Windows Analysis Report
uA71eQl1nA.exe

Overview

General Information

Sample name: uA71eQl1nA.exe
renamed because original name is a hash value
Original sample name: f65bf4180cc2a75e1897ef3675b1ddeb72e04dd884ff7a8566cc7104b6c26e2a.exe
Analysis ID: 1502169
MD5: 196c296463a4e3596f031f9bf492665f
SHA1: 6945abc3f4670ae001b22fd59670e3336ef77b62
SHA256: f65bf4180cc2a75e1897ef3675b1ddeb72e04dd884ff7a8566cc7104b6c26e2a
Tags: 119-45-147-28exe
Infos:

Detection

CobaltStrike, Metasploit
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Metasploit Payload
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Detected potential crypto function
Internet Provider seen in connection with other malware
Program does not show much activity (idle)
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Cobalt Strike, CobaltStrike Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
 https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

AV Detection
barindex
Found malware configuration
Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: CobaltStrike {"C2Server": "http://119.45.147.28:443/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36\r\n"}
Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Metasploit {"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36\r\n", "Type": "Metasploit Download", "URL": "http://119.45.147.28/jquery-3.3.2.slim.min.js"}
Multi AV Scanner detection for submitted file
Source: uA71eQl1nA.exe ReversingLabs: Detection: 31%
Source: uA71eQl1nA.exe Virustotal: Detection: 22% Perma Link
Source: C:\Users\user\Desktop\uA71eQl1nA.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_08e1c10da83fbc83\MSVCR90.dll Jump to behavior
Source: uA71eQl1nA.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://119.45.147.28:443/jquery-3.3.2.slim.min.js
Source: Malware configuration extractor URLs: http://119.45.147.28/jquery-3.3.2.slim.min.js
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49711 -> 119.45.147.28:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49719 -> 119.45.147.28:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49723 -> 119.45.147.28:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49726 -> 119.45.147.28:443
Source: unknown TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: uA71eQl1nA.exe, 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://code.jquery.com/
Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000003.2802840791.0000000000C64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/
Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/8
Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000003.2802840791.0000000000C64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.js
Source: uA71eQl1nA.exe, 00000000.00000003.3123468056.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000003.2802840791.0000000000C64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.js#
Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.js3fovzTE
Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsYvdTA
Source: uA71eQl1nA.exe, 00000000.00000003.3123468056.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000003.2802840791.0000000000C64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jss
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Detected potential crypto function
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Code function: 0_2_0275010C 0_2_0275010C
Yara signature match
Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: classification engine Classification label: mal84.troj.winEXE@1/0@0/1
Source: uA71eQl1nA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: uA71eQl1nA.exe ReversingLabs: Detection: 31%
Source: uA71eQl1nA.exe Virustotal: Detection: 22%
Source: C:\Users\user\Desktop\uA71eQl1nA.exe File read: C:\Users\user\Desktop\uA71eQl1nA.exe Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: uA71eQl1nA.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: C:\Users\user\Desktop\uA71eQl1nA.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_08e1c10da83fbc83\MSVCR90.dll Jump to behavior
Source: uA71eQl1nA.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Code function: 0_2_0275010C push eax; ret 0_2_02750387
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Code function: 0_2_0275012B push eax; ret 0_2_02750387
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Code function: 0_2_00007FF6259612F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,__crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__crt_debugger_hook,GetCurrentProcess,TerminateProcess, 0_2_00007FF6259612F0
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Code function: 0_2_00007FF625961820 SetUnhandledExceptionFilter, 0_2_00007FF625961820
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Code function: 0_2_00007FF6259612F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,__crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__crt_debugger_hook,GetCurrentProcess,TerminateProcess, 0_2_00007FF6259612F0
Source: C:\Users\user\Desktop\uA71eQl1nA.exe Code function: 0_2_00007FF625961A64 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00007FF625961A64

Remote Access Functionality
barindex
Yara detected CobaltStrike
Source: Yara match File source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Yara detected Metasploit Payload
Source: Yara match File source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1502169 Sample: uA71eQl1nA.exe Startdate: 31/08/2024 Architecture: WINDOWS Score: 84 10 Found malware configuration 2->10 12 Malicious sample detected (through community Yara rule) 2->12 14 Multi AV Scanner detection for submitted file 2->14 16 3 other signatures 2->16 5 uA71eQl1nA.exe 6 2->5         started        process3 dnsIp4 8 119.45.147.28, 443, 49711, 49719 CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa China 5->8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
119.45.147.28
 unknown China
45090 CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://119.45.147.28/jquery-3.3.2.slim.min.js true
  • Avira URL Cloud: safe
 unknown
http://119.45.147.28:443/jquery-3.3.2.slim.min.js true
  • 1%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown