cobaltstrike | 268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2

General

Target

268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe
Size

5.2MB
MD5

66f4be2e4d29f54298d092332194a472
SHA1

0c7b1e834d5032bbdd8dda4bea5b40740c9d3c13
SHA256

268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2
SHA512

d5faaa165eb178d1e4ba54908fe55329a3c447afc3fdedc9c3e63c73a5b98725c2bb3ce4210c7c47af61d611dae618fb5e649a078ec18799d1cd92e628dafbcb

Score

10^/10

cobaltstrike backdoor trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 3 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\yrwnBOm.exe	cobalt_reflective_dll
C:\Windows\system\yrwnBOm.exe	cobalt_reflective_dll
\Windows\system\XNBEoQj.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

yrwnBOm.exe

pid process

2040 yrwnBOm.exe

pid	process
2040	yrwnBOm.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\system\yrwnBOm.exe	upx
C:\Windows\system\yrwnBOm.exe	upx
\Windows\system\XNBEoQj.exe	upx

Loads dropped DLL 2 IoCs

Processes:

268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe

pid	process
1304	268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe
1304	268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe

JavaScript code in executable 3 IoCs

Processes:

resource	yara_rule
\Windows\system\yrwnBOm.exe	js
C:\Windows\system\yrwnBOm.exe	js
\Windows\system\XNBEoQj.exe	js

Drops file in Windows directory 2 IoCs

Processes:

268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe

description	ioc	process
File created	C:\Windows\System\yrwnBOm.exe	268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe
File created	C:\Windows\System\XNBEoQj.exe	268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe

description	pid	process	target process
PID 1304 wrote to memory of 2040	1304	268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe	yrwnBOm.exe
PID 1304 wrote to memory of 2040	1304	268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe	yrwnBOm.exe
PID 1304 wrote to memory of 2040	1304	268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe	yrwnBOm.exe
PID 1304 wrote to memory of 1944	1304	268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe	XNBEoQj.exe
PID 1304 wrote to memory of 1944	1304	268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe	XNBEoQj.exe
PID 1304 wrote to memory of 1944	1304	268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe	XNBEoQj.exe

C:\Users\Admin\AppData\Local\Temp\268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe
"C:\Users\Admin\AppData\Local\Temp\268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\System\yrwnBOm.exe
C:\Windows\System\yrwnBOm.exe
2⤵
- Executes dropped EXE
PID:2040

C:\Windows\System\XNBEoQj.exe
C:\Windows\System\XNBEoQj.exe
2⤵
PID:1944

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\yrwnBOm.exe
MD5
bc0bd8486c4db1242ade6b59fd1a4a56

SHA1
4091105a6fa0f5eb8e15ce7997a7c1ec514fd8f9

SHA256
85846a4d5992af9b6eba1eee90b134db213c396aca6f6202e2bf61cdfe0fc1a2

SHA512
7be41ec3fa388eecb8f2e5e9fcfbb510f6fcf6f1dc22f47071fa4e30cae4527be0ea7223c9224d0b6ccbe0354658b3326abba2e5af6e24e1602a442c5c28f5ff

Download Submit
\Windows\system\XNBEoQj.exe
MD5
696003700b2de8dd07791b6be667db64

SHA1
65bcf5727b4d9903ca6fc2c8299037219a52d80b

SHA256
a17e49a2c742c678e55b2f76eb18c11f1fec4852ac99a56c947a2c73a3398741

SHA512
a69f3cbcdc749b390ed497b2172df93df27c49a04e23cdd9e196e9ffa06ac903bfed6331801df33dcc00c93acc77f9423d42e7da8508c2e3a0ec878858752078

Download Submit
\Windows\system\yrwnBOm.exe
MD5
bc0bd8486c4db1242ade6b59fd1a4a56

SHA1
4091105a6fa0f5eb8e15ce7997a7c1ec514fd8f9

SHA256
85846a4d5992af9b6eba1eee90b134db213c396aca6f6202e2bf61cdfe0fc1a2

SHA512
7be41ec3fa388eecb8f2e5e9fcfbb510f6fcf6f1dc22f47071fa4e30cae4527be0ea7223c9224d0b6ccbe0354658b3326abba2e5af6e24e1602a442c5c28f5ff

Download Submit
memory/1944-4-0x0000000000000000-mapping.dmp

Download
memory/2040-1-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads