Source: 00000000.00000002.2913495283.0000000012513000.00000004.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTP"], "Port": 4545, "SleepTime": 55000, "MaxGetSize": 2098751, "Jitter": 40, "C2Server": "138.68.79.95,/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6", "HttpPostUri": "/messages/IgTsSe2N7hV72H5tmL7bVrTR", "Malleable_C2_Instructions": ["Remove 1190 bytes from the end", "Remove 12 bytes from the end", "Remove 397 bytes from the beginning", "NetBIOS decode 'a'"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 96, "Spawnto_x86": "%windir%\\syswow64\\bootcfg.exe", "Spawnto_x64": "%windir%\\sysnative\\bootcfg.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 11629, "ProcInject_PrependAppend_x86": ["kJCQkJCQkJCQ", "Empty"], "ProcInject_PrependAppend_x64": ["kJCQkJCQkJCQ", "Empty"], "ProcInject_Execute": ["CreateThread", "CreateRemoteThread", "NtQueueApcThread", "RtlCreateUserThread", "ntdll.dll:RtlUserThreadStart", "NtQueueApcThread-s", "SetThreadContext", "CreateRemoteThread", "kernel32.dll:LoadLibraryA", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""} |
Source: to.exe |
ReversingLabs: Detection: 36% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 72.1% probability |
Source: to.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: to.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: Malware configuration extractor |
URLs: 138.68.79.95 |
Source: unknown |
DNS traffic detected: query: 171.39.242.20.in-addr.arpa reply code: Name error (3) |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa |
Source: to.exe, 00000000.00000002.2913963149.000000001B4B4000.00000004.00000020.00020000.00000000.sdmp, to.exe, 00000000.00000002.2912546253.0000000000658000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://138.68.79.95:4545/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6 |
Source: to.exe, 00000000.00000002.2912546253.0000000000658000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://138.68.79.95:4545/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6. |
Source: to.exe, 00000000.00000002.2913963149.000000001B4B4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://138.68.79.95:4545/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6Cryptographic |
Source: to.exe, 00000000.00000002.2912546253.0000000000658000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://138.68.79.95:4545/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6b |
Source: to.exe, 00000000.00000002.2912546253.0000000000658000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://138.68.79.95:4545/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6h |
Source: to.exe, 00000000.00000002.2912546253.0000000000658000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://138.68.79.95:4545/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6p |
Source: 00000000.00000002.2913255827.0000000002210000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown |
Source: 00000000.00000002.2913371456.0000000002270000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Rule for beacon sleep obfuscation routine Author: unknown |
Source: 00000000.00000002.2913495283.0000000012513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Rule for beacon reflective loader Author: unknown |
Source: to.exe, Program.cs |
Long String: Length: 311752 |
Source: C:\Users\user\Desktop\to.exe |
Code function: 0_2_0223C280 |
Source: C:\Users\user\Desktop\to.exe |
Code function: 0_2_02226B38 |
Source: C:\Users\user\Desktop\to.exe |
Code function: 0_2_0223CBF0 |
Source: C:\Users\user\Desktop\to.exe |
Code function: 0_2_0222F1A8 |
Source: C:\Users\user\Desktop\to.exe |
Code function: 0_2_02230E64 |
Source: C:\Users\user\Desktop\to.exe |
Code function: 0_2_02231F9C |
Source: C:\Users\user\Desktop\to.exe |
Code function: 0_2_02231528 |
Source: C:\Users\user\Desktop\to.exe |
Code function: 0_2_02270000 |
Source: to.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: 00000000.00000002.2913255827.0000000002210000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17 |
Source: 00000000.00000002.2913371456.0000000002270000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13 |
Source: 00000000.00000002.2913495283.0000000012513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |