cobaltstrike

General

Target

cobaltstrike_shellcode.bin (1).zip
Size

187KB
Sample

201116-sxj923kskx
MD5

e2cfccc39bd989ba47337ba94a6a5ccc
SHA1

fe9bd998cdede8170ee4428004ca84632687b6f0
SHA256

2b0df16d6ea20b06a52e00a4b7bb85d7b18195b28f8bee28c1672946139803c1
SHA512

37e02ce284cd3800f32ff7d66aadd5835258dbab7117d4a13e32a8800f8fe13e906c5d8c8e3cbe542b8040ee0301752552236ddd901440f9f75fe7051e6f4083

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

C2

http://47.91.237.42:8898/IE9CompatViewList.xml

Attributes

access_type
512
host
47.91.237.42,/IE9CompatViewList.xml
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
8898
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.1)

Targets

- Target
  
  cobaltstrike_shellcode.bin
- Size
  
  219KB
- MD5
  
  8e4d8b8796d2188324a0cfd6fdc8de92
- SHA1
  
  9e7a053d34eb00e732e470bc28cc1fa4aa030b8f
- SHA256
  
  1ae532cc0fa2e16cac4f23e289741e256cf517afbbb536aeeb0d7cd601bc05a1
- SHA512
  
  db4ced8b71b63a7bd48a5bf96270e99c7380865ec31e875b9e0862535298828f4bbae3a4feeb52ef507a8ba461b744c1ce338e3ed191e90cb7079f209ecdbcf3
Score

10^/10

cobaltstrike nanocore backdoor evasion keylogger persistence spyware stealer trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Adds policy Run key to start application
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Adds Run key to start application
  persistence
behavioral1