cobaltstrike | 7f139e55e24e25c6544a78d48a04400430a3431830e694ee0946d90075ec2a9c

General

Target

svhost.dll
Size

1006KB
MD5

5db0b77b9d1256aa8da7e50955897a41
SHA1

0936e308ce2b644c28000e52ab40b0a1158e6135
SHA256

7f139e55e24e25c6544a78d48a04400430a3431830e694ee0946d90075ec2a9c
SHA512

254e97e4e526b7750abc3619d78325a05fabeeef882b6d4fb623ef30aa00b66d102b49b706c8676be98c98afd8dd2dd1851e4b32aa375f98aba9c4f04a070ce3

Score

10^/10

cobaltstrike metasploit 1359593325 backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://silenceel.com:443/components/ml.ico

Extracted

Family

cobaltstrike

Botnet

1359593325

C2

http://silenceel.com:443/r-arrow

Attributes

access_type
512
beacon_type
2048
host
silenceel.com,/r-arrow
http_header1
AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAADwAAAAMAAAACAAAABUhTSUQ9AAAABgAAAAZDb29raWUAAAAJAAAACGxuZz10cnVlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAvQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQAAAAHAAAAAQAAAA8AAAADAAAAAgAAAAlpbnRlcnZhbD0AAAAEAAAABwAAAAAAAAADAAAAAgAAAA5fX3Nlc3Npb25fX2lkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
10496
polling_time
55765
port_number
443
sc_process32
%windir%\syswow64\svchost.exe
sc_process64
%windir%\sysnative\svchost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCg1s8nsVS0MGr4a72S/1h53pgJgOcCI/ILpy3XmwVUZkTkMTi0RMFTYEJ2k6YwvQMwlB1gXHJ/gzfurcgmIW1qLoGlTzCG1G52mWyBvpBN7DOycUxH3Ki8bwBN3q/OZdatBA+9XAPjy1x86ax5nBGQ0tZAtBRDzhLXPu3SZZu/yQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
7.8457344e+07
unknown2
AAAABAAAAAIAAAJYAAAAAwAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/fo
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; WOW64.1 ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.43 Safari/537.36
watermark
1359593325

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
7	2016	rundll32.exe
8	2016	rundll32.exe
9	2016	rundll32.exe
10	2016	rundll32.exe
11	2016	rundll32.exe
12	2016	rundll32.exe
13	2016	rundll32.exe
14	2016	rundll32.exe
15	2016	rundll32.exe
16	2016	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1268 wrote to memory of 2016	1268	rundll32.exe	rundll32.exe
PID 1268 wrote to memory of 2016	1268	rundll32.exe	rundll32.exe
PID 1268 wrote to memory of 2016	1268	rundll32.exe	rundll32.exe
PID 1268 wrote to memory of 2016	1268	rundll32.exe	rundll32.exe
PID 1268 wrote to memory of 2016	1268	rundll32.exe	rundll32.exe
PID 1268 wrote to memory of 2016	1268	rundll32.exe	rundll32.exe
PID 1268 wrote to memory of 2016	1268	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\svhost.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\svhost.dll,#1
2⤵
- Blocklisted process makes network request
PID:2016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2016-59-0x0000000000000000-mapping.dmp

Download
memory/2016-60-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/2016-61-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2016-63-0x0000000002D40000-0x0000000003140000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads