General

  • Target

    4x(24-06-27).rar

  • Size

    30.6MB

  • Sample

    240627-ssramaxeje

  • MD5

    d968f62a6d7bb3187c25b1eb53e0dae8

  • SHA1

    3e1c59a45a923b15b7f32f5a1cc246be07b58c08

  • SHA256

    a47ef1b22b4797187294ec207237a8195273dab7d4543d46d5d23dafe520f853

  • SHA512

    b9711c7b8a2fa7fb6257d13738662e3ab381693aa642a68f28f7a705b18e520cfb74d8e88ab04bfa8dd87d45f97bd86366ec5e3f33cb799b1cec833be6d5fe18

  • SSDEEP

    786432:B72Jh0QWV3emCsQFEebPIGRl6XdXdf2zL:B72Jh0CTqaRSXpUL

Malware Config

Extracted

Family

cobaltstrike

C2

http://weibogaming.icu:80/share.js

Attributes

  • user_agent

    User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0) Host: weibogaming.icu

Targets

    • Target

      2024po.exe.vir

    • Size

      24.9MB

    • MD5

      a85707d05ff5a760afb050684ff7ec53

    • SHA1

      3e65e8722e8fb2590d6eb51621ac116d9e06e39d

    • SHA256

      f02847218879d4b9b16378ae8c217ae0d767f5a89eacdaa73b9abbe7371dff14

    • SHA512

      9f36107b78363dbc637297b6f0dd395174ed86254f9a0d8a14ef2b73315915591b4e45a26d1601cad2a718d2e5b507a2fce9dcf13b2a95ef1f5c7a593b18eb91

    • SSDEEP

      786432:Jsbf9sI8h2PdCeixMdSC7BMwOY9F2lGEA:Cghws4eY2G

    Score: 4/10

    • Target

      Timo.exe.vir

    • Size

      192KB

    • MD5

      5ec5fd2a7ab1e0d940897a2ae2cbb537

    • SHA1

      98422219f54f90ed0ba93e1d568ff1e57cdbc0e9

    • SHA256

      176e5d0fdb77b787e6ea0622eaffffde1ed810a14393b15f1793b51a57a50be9

    • SHA512

      c2832bb147a1e231e1fd052538802ded7fbf08d563a98984ea94d4b376d4da666b3a6cf4032f609fc2ce5ba3218097a62d0df974bc4dd14c57fe6c3706114ff6

    • SSDEEP

      3072:J6Bu8MeIh9kxFYlCR2zjkYavxyVCve9ehIe5NIgPA9FTJjcUyWU:JpKxFYlCR2zQYMwIOeE9AUfU

    • Target

      [D]2024年移动合作方人员出入管理门禁安装程序.exe.vir

    • Size

      1.2MB

    • MD5

      31d12c85fad4c87d200f24834dbdd54d

    • SHA1

      dff64c7fe5060c5beb8d3387f58daf2fcfef42a4

    • SHA256

      5bb87482aca08d98dd1391f7b0f1a394b6a2e42f3ecf212f002f62e2059bd0c5

    • SHA512

      b12ed5e81ce97f9efa3ef1381f892577422517a24724dc977d65e0cc72ee3e2b22dfee21f796c976eb1e5aa2b5b3bbfa017d2100e8787791dad27c6d7d71d374

    • SSDEEP

      12288:FICsXIYPcFFydh2ZkcnahSEiXhxGIknEJMq2BDaok1JyDx:2CsXxcih2znu0GIvJh1JyDx

    Score: 1/10

    • Target

      点击此处安装语言包.exe.vir

    • Size

      10.8MB

    • MD5

      44ce97dc5b3054dfb4999933219887b7

    • SHA1

      23cedb5e66fbc1cf3c86a8812d6189ed3dd88b17

    • SHA256

      af884204ca0845632eb01c3a37a9d5609f2b7065b884500658da60080eaab617

    • SHA512

      e602db55a559e6c8f96d8dc222af5debc0025675d6fcf8e98e89d4efbd65811819d1e6c8c3467576b850ceb25e0891edb1b648e130caf66046fbc643a584ae04

    • SSDEEP

      196608:PB/vhOCUMgKCZFB4IS+9G0eBF/6FLOyomFHKnPdfxxEBB2XCQkfLoaxA4JN1cdDD:PdJOCdgxZFBVeBUFqJbnf

    Score: 8/10

    • Adds policy Run key to start application

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      票925452362131助手.exe.vir

    • Size

      804KB

    • MD5

      5adea3ab683a21d39d75b6aab6f9cd10

    • SHA1

      ca614a981a394a88a42d43492b0a737527bff171

    • SHA256

      8719467326ae08e270854cdef37e5ca93f33a7411002b5f61f9796659e91c8e4

    • SHA512

      85825cd5d64018177b66fcaa3506687af49a958d401e2865875233b04b53694c4a973c458965a97db47ec6cbc545c1671135214cdbb8d4fdc705965be69d954b

    • SSDEEP

      12288:9HjaxBmJ3owhLHLHXQbKODmKvg0HTLbCf7cKSyfIxF6YUx6tcJza1:lqBw31LbQbLmKBjCf7cZL6hx6GJG

    Score: 1/10

    • Target

      考勤异常信息统计结果查询工具.exe.vir

    • Size

      6.5MB

    • MD5

      33b53d552861ded63f1c39eb195732fa

    • SHA1

      db3eb7f683fc782b1149b35927c03ec039d80ee1

    • SHA256

      2da3ae187b621059a4e9c2be286d79d5b4e3371c3d2a1cdb2f76f7b895aff47e

    • SHA512

      d5016eaab5b64cd185345163556b4373366b6d048bd0d02e849c86fd2d478968c13db3f789c0c1789a20e141d8f17cc941f0a6b37b2676768b57804e101f9c5c

    • SSDEEP

      98304:IGd53n+zkSfHlHLtSEqtoixB0N5RWgz2yI32w6DU:fbjKlrZSlB0QgzioU

    Score: 1/10

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    T1547 Boot or Logon Autostart Execution (1)
    T1547.001 Registry Run Keys / Startup Folder (1)

  • Privilege Escalation

    T1547 Boot or Logon Autostart Execution (1)
    T1547.001 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1112 Modify Registry (1)

  • Discovery

    T1012 Query Registry (1)
    T1082 System Information Discovery (2)

Tasks