File name: 947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626

Full analysis: https://app.any.run/tasks/0b6b23ac-1814-4231-b35c-d27761aefda8
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: December 14, 2024, 02:14:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
cobaltstrike
backdoor
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 8 sections
MD5: 21AEE823633E17B7FBE3AF8C5B49F2A1
SHA1: 35D196273009AC0AAB174662BDE3AF12CBAF595C
SHA256: 947B389E989AD941EA4F45B29B29F5DF1B3EFF4D05CDCC970D8982669E627626
SSDEEP: 49152:Fg607bX62X+K+J0svLK8511VdtlsFGLjGtjFBWDpyOc:G7u56R85LZlsK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • COBALTSTRIKE has been detected (SURICATA)

      • 947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe (PID: 6456)
    • COBALTSTRIKE has been detected (YARA)

      • 947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe (PID: 6456)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe (PID: 6456)
    • There is functionality for taking screenshot (YARA)

      • 947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe (PID: 6456)
    • Connects to unusual port

      • 947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe (PID: 6456)
  • INFO

    • Reads the computer name

      • 947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe (PID: 6456)
    • Checks proxy server information

      • 947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe (PID: 6456)
    • Checks supported languages

      • 947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe (PID: 6456)
    • Application based on Golang

      • 947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe (PID: 6456)
    • Reads the machine GUID from the registry

      • 947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe (PID: 6456)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

Subsystem: Windows command line
SubsystemVersion: 6.1
ImageVersion: 1
OSVersion: 6.1
EntryPoint: 0x6ee40
UninitializedDataSize: -
InitializedDataSize: 93696
CodeSize: 770048
LinkerVersion: 3
PEType: PE32+
ImageFileCharacteristics: Executable, Large address aware
TimeStamp: 0000:00:00 00:00:00
MachineType: AMD AMD64
No data.
Total processes: 119
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process tree: start → 947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe (#COBALTSTRIKE) → conhost.exe (no specs)

Process information

PID: 6456
CMD: "C:\Users\admin\Desktop\947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe"
Path: C:\Users\admin\Desktop\947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\users\admin\desktop\947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\bcryptprimitives.dll
  • c:\windows\system32\powrprof.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\umpdc.dll

PID: 6464
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
Total events: 507
Read events: 507
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
HTTP(S) requests: 8
TCP/UDP connections: 22
DNS requests: 8
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
640 | svchost.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
640 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
6456 | 947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe | GET | 200 | 206.206.76.193:10010 | http://206.206.76.193:10010/uf8J | - | unknown | - | -
6456 | 947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe | GET | 200 | 206.206.76.193:10010 | http://206.206.76.193:10010/dot.gif | - | unknown | - | -
6456 | 947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe | GET | 200 | 206.206.76.193:10010 | http://206.206.76.193:10010/dot.gif | - | unknown | - | -
6456 | 947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe | GET | 200 | 206.206.76.193:10010 | http://206.206.76.193:10010/dot.gif | - | unknown | - | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
640 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 2.23.209.187:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
6456 | 947b389e989ad941ea4f45b29b29f5df1b3eff4d05cdcc970d8982669e627626.exe | 206.206.76.193:10010 | - | ATT-INTERNET4 | US | malicious
4712 | MoUsoCoreWorker.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
640 | svchost.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146, 20.73.194.208 | whitelisted
www.bing.com | 2.23.209.187, 2.23.209.149, 2.23.209.182, 2.23.209.140, 2.23.209.133 | whitelisted
google.com | 142.250.181.238 | whitelisted
crl.microsoft.com | 2.16.164.106, 2.16.164.49 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
self.events.data.microsoft.com | 51.116.246.104 | whitelisted

Threats

Class | Message
A Network Trojan was detected | ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
Targeted Malicious Activity was Detected | ET MALWARE Cobalt Strike Beacon Observed
A Network Trojan was detected | BACKDOOR [ANY.RUN] Possible Cobalt Strike Beacon
Targeted Malicious Activity was Detected | ET MALWARE Cobalt Strike Beacon Observed
A Network Trojan was detected | BACKDOOR [ANY.RUN] Possible Cobalt Strike Beacon
Targeted Malicious Activity was Detected | ET MALWARE Cobalt Strike Beacon Observed
A Network Trojan was detected | BACKDOOR [ANY.RUN] Possible Cobalt Strike Beacon
No debug info