cobaltstrike | 487f4dd9bdbe94a9cf1a04a8fdec19f16f86864d05d06f0511544b3ff68c850c

General

Target

MALWARE WEE SANTAAAAI.zip
Size

19.1MB
Sample

250414-nx4pasxyhx
MD5

d8e816c76ab1b9bc76e73b1aa0f88f2d
SHA1

da193bad12f1b79f8c938d62e8029ba948433859
SHA256

487f4dd9bdbe94a9cf1a04a8fdec19f16f86864d05d06f0511544b3ff68c850c
SHA512

5bd84b71cb39d1d4952255cbabc45608c972757bb63a9f70606e0d2200154374f9e61f1c526ed1fe903b166e5d0b0458540b47da9c70434ae5b31a7b7d1bd02a
SSDEEP

393216:ThCblxXJLB2mW/RxHedw0OZnq0NyWl9Hh9H2KAm4zI:ThSDZLI5xHea9Zf5XHD4zI

Score

10^/10

cobaltstrike trickbot xmrig 0 ono33 link macro macro_on_action miner pdf upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Extracted

Family

trickbot

Version

1000501

Botnet

ono33

C2

5.182.210.226:443

5.182.210.120:443

185.65.202.183:443

212.80.217.243:443

85.143.218.249:443

194.5.250.178:443

198.15.119.121:443

107.175.87.142:443

185.14.31.72:443

188.165.62.2:443

194.5.250.179:443

198.15.119.71:443

185.14.29.4:443

185.99.2.202:443

192.3.193.162:443

89.191.234.89:443

195.54.32.12:443

31.131.21.30:443

5.34.177.194:443

190.214.13.2:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  virusshare/4/VirusShare_4b8eb7fe75f72c1c5c1f80af9cd165d2
- Size
  
  64KB
- MD5
  
  4b8eb7fe75f72c1c5c1f80af9cd165d2
- SHA1
  
  b227eb90323259f6ff11e0436ba03ebd97706e99
- SHA256
  
  55dd85b37566755ea1ffb022030b413d2722120067abd9b298a89a61f4b790c2
- SHA512
  
  6a64a0c2d1c9f825aca460c692b96cf40ab511d81ee3d56f52870fe5648d902d6a3ac6c70cc85c4d86bd6b51a1d72373c75635731b2f354f8b541a7727f4e8fd
- SSDEEP
  
  1536:LYg6BQIewyy7WxIAGWdw3/WEjMTrP4yyh+A4u7sUjl:t6BQhwAxIbp3XOS
Score

1^/10
behavioral1
- Target
  
  virusshare/4/VirusShare_6d2d7d94fe5faab76b3e786e7d810c1d
- Size
  
  2.3MB
- MD5
  
  b66689ebd2ec53c0035ac39262343ab4
- SHA1
  
  540c5e9b8b28feeba3a05cb1d579154e442f8dfb
- SHA256
  
  3085c886924395409bd3e1cd673e463001f9ff9aedf829de843b462f8138cb0a
- SHA512
  
  6e686a6badff204b3aa1e3f5d03a188f8cb9139f553ab33f4632b9d9af1897048e34fd84daa5223c4308ae8837810bbecf9da9e9ae6a2ccb6dbdc60cde72ef44
- SSDEEP
  
  49152:SXdKAVoO2sFEgNEeazOl88uzkzx59ZmLPMfLUnpyLyfZozvhlJRqk8TW44M41JLp:SXVXO0E5zOC8uzkL9+4ElIPl
Score

1^/10
behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

MITRE ATT&CK Enterprise v16

Tasks

static1

behavioral1

behavioral2