Windows Analysis Report
artifact.exe

Overview

General Information

Sample name: artifact.exe
Analysis ID: 1429039
MD5: a7fcd0b15a080167c4c2f05063802a6e
SHA1: c761d68786ff15b6e991770a8c9aee778dd011e9
SHA256: 9f6ae95b5540d0d6c60e942fa68dee44b2781c58da3f21321f18b8384ab41084
Tags: exe

Detection

CobaltStrike, Metasploit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Metasploit Payload
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Sigma detected: Suspicious Program Names
Contains functionality to dynamically determine API calls
Detected potential crypto function
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Yara signature match

Classification

Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers the attacker a wealth of functionality, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

AV Detection

Source: artifact.exe Avira: detected
Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp Malware Configuration Extractor: CobaltStrike {"C2Server": "http://101.78.63.44:None/UphQey", "User Agent": "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; Touch)\r\n"}
Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Metasploit {"Headers": "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; Touch)\r\n", "Type": "Metasploit Download", "URL": "http://101.78.63.44/UphQey"}
Source: artifact.exe ReversingLabs: Detection: 91%
Source: artifact.exe Virustotal: Detection: 81%
Source: artifact.exe Joe Sandbox ML: detected
Source: artifact.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Networking

Source: Malware configuration extractor URLs: http://101.78.63.44:None/UphQey
Source: Malware configuration extractor URLs: http://101.78.63.44/UphQey
Source: Joe Sandbox View ASN Name: CHINATELECOM-CTCLOUDCloudComputingCorporationCN
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 101.78.63.44:80
Source: unknown TCP traffic detected without corresponding DNS query: 101.78.63.44
Source: unknown TCP traffic detected without corresponding DNS query: 101.78.63.44
Source: unknown TCP traffic detected without corresponding DNS query: 101.78.63.44
Source: artifact.exe, 00000000.00000002.1705027660.00000000007F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://101.78.63.44/
Source: artifact.exe, 00000000.00000002.1705027660.00000000007F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://101.78.63.44/2
Source: artifact.exe, 00000000.00000002.1705027660.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, artifact.exe, 00000000.00000002.1705027660.00000000007AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://101.78.63.44/UphQey
Source: artifact.exe, 00000000.00000002.1705027660.00000000007AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://101.78.63.44/UphQeya
Source: artifact.exe, 00000000.00000002.1705027660.00000000007AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://101.78.63.44/UphQeyp

System Summary

Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Shellcode_Generic_8c487e57 Author: unknown
Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: C:\Users\user\Desktop\artifact.exe Code function: 0_2_001F00B5 0_2_001F00B5
Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Shellcode_Generic_8c487e57 os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Shellcode.Generic, fingerprint = 834caf96192a513aa93ac48fb8d2f3326bf9f08acaf7a27659f688b26e3e57e4, id = 8c487e57-4b8c-488e-a1d9-786ff935fd2c, last_modified = 2022-07-18
Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.winEXE@1/0@0/1
Source: artifact.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\artifact.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\artifact.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\artifact.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\artifact.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\artifact.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\artifact.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\artifact.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\artifact.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\artifact.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\artifact.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\artifact.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\artifact.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\artifact.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\artifact.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\artifact.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\artifact.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\artifact.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\artifact.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\artifact.exe Code function: 0_2_00401949 _winmajor,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 0_2_00401949
Source: C:\Users\user\Desktop\artifact.exe TID: 6624 Thread sleep count: 35 > 30
Source: C:\Users\user\Desktop\artifact.exe TID: 6624 Thread sleep time: -350000s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: artifact.exe, 00000000.00000002.1705027660.00000000007D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: artifact.exe, 00000000.00000002.1705027660.0000000000805000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\artifact.exe Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,GetProcAddress,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit, 0_2_00401180
Source: C:\Users\user\Desktop\artifact.exe Code function: 0_2_004028E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 0_2_004028E0
Source: C:\Users\user\Desktop\artifact.exe Code function: 0_2_00401648 CreateNamedPipeA,ConnectNamedPipe,WriteFile,CloseHandle, 0_2_00401648
Source: C:\Users\user\Desktop\artifact.exe Code function: 0_2_00402810 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00402810

Remote Access Functionality

Source: Yara match File source: artifact.exe, type: SAMPLE
Source: Yara match File source: 0.0.artifact.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.artifact.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY