Trojan.CobaltStrike.TQ
Analysis Report
General information
| Family Name: | Trojan.CobaltStrike.TQ |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have resources
- File doesn't have security information
- File has TLS information
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Company Name | |
| File Description | |
| File Title | |
| File Version | |
| Legal Copyright | |
| Legal Trademark | |
| Product Name | |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.
| Signer | Root | Status |
|---|---|---|
| ESL FACEIT Group Ltd. | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch |
| Figma, Inc. | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch |
| Google LLC | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch |
| Rockstar Games, Inc. | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch |
| COGNOSPHERE PTE. LTD. | DigiCert Trusted Root G4 | Hash Mismatch |
| Exodus Movement, Inc. | DigiCert Trusted Root G4 | Hash Mismatch |
| Google LLC | DigiCert Trusted Root G4 | Hash Mismatch |
| Telegram FZ-LLC | GlobalSign GCC R45 EV CodeSigning CA 2020 | Hash Mismatch |
| EasyAntiCheat Oy | GlobalSign Root CA | Hash Mismatch |
| Microsoft Corporation | Microsoft Code Signing PCA 2010 | Hash Mismatch |
| Microsoft Corporation | Microsoft Code Signing PCA 2011 | Hash Mismatch |
| Microsoft Windows | Microsoft Windows Production PCA 2011 | Hash Mismatch |
| Akeo Consulting | Sectigo Public Code Signing Root R46 | Hash Mismatch |
File Traits
- GetConsoleWindow
- HighEntropy
- Installer Version
- No Version Info
- ntdll
- WriteProcessMemory
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 106 |
|---|---|
| Potentially Malicious Blocks: | 42 |
| Whitelisted Blocks: | 64 |
| Unknown Blocks: | 0 |
Visual Map
Block sequence in file order (106 blocks, grouped by ten):
000000x0xx 0x00000000 0000000000 0000000000 0000000000 0000000000 x0xxxxxxxx xxx0xxxxx0 xx0xx0xx0x xxxxx0xxxx x0xxxx
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Agent.DEAA
- Agent.DEAB
- CobaltStrike.RG
- CobaltStrike.SR
- CobaltStrike.SU
- CobaltStrike.TQ
- Coinminer.LM
- Downloader.Agent.DTB
- Kryptik.UGB
- Kryptik.UGC
- Kryptik.UGD
- Reflo.B
- Spyloader.M
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| \device\namedpipe\dav rpc service | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| \device\namedpipe\pshost.133994748194543332.4660.defaultappdomain.powershell | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134128177768319458.7316.defaultappdomain.powershell | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134128177774390731.7984.defaultappdomain.powershell | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134137455048761998.6900.defaultappdomain.powershell | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\wkssvc | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c | Generic Write |
| c:\programdata | Generic Write |
| c:\programdata\microsoft | Generic Write |
| c:\programdata\microsoft\windows | Generic Write |
| c:\programdata\microsoft\windows\msautoconfig.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\programdata\windowsconfig | Generic Write |
| c:\programdata\windowsconfig\syswncfgd.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\programdata\winmgr | Generic Write |
| c:\programdata\winmgr\syswinprdrvc.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\public\libraries\svchost.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\public\libraries\svchost.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_0twrop2u.ptu.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_1sujorhh.pog.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_ec4whpij.xm1.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_hxi054ww.k4k.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_l5wjqcpk.ybk.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_poful534.4on.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_xnbmjwyh.oih.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_y5payzvd.fmj.psm1 | Generic Write,Read Attributes |
| c:\windows\temp\2725890.ps1 | Generic Write,Read Attributes |
| c:\windows\temp\2731281.ps1 | Generic Write,Read Attributes |
| c:\windows\temp\debug_log.txt | Generic Write,Read Attributes |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.
| Key::Value | Data | API Name |
|---|---|---|
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | ȄܫǛ | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 蠋ݣǛ | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | ްǛ | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 폵Ǜ | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | ᪙矩ஃǜ | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 筩ೡ粊ǜ | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 攄ഌ粊ǜ | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 녭ഹ粊ǜ | RegNtPreCreateKey |
| HKCU\ms-settings\shell\open\command:: | "C:\Users\Public\Libraries\svchost.exe" | RegNtPreCreateKey |
| HKCU\ms-settings\shell\open\command::delegateexecute | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix | Cookie: | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix | Visited: | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 蓝ǜ | RegNtPreCreateKey |
| HKLM\system\controlset001\control\ci\policy::vulnerabledriverblocklistenable | | RegNtPreCreateKey |
| HKLM\system\controlset001\control\ci\policy::driverblocklistenable | | RegNtPreCreateKey |
| HKLM\system\controlset001\control\ci\config::vulnerabledriverblocklistenable | | RegNtPreCreateKey |
| HKLM\system\controlset001\control\ci\config::driverblocklistenable | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 蘍蓝ǜ | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 䩕b赍ǜ | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Syscall Use | 315 additional items are not displayed. |
| Anti Debug | |
| User Data Access | |
| Process Shell Execute | |
| Process Terminate | |
| Encryption Used | |
| Other Suspicious | |
| Process Manipulation Evasion | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
- WriteConsole: [SC] OpenService
- WriteConsole: [SC] CreateServi
- WriteConsole: [SC] ControlServ
- WriteConsole: [SC] StartServic
- (NULL) ComputerDefaults.exe
- open ms-settings:defaultapps
- powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Windows\Temp\2731281.ps1"
- powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Windows\Temp\2725890.ps1"