File name:	1c51620beb680f07ec05d44399817f9b16a8f855560fa5a2fefdf632ec5ebafe
Full analysis:	https://app.any.run/tasks/0e6cb925-f435-4b6a-b041-2d5de8e14b99
Verdict:	Malicious activity
Threats:	Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 13, 2024, 19:13:40
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer cobaltstrike
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	3FEB212900A0F894836CAFA28C047C51
SHA1:	6EDEC384E1992E3A0A00F939D98995EB7BF007D5
SHA256:	1C51620BEB680F07EC05D44399817F9B16A8F855560FA5A2FEFDF632EC5EBAFE
SSDEEP:	49152:nrUwk5CnKofJ3AK7gd2xf0a9BJL/0SEKoKRuvsuP8F1zyUcWScHE:nrUwkIJpBs2xsa9BJLKzv

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

CompanyName:	Krzysztof Kowalczyk
ProductVersion:	3.6
ProductName:	SumatraPDF
LegalCopyright:	Copyright 2006-2024 all authors (GPLv3)
FileVersion:	3.6
FileDescription:	SumatraPDF
CharacterSet:	Windows, Latin1
LanguageCode:	English (U.S.)
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Windows NT 32-bit
FileFlags:	(none)
FileFlagsMask:	0x0000
ProductVersionNumber:	3.6.0.0
FileVersionNumber:	3.6.0.0
Subsystem:	Windows GUI
SubsystemVersion:	6
ImageVersion:	-
OSVersion:	6
EntryPoint:	0xf4494
UninitializedDataSize:	-
InitializedDataSize:	1030144
CodeSize:	1225728
LinkerVersion:	14.4
PEType:	PE32+
ImageFileCharacteristics:	Executable, Large address aware
TimeStamp:	2024:09:19 09:14:02+00:00
MachineType:	AMD AMD64

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5892	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5892	svchost.exe	GET	200	23.48.23.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	139.180.156.199:443	https://139.180.156.199/jquery-3.3.2.slim.min.js	unknown	binary	264 Kb	—
—	—	GET	200	139.180.156.199:443	https://139.180.156.199/jquery-3.3.1.min.js	unknown	binary	5.48 Kb	—
—	—	GET	200	139.180.156.199:443	https://139.180.156.199/jquery-3.3.1.min.js	unknown	binary	5.58 Kb	—
—	—	GET	200	139.180.156.199:443	https://139.180.156.199/jquery-3.3.1.min.js	unknown	binary	5.52 Kb	—
—	—	GET	200	139.180.156.199:443	https://139.180.156.199/jquery-3.3.1.min.js	unknown	binary	5.56 Kb	—

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
5892	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
5892	svchost.exe	23.48.23.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5892	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5728	1c51620beb680f07ec05d44399817f9b16a8f855560fa5a2fefdf632ec5ebafe.exe	139.180.156.199:443	—	AS-CHOOPA	SG	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	142.250.185.206	whitelisted
crl.microsoft.com	23.48.23.176 23.48.23.150 23.48.23.167 23.48.23.159 23.48.23.156 23.48.23.193 23.48.23.158 23.48.23.183 23.48.23.164	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
self.events.data.microsoft.com	20.42.65.88	whitelisted

General Info

1c51620beb680f07ec05d44399817f9b16a8f855560fa5a2fefdf632ec5ebafe

3FEB212900A0F894836CAFA28C047C51

6EDEC384E1992E3A0A00F939D98995EB7BF007D5

1C51620BEB680F07EC05D44399817F9B16A8F855560FA5A2FEFDF632EC5EBAFE

49152:nrUwk5CnKofJ3AK7gd2xf0a9BJL/0SEKoKRuvsuP8F1zyUcWScHE:nrUwkIJpBs2xsa9BJLKzv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Actions looks like stealing of personal data

COBALTSTRIKE has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Checks Windows Trust Settings

INFO

Checks supported languages

Reads the computer name

Checks proxy server information

Reads CPU info

The sample compiled with english language support

Reads the software policy settings

Reads the machine GUID from the registry

Malware configuration

CobalStrike

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Malware configuration

CobalStrike

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings