cobaltstrike

Resubmissions

Sharing

General

Target

https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.11.7z
Sample

240524-q2bkesga3z

Score

10^/10

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

vaidavidaloka.ddns.net:1177

Mutex

ca6ff4fc9d6b2752fedce063008c697a

Attributes

reg_key
ca6ff4fc9d6b2752fedce063008c697a
splitter
|'|'|

Extracted

Family

dridex

Botnet

10555

162.241.44.26:9443

192.232.229.53:4443

77.220.64.34:443

193.90.12.121:3098

rc4.plain

Extracted

Family

darkcomet

Botnet

User

192.168.1.64:1604

Mutex

DC_MUTEX-2WZDLL7

Attributes

InstallPath
WindowsDefender\WindowsDefender.exe
gencode
xHRv8hCk4XTC
install
true
offline_keylogger
true
persistence
true
reg_key
WindowsDefender

Extracted

Family

lokibot

http://195.69.140.147/.op/cr.php/LmsLTZuq9k7Zs

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

http://1filesharing.ga/clue/gate.php

Extracted

Family

njrat

Version

0.7d

Botnet

victim

kallnot0011.ddns.net:5214

Mutex

360e204e31093d5501377cd62d0c77a8

Attributes

reg_key
360e204e31093d5501377cd62d0c77a8
splitter
|'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

bellzada123.ddns.net:2222

Mutex

d941a381a9a94c94ccba61bb9d36aefe

Attributes

reg_key
d941a381a9a94c94ccba61bb9d36aefe
splitter
|'|'|

Targets

- Target
  
  https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.11.7z
Score

10^/10

cobaltstrike darkcomet dridex gh0strat lokibot njrat warzonerat xmrig 10555 hacked user victim aspackv2 backdoor botnet infostealer macro miner rat spyware stealer trojan upx vmprotect xlm
- Cobalt Strike reflective loader
  Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Dridex
  Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
  botnet dridex
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Warzone RAT payload
  rat
- XMRig Miner payload
  miner
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Cobalt Strike reflective loader

Darkcomet

Dridex

Gh0st RAT payload

Gh0strat

Lokibot

WarzoneRat, AveMaria

njRAT/Bladabindi

xmrig

Warzone RAT payload

XMRig Miner payload

Suspicious Office macro

ASPack v2.12-2.42

UPX packed file

VMProtect packed file

AutoIT Executable

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

urlscan1

behavioral1