cobaltstrike | 3bcd733dfb7cceaf17b0685876f7b66928cb915ab99424d9d14746e4b622a853

General

Target

PL32.dll
Size

129KB
MD5

6becfb436010b3ddbf4fe7e620c26913
SHA1

20db1ecd4c46cca485017dcb6cab801f90da10e3
SHA256

3bcd733dfb7cceaf17b0685876f7b66928cb915ab99424d9d14746e4b622a853
SHA512

59167af88678f067d3258530f062fd99e3b4a478bfdc34937e187cd662749525a86133a01809ae1d5f90afcdd9368c182671e2ae3169019d0743cbd2b732cf55

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://er.driversna.com:443/media

http://df.driversna.com:443/fo

http://cv.driversna.com:443/media

Attributes

access_type
512
beacon_type
2048
create_remote_thread
0
day
0
dns_idle
4.5673843e+07
dns_sleep
1.694498816e+09
host
er.driversna.com,/media,df.driversna.com,/fo,cv.driversna.com,/media
http_header1
AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAACwAAAAMAAAACAAAABUhTSUQ9AAAABgAAAAZDb29raWUAAAAJAAAADmRicHJlZml4PWZhbHNlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAVQWNjZXB0LUVuY29kaW5nOiBnemlwAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAAAAAcAAAABAAAACAAAAAMAAAACAAAACWRicHJlZml4PQAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
injection_process
jitter
10496
maxdns
255
month
0
pipe_name
polling_time
59957
port_number
443
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\regsvr32.exe
sc_process64
%windir%\sysnative\regsvr32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjAX68sewYZJjpqnXffGvEpuKnWAUCV3KlxJ4CoM+2HFSmT00/IHjJUOYEXMrClE5CUDj2v8aGxUtojZBY8FlfcpQ3e57Qu70ZSp2CoiGaMF9vRza/16UqA1giNQESZorQf962VJoNg/SKqWaZC+nFzkaUbDRebBcHK5lCw4qjbwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.272630272e+09
unknown2
AAAABAAAAAIAAAFSAAAAAwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
0
unknown5
0
uri
/eo
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9
year
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1992 wrote to memory of 1440	1992	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 1440	1992	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 1440	1992	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 1440	1992	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 1440	1992	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 1440	1992	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 1440	1992	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\PL32.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\PL32.dll
  2⤵
  PID:1440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1076-1-0x000007FEF6850000-0x000007FEF6ACA000-memory.dmp

Filesize
2.5MB

Download
memory/1440-0-0x0000000000000000-mapping.dmp

Download
memory/1440-2-0x0000000002740000-0x00000000027C2000-memory.dmp

Filesize
520KB

Download
memory/1440-3-0x0000000002740000-0x00000000027C2000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing