cobaltstrike | 487f4dd9bdbe94a9cf1a04a8fdec19f16f86864d05d06f0511544b3ff68c850c

Sharing

Copy URL

Twitter E-mail

General

Target

malware_samples.zip
Size

19.1MB
Sample

250416-hgykfstlv7
MD5

d8e816c76ab1b9bc76e73b1aa0f88f2d
SHA1

da193bad12f1b79f8c938d62e8029ba948433859
SHA256

487f4dd9bdbe94a9cf1a04a8fdec19f16f86864d05d06f0511544b3ff68c850c
SHA512

5bd84b71cb39d1d4952255cbabc45608c972757bb63a9f70606e0d2200154374f9e61f1c526ed1fe903b166e5d0b0458540b47da9c70434ae5b31a7b7d1bd02a
SSDEEP

393216:ThCblxXJLB2mW/RxHedw0OZnq0NyWl9Hh9H2KAm4zI:ThSDZLI5xHea9Zf5XHD4zI

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Extracted

Family

trickbot

Version

1000501

Botnet

ono33

5.182.210.226:443

5.182.210.120:443

185.65.202.183:443

212.80.217.243:443

85.143.218.249:443

194.5.250.178:443

198.15.119.121:443

107.175.87.142:443

185.14.31.72:443

188.165.62.2:443

194.5.250.179:443

198.15.119.71:443

185.14.29.4:443

185.99.2.202:443

192.3.193.162:443

89.191.234.89:443

195.54.32.12:443

31.131.21.30:443

5.34.177.194:443

190.214.13.2:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Extracted

Language

xlm4.0

Source

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://diwafashions.com/wp-admin/mqau6/

exe.dropper

http://designers.hotcom-web.com/ubkskw29clek/qnpm1p/

exe.dropper

http://dixartcontractors.com/cgi-bin/nnuv/

exe.dropper

http://diaspotv.info/wordpress/G/

exe.dropper

http://easyvisaoverseas.com/cgi-bin/v/

Targets

- Target
  
  virusshare/1/VirusShare_0a2d1ecedf3f79754aa2c18d62e75287
- Size
  
  5.7MB
- MD5
  
  0a2d1ecedf3f79754aa2c18d62e75287
- SHA1
  
  4dc6c7ad46c152ee6ebf26488fd5136dd9acfa4f
- SHA256
  
  e800fce6aadc7792b912abbb693aafe0905a5ab52bc92de9e2a50089de312be9
- SHA512
  
  00be04178ca0451634ce16e6b5348b768e0bc017dc8b5c6fd9fef1a7110a305b0fa6f240ca486e76f8b13c5e6aae6a416229c63750fb5a98230fd740423fee4f
- SSDEEP
  
  98304:hemTLkNdfE0pZaN56utgpPFotBER/mQ32lUW:w+156utgpPF8u/7W
Score

1^/10
behavioral1 behavioral2
- Target
  
  virusshare/1/VirusShare_0aee78510c46e3a200b6bc21ac1c954d
- Size
  
  633KB
- MD5
  
  0aee78510c46e3a200b6bc21ac1c954d
- SHA1
  
  aa82dabf571edf16022381f9795376370d4ded7c
- SHA256
  
  c7d63abc749b1f4e245bd377c11ca5857735491eddab5c176ae99a3b7bf9e0ca
- SHA512
  
  ff963b0d7f3b90c5d261c101d44c6b8d595cd809ae9e8378fc85d0442d2322a6cc3899a9ec4d2d6e662de32879120a5ba07bb883a20cd2003618aa69f2806117
- SSDEEP
  
  12288:Px/w9Fmh+HWMxs+KuwetXwuV9W0P5qUKbxqkSnY:PNAckHWCsZulAeRP5VKtqk4Y
Score

5^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3 behavioral4
- Target
  
  virusshare/1/VirusShare_0fea640a7da27f365b3675f73626b9c9
- Size
  
  937KB
- MD5
  
  0fea640a7da27f365b3675f73626b9c9
- SHA1
  
  fd4825f244e9c145486cb6930ad05695b9972668
- SHA256
  
  64af94592f6707505fa6f42b58776c3635706a414e6362a92f707df84627679c
- SHA512
  
  c9a10288762f3f5a3fdff17f8dd8560e7a884f1b83f405c2e85c6c86e42f69a30841c13aa0f2ecfc55aed42995d7aeb8fe40415e423ed0a306d2e7d00883dfbf
- SSDEEP
  
  24576:h3zS0aqbCrxgFhFSQVB5DjDLG6/8otVBTN9s:K9Fo5VLDLGwTBT
Score

10^/10

ta505
- TA505
  Cybercrime group active since 2015, responsible for families like Dridex and Locky.
  ta505
- Ta505 family
  ta505
- Loads dropped DLL
behavioral5 behavioral6
- Target
  
  virusshare/1/VirusShare_1ba8249d8503c0cf7bc125588c43bef9
- Size
  
  182KB
- MD5
  
  1ba8249d8503c0cf7bc125588c43bef9
- SHA1
  
  eb473c845c7474010ff35a3e8a169a9b6b9e5ebe
- SHA256
  
  a44031feb2a71980a0980377c8f7b6f3b5b9dfa0f708556dd420be323c7e1a38
- SHA512
  
  b5421ca474e8ccd30683b90a83e98c6ba74c8418201aaa923ba6c7805ef724b37dfabb74cfedccbb69e3fcf923635f64faa406f280057404f78957df3d840c8c
- SSDEEP
  
  3072:9NO2y/GdywFyktGDWLS0HZWD5w8K7Nk9rD7IBU9asiv8Oc7V:9NO2k4PF7tGiL3HJk9rD7b9asiv8dZ
Score

10^/10

execution
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
behavioral7 behavioral8
- Target
  
  virusshare/1/VirusShare_3cd9a967b67fe69351e390195ca7a430
- Size
  
  32KB
- MD5
  
  3cd9a967b67fe69351e390195ca7a430
- SHA1
  
  4e7f309d283182d76377ad02616a6a5933cac649
- SHA256
  
  e96e3b90d9483a2e463fdda0edf27310ed10fbdb8a8b920c6480ca93bb2e1077
- SHA512
  
  ffe9ffe8555ef0b914bdcaea5b50eb501c4b0d03726ab6f2baa0e5cf6875d9b0ac735679dbd03810d3f03905402f382bf32e3227bd2a11c0eef173082cb02273
- SSDEEP
  
  768:XDNivfrO+Av3qpOCy71ShZ2/p1oaVBV2iKL2GmqBmmSE5fXuMZmwgCLWar8v:XB6zrAv3qpOCy71ShZ2R1osBV2iKL25p
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  virusshare/1/malware
- Size
  
  5.7MB
- MD5
  
  0a2d1ecedf3f79754aa2c18d62e75287
- SHA1
  
  4dc6c7ad46c152ee6ebf26488fd5136dd9acfa4f
- SHA256
  
  e800fce6aadc7792b912abbb693aafe0905a5ab52bc92de9e2a50089de312be9
- SHA512
  
  00be04178ca0451634ce16e6b5348b768e0bc017dc8b5c6fd9fef1a7110a305b0fa6f240ca486e76f8b13c5e6aae6a416229c63750fb5a98230fd740423fee4f
- SSDEEP
  
  98304:hemTLkNdfE0pZaN56utgpPFotBER/mQ32lUW:w+156utgpPF8u/7W
Score

1^/10
behavioral11 behavioral12

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

UPX packed file

TA505

Ta505 family

Loads dropped DLL

Process spawned unexpected child process

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

MITRE ATT&CK Enterprise v16

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12