cobaltstrike | b48d3ae5fa7696774dfdad64078ca260f5121c03fca80fc53c0caf0bf346aeb1

General

Target

btc.exe
Size

161KB
MD5

0555493303b805edc68e153d013e6b30
SHA1

4c5a730e08120aac73369a893239268c56265d97
SHA256

b48d3ae5fa7696774dfdad64078ca260f5121c03fca80fc53c0caf0bf346aeb1
SHA512

4f7cdc3183e6868128d65ce1fb3062a638fd45108a263030654adaa6f2d3054753b4d8d6c40b12a76a988ae546f4604ea5e4e0f30312c6e7d49d9827eb98753e

Score

10^/10

cobaltstrike metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://www.impulse-static.com:443/site/content/jquery-3.3.1.slim.min.js

Extracted

Family

cobaltstrike

C2

http://www.impulse-static.com:443/site/jquery-3.3.1.min.js

http://www.shark-knifes.com:443/site/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
create_remote_thread
0
day
0
dns_idle
3.7054228e+09
dns_sleep
0
host
www.impulse-static.com,/site/jquery-3.3.1.min.js,www.shark-knifes.com,/site/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuZ2l0aHViLmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuZ2l0aHViLmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
injection_process
jitter
5888
maxdns
255
month
0
pipe_name
polling_time
10000
port_number
443
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCIWFGzNKTst4Ksfub0bQSX5/CUWz/iN8e3Xl47TQNwtX9sqe1eYQ+J+W3Oc5ed0KqxL43LuWKHIn3o9ilVAqQ7zJFDyNWIwqjccImGdt8B7ktOmxuvzmxJvBN3Eg4PhcJQP82MsxB+F5QJuJ8rAxfzwhhewLHOf5vm9fnXH05ERwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
0
unknown5
1
uri
/site/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
year
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Suspicious use of SetThreadContext 1 IoCs

Processes:

btc.exe

description pid process target process

PID 1028 set thread context of 476 1028 btc.exe btc.exe

description	pid	process	target process
PID 1028 set thread context of 476	1028	btc.exe	btc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

btc.exe

description	pid	process	target process
PID 1028 wrote to memory of 476	1028	btc.exe	btc.exe
PID 1028 wrote to memory of 476	1028	btc.exe	btc.exe
PID 1028 wrote to memory of 476	1028	btc.exe	btc.exe
PID 1028 wrote to memory of 476	1028	btc.exe	btc.exe
PID 1028 wrote to memory of 476	1028	btc.exe	btc.exe
PID 1028 wrote to memory of 476	1028	btc.exe	btc.exe
PID 1028 wrote to memory of 476	1028	btc.exe	btc.exe
PID 1028 wrote to memory of 476	1028	btc.exe	btc.exe
PID 1028 wrote to memory of 476	1028	btc.exe	btc.exe
PID 1028 wrote to memory of 476	1028	btc.exe	btc.exe
PID 1028 wrote to memory of 476	1028	btc.exe	btc.exe
PID 1028 wrote to memory of 476	1028	btc.exe	btc.exe

C:\Users\Admin\AppData\Local\Temp\btc.exe
"C:\Users\Admin\AppData\Local\Temp\btc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Local\Temp\btc.exe
"C:\Users\Admin\AppData\Local\Temp\btc.exe"
2⤵
PID:476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/476-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/476-5-0x00000000004014B0-mapping.dmp

Download
memory/476-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/476-7-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/476-8-0x0000000003E00000-0x0000000004272000-memory.dmp

Filesize
4.4MB

Download
memory/476-9-0x0000000003E00000-0x0000000004272000-memory.dmp

Filesize
4.4MB

Download
memory/1028-2-0x00000000006B9000-0x00000000006BA000-memory.dmp

Filesize
4KB

Download
memory/1028-3-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads