Resubmissions

13/04/2025, 09:55

250413-lx71lstjt7 10

13/04/2025, 09:52

250413-lv39mstvbz 10

13/04/2025, 07:04

250413-hv884s1vd1 10

General

  • Target

    malware_samples.zip

  • Size

    19.1MB

  • Sample

    250413-lv39mstvbz

  • MD5

    d8e816c76ab1b9bc76e73b1aa0f88f2d

  • SHA1

    da193bad12f1b79f8c938d62e8029ba948433859

  • SHA256

    487f4dd9bdbe94a9cf1a04a8fdec19f16f86864d05d06f0511544b3ff68c850c

  • SHA512

    5bd84b71cb39d1d4952255cbabc45608c972757bb63a9f70606e0d2200154374f9e61f1c526ed1fe903b166e5d0b0458540b47da9c70434ae5b31a7b7d1bd02a

  • SSDEEP

    393216:ThCblxXJLB2mW/RxHedw0OZnq0NyWl9Hh9H2KAm4zI:ThSDZLI5xHea9Zf5XHD4zI

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1


  • http_header2


  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine


  • unknown1

    4096

  • unknown2


  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Extracted

Family

trickbot

Version

1000501

Botnet

ono33

C2


Attributes
  • autorun

    Name:pwgrab

  • ecc_pubkey.base64

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://www.prorites.com/wp-content/dsdb28de-kw0ch1msvi-003/

exe.dropper

https://www.silvesterinmailand.com/wp-content/uploads/ibvgux-yg4-03475/

exe.dropper

http://homemyland.net/tmp/wUHdeBS/

exe.dropper

https://www.celbra.com.br/old/wp-content/uploads/2019/mbwl6-lwu0psmcb-523/

exe.dropper

http://prihlaska.sagitta.cz/wp-content/uploads/WwcQXtRta/

Targets

    • Target

      virusshare/3/VirusShare_6ad036ba93c94d6976e2d93c7a3aec6f

    • Size

      172KB

    • MD5

      6ad036ba93c94d6976e2d93c7a3aec6f

    • SHA1

      cb098f7a0492454a31f3819a1b7ec143c0c507b6

    • SHA256

      4ee0bf78e3b0a06c35fed0f912db6fabbb5fae13f838cd4132634359ad0d24da

    • SHA512

      525d3ccb7078d6c34287307891023a47773cb3ec94d6e5d54a4c2cb4006be5ae3356238e8fe4ce5ff17767b8326af385a2be735dac8dbe78f10c185c665f7a00

    • SSDEEP

      3072:vw2y/GdyrktGDWLS0HZWD5w8K7Nk9pD7IBUaT7jc5Hw:vw2k4jtGiL3HJk9pD7b+jMQ

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell and hide the display window.

MITRE ATT&CK Enterprise v16

Tasks