d2d1f60016bc05fd3e289b16dc9.js
- Size
  
  20KB
- MD5
  
  820432d763ab0790cde4f5ab88a3e5a0
- SHA1
  
  aea6ab97eab3e34d39310bd1bfb7100f112ab302
- SHA256
  
  636897d92ddd9ba0e127366a3d4c816a98275d2d1f60016bc05fd3e289b16dc9
- SHA512
  
  d205cbb8a456fbc1020732eb3913de3b968a95f52e915e386b99dd0c01edffe8a58aa8f4d58ec9cdb5f70dcce4b675fa1f385a69a965b9aa9ebae271b6fda307
- SSDEEP
  
  384:QSdSAIRGr07HPp/YuoJqT9PWcrM/tBv5V2Rk:3irYIWcwT3yk
Score

8^/10

execution
- Blocklisted process makes network request
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Abuses OpenXML format to download file from external location

Cobaltstrike family

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

Adds Run key to start application

Process spawned unexpected child process

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Blocklisted process makes network request

Blocklisted process makes network request

Blocklisted process makes network request

Blocklisted process makes network request

Blocklisted process makes network request

Blocklisted process makes network request

Blocklisted process makes network request

Blocklisted process makes network request

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32