cobaltstrike

General

Target

TestResult.zip
Size

108KB
Sample

210420-jeneqhq132
MD5

f0c5c9785ef63db95c26bd0f8a3c13ea
SHA1

b7786bb7954e4b65b7da2de54a09302d600155bd
SHA256

e04483ab37a7a4fcd87bf84c4115b64bd1ff3ca162d40437a44d0659545bc2af
SHA512

ba96547470eb077d78592b37662761d733e5d74373ffe315f064608ab9b5ad83f3ef593fbfcaa06a52931c9db4d4f2de19b23247a3e129f03962f19d839d9144

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Version

windows/download_exec

C2

http://0x142f6ca3:443/images/IT_Showcase_Webinar_Security_3000x300.jpg

Extracted

Family

cobaltstrike

C2

http://0x142f6ca3:443/munchkin.js

Attributes

access_type
256
beacon_type
2048
host
0x142f6ca3,/munchkin.js
http_header1
AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAACwAAAAMAAAACAAAABU1VSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAvQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQAAAAHAAAAAQAAAA8AAAADAAAAAgAAAAlta3RvbmFtZT0AAAAEAAAABwAAAAAAAAADAAAAAgAAAANpZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9984
polling_time
59069
port_number
443
sc_process32
%windir%\syswow64\mobsync.exe
sc_process64
%windir%\sysnative\mobsync.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6O3B28PchczaYlnPWJYrGrCrx6yFYBpvcCVn8LzaF/Ma6fdTr586chcbQgmWYXFUe1NuCgfalGftLZgQB5oDcpcMyWB7MRLMY0BKmF1gpuDHL3FuCOrDVYNFjYPsYTOEENhUv2HRxAo5Z6UXjHf4tTwJSprk7IHUHiRKJ7CXV3wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.852972032e+09
unknown2
AAAABAAAAAIAAACmAAAAAwAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/munchkin.marketo.net
user_agent
Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; RM-1152) AppleWebKit/537.36 (KHTML, like Gecko)

Targets

- Target
  
  DocuSign.html
- Size
  
  151KB
- MD5
  
  9b9ad81357a59408205adf90a0ecfd77
- SHA1
  
  dc29234044025144428d9fa5a7b2a7881e7fcd81
- SHA256
  
  2d33b98c1750589a3361aaab5533d224f76b2972f6fca27978f09805ae9b8512
- SHA512
  
  961ebffffdb0e694cc51ba1831bdb9b3e63ff14b01745f342964974b6b495806f98083586be769d8e795b0f692a22013503129c8feb75ec85fef5e47ebee9250
Score

10^/10

cobaltstrike backdoor persistence trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Downloads MZ/PE file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2