File name:

3.ps1

Full analysis: https://app.any.run/tasks/9b1a3971-211b-4f79-b936-2ca211565ca5
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: November 25, 2024, 19:03:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
cobaltstrike
backdoor
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (12594), with CRLF line terminators
MD5:

69C80576E5413DC4D0D60DE98439F649

SHA1:

2FE44C3F073E661EB0CD6DD2C5890B067743EA5D

SHA256:

85856010D3E63101C30A3D061DD55C758350030DD9B14794044A479860ABB37F

SSDEEP:

6144:tgCjcsHxN7zWkV4mne5klEz1/rxiAsmwAJhcEstTHo84ZbxGdnuFmlgC5fe5QLPO:tgC4sRNvW5Oe+cVroAsEJCE38QKOq7bu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 716)

    • COBALTSTRIKE has been detected (YARA)

      • powershell.exe (PID: 716)

    • COBALTSTRIKE has been detected (SURICATA)

      • powershell.exe (PID: 716)

  • SUSPICIOUS

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 716)

  • INFO

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 716)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 716)

    • Checks proxy server information

      • powershell.exe (PID: 716)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

CobalStrike

(PID) Process(716) powershell.exe
C2 (1)3.78.244.11/dot.gif
BeaconTypeHTTP
Port8080
SleepTime60000
MaxGetSize1048576
Jitter0
PublicKey-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCLig9WKqpeoGrJDrvhlmhaTXEo jwyJBGjEy7F6tRQvS9dbuSIu05PXXZ6lUMKqeyowjaN3NRQls77bt+XIQlOWaKtR RDJ8V4JyqoDWboN8jpNlDxFOp0DvhqSUSVEk7z9PKQyAYDwWAEoxgsG9zrnmRZZt iPeesUAd14coCHIY9QIDAQAB -----END PUBLIC KEY-----
DNS_strategyround-robin
DNS_strategy_rotate_seconds-1
DNS_strategy_fail_x-1
DNS_strategy_fail_seconds-1
SpawnTo00000000000000000000000000000000
Spawnto_x86%windir%\syswow64\rundll32.exe
Spawnto_x64%windir%\sysnative\rundll32.exe
CryptoScheme0
HttpGet_VerbGET
HttpPost_VerbPOST
HttpPostChunk0
Watermark987654321
bStageCleanupFalse
bCFGCautionFalse
UserAgentMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
HttpPostUri/submit.php
HttpGet_Metadata
SessionId (2)base64
header: Cookie
HttpPost_Metadata
ConstHeaders (1)Content-Type: application/octet-stream
SessionId (1)parameter: id
Output (1)print
bUsesCookies0001
Proxy_BehaviorUse IE settings
tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate0-0-0
bProcInject_StartRWXTrue
bProcInject_UseRWXTrue
bProcInject_MinAllocSize0
ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_Stubae5afcfee8026674dc8f3b4f2da46c7f
ProcInject_AllocationMethodVirtualAllocEx
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
118
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #COBALTSTRIKE powershell.exe conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
236\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
716"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\3.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
CobalStrike
(PID) Process(716) powershell.exe
C2 (1)3.78.244.11/dot.gif
BeaconTypeHTTP
Port8080
SleepTime60000
MaxGetSize1048576
Jitter0
PublicKey-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCLig9WKqpeoGrJDrvhlmhaTXEo jwyJBGjEy7F6tRQvS9dbuSIu05PXXZ6lUMKqeyowjaN3NRQls77bt+XIQlOWaKtR RDJ8V4JyqoDWboN8jpNlDxFOp0DvhqSUSVEk7z9PKQyAYDwWAEoxgsG9zrnmRZZt iPeesUAd14coCHIY9QIDAQAB -----END PUBLIC KEY-----
DNS_strategyround-robin
DNS_strategy_rotate_seconds-1
DNS_strategy_fail_x-1
DNS_strategy_fail_seconds-1
SpawnTo00000000000000000000000000000000
Spawnto_x86%windir%\syswow64\rundll32.exe
Spawnto_x64%windir%\sysnative\rundll32.exe
CryptoScheme0
HttpGet_VerbGET
HttpPost_VerbPOST
HttpPostChunk0
Watermark987654321
bStageCleanupFalse
bCFGCautionFalse
UserAgentMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
HttpPostUri/submit.php
HttpGet_Metadata
SessionId (2)base64
header: Cookie
HttpPost_Metadata
ConstHeaders (1)Content-Type: application/octet-stream
SessionId (1)parameter: id
Output (1)print
bUsesCookies0001
Proxy_BehaviorUse IE settings
tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate0-0-0
bProcInject_StartRWXTrue
bProcInject_UseRWXTrue
bProcInject_MinAllocSize0
ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_Stubae5afcfee8026674dc8f3b4f2da46c7f
ProcInject_AllocationMethodVirtualAllocEx
Total events
4 835
Read events
4 835
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
716powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF135fa7.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
716powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O9GPE0CQ375QLMGU1JG7.tempbinary
MD5:F3F257BF7AAD078872FC5387639CA3C1
SHA256:4E5DEC734E69B96591F958879641E0406A11E62582BF698912797B1220584343
716powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:F3F257BF7AAD078872FC5387639CA3C1
SHA256:4E5DEC734E69B96591F958879641E0406A11E62582BF698912797B1220584343
716powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cyb2vdzi.4gq.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
716powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_p4jfg5xb.fr1.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
20
DNS requests
9
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
372
svchost.exe
GET
200
2.19.198.194:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.19.198.194:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
716
powershell.exe
GET
3.78.244.11:8080
http://3.78.244.11:8080/dot.gif
unknown
unknown
4712
MoUsoCoreWorker.exe
GET
200
23.205.93.127:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
372
svchost.exe
GET
200
23.205.93.127:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
372
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
104.126.37.155:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
372
svchost.exe
2.19.198.194:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.19.198.194:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
716
powershell.exe
3.78.244.11:8080
AMAZON-02
DE
malicious
372
svchost.exe
23.205.93.127:80
www.microsoft.com
AKAMAI-AS
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
  • 51.104.136.2
whitelisted
www.bing.com
  • 104.126.37.155
  • 104.126.37.171
  • 104.126.37.178
  • 104.126.37.152
  • 104.126.37.170
  • 104.126.37.185
  • 104.126.37.162
  • 104.126.37.179
  • 104.126.37.153
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 2.19.198.194
  • 23.32.238.34
whitelisted
www.microsoft.com
  • 23.205.93.127
whitelisted
self.events.data.microsoft.com
  • 104.208.16.91
whitelisted

Threats

PID
Process
Class
Message
716
powershell.exe
A Network Trojan was detected
BACKDOOR [ANY.RUN] Possible Cobalt Strike Beacon
716
powershell.exe
Targeted Malicious Activity was Detected
ET MALWARE Cobalt Strike Beacon Observed
No debug info