cobaltstrike | 4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8

General

Target

4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8.exe
Size

844KB
MD5

3dfc20d3780cb61f0654ef3116bdc8bb
SHA1

5efe6acfb7e80c23f5734b020578f032342fc77d
SHA256

4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8
SHA512

227904c9efe3ded15599ab1a555aee56721fc0059a0c8b4c42dee5c8c6208434b4ed72c0d878c98c21fec0695569e98fb99fb4781f88fa3eca7256bb560abd90

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://fashmie.com:443/assets/environment-f0a84e0c1.js

Attributes

access_type
512
beacon_type
2048
create_remote_thread
0
day
0
dns_idle
0
dns_sleep
0
host
fashmie.com,/assets/environment-f0a84e0c1.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAbUmVmZXJlcjogaHR0cDovL2dvb2dsZS5jb20vAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAA0AAAACAAAAE19fQ2h1bmtTZXNzaW9uRGF0YT0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfUmVmZXJlcjogaHR0cDovL3d3dy5nb29nbGUuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAPAAAADQAAAAUAAAAQX19DaHVua0F1dGhUb2tlbgAAAAcAAAABAAAADwAAAA0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
injection_process
jitter
9472
maxdns
0
month
0
pipe_name
polling_time
25000
port_number
443
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\dllhost1.exe
sc_process64
%windir%\sysnative\dllhost1.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDa14pI+KHc4hacVJaYyMZHO0bzpDtNhP+JNn5mApEDAj9xpSHnp8rVq0Ekc9691bMZnfxnHdhxmXcSdPtBtI/nTtBlOnO/FZx9YuRssfXOP63XJ5eosw0DH6V5MM5EtAGUAlxGRS0okFP14AH9ACPjPhNXKgUhfGoWfDbnpwJnQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.3969984e+09
unknown2
AAAABAAAAAEAAAAyAAAAAgAAACQAAAACAAAlGQAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
0
unknown5
0
uri
/assets/chunk-vendor-4c69db4f.js
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
year
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8.exe

description	pid	process	target process
PID 1080 wrote to memory of 2024	1080	4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8.exe	upnpcont.exe
PID 1080 wrote to memory of 2024	1080	4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8.exe	upnpcont.exe
PID 1080 wrote to memory of 2024	1080	4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8.exe	upnpcont.exe
PID 1080 wrote to memory of 2024	1080	4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8.exe	upnpcont.exe

C:\Users\Admin\AppData\Local\Temp\4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8.exe
"C:\Users\Admin\AppData\Local\Temp\4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\system32\upnpcont.exe
upnpcont.exe
2⤵
PID:2024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1080-60-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1080-63-0x0000000001D60000-0x0000000001E1F000-memory.dmp

Filesize
764KB

Download
memory/2024-61-0x0000000000000000-mapping.dmp

Download
memory/2024-62-0x0000000001C90000-0x0000000002102000-memory.dmp

Filesize
4.4MB

Download
memory/2024-64-0x0000000000060000-0x00000000000A0000-memory.dmp

Filesize
256KB

Download
memory/2024-65-0x000007FEFB631000-0x000007FEFB633000-memory.dmp

Filesize
8KB

Download
memory/2024-66-0x0000000001C90000-0x0000000002102000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing