cobaltstrike | 1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2

General

Target

1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2.dll
Size

202KB
MD5

4365a73b7ddbdff6e25bfcbb3778918b
SHA1

5bb622f8e35dcad4bf939884b5e62a76f4cebfc1
SHA256

1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2
SHA512

0bac9b01bd02336b0d9e72dc75a2ec374cd41a4e40f3566a35002ab968cbc230afaeac8a32a43768288a8698ba3769bb3e457e22271bb0f86bdfc5fa2b8007d8

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://ns.2018test.com:80/ca

http://ns1.2018test.com:80/ga.js

Attributes

access_type
512
beacon_type
256
create_remote_thread
256
day
0
dns_idle
0
dns_sleep
0
host
ns.2018test.com,/ca,ns1.2018test.com,/ga.js
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
injection_process
jitter
0
maxdns
255
month
0
pipe_name
\\%s\pipe\msagent_%x
polling_time
60000
port_number
80
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgNfIU8hRaf78nQi6sA2J+cdQ2zlAluBmtXKo90Lnri1l6cI2PzT4pncx1dyOe2SHQLEN8jx5j3b88Q64TirXQ7jgt+oLQcU8S5qt3tbflGp8mz6sI4WPwtp8ZgUctyPPYD1PPXRop/GCoJw1G6MOusZo+jCChd2PDYQ+KAN+c8QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
256
unknown5
0
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LBBROWSER)
year
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

ServiceHost packer 4 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/1048-2-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1048-3-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1048-4-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1048-5-0x0000000000000000-mapping.dmp	servicehost

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2136 1048 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2136	1048	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2136 WerFault.exe
Token: SeBackupPrivilege 2136 WerFault.exe
Token: SeDebugPrivilege 2136 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	2136	WerFault.exe
Token: SeBackupPrivilege	2136	WerFault.exe
Token: SeDebugPrivilege	2136	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 936 wrote to memory of 1048	936	rundll32.exe	rundll32.exe
PID 936 wrote to memory of 1048	936	rundll32.exe	rundll32.exe
PID 936 wrote to memory of 1048	936	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2.dll,#1
2⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 660
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-0-0x0000000000000000-mapping.dmp

Download
memory/1048-2-0x0000000000000000-mapping.dmp

Download
memory/1048-3-0x0000000000000000-mapping.dmp

Download
memory/1048-4-0x0000000000000000-mapping.dmp

Download
memory/1048-5-0x0000000000000000-mapping.dmp

Download
memory/2136-1-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/2136-6-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads