cobaltstrike | cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282

General

Target

cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe
Size

359KB
MD5

57bf3c874ff8ed969f1143fa2062ae10
SHA1

ae0ca9ae228e02e4ade519522fa138b9ddcf140d
SHA256

cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282
SHA512

327ca8b68cd2a66bf5d48c1a08fd1c8d0028994c1919c2a395603bb1b63548cf272336e85d9c24ab89c875c981dfd98068bdf5eca80379781daebc67944c1e1c

Score

10^/10

cobaltstrike 3 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

3

C2

http://37.48.83.137:443/IE9CompatViewList.xml

Attributes

access_type
512
beacon_type
2048
host
37.48.83.137,/IE9CompatViewList.xml
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpyVsNxvUnU8+DBd95pLv9P5RIcadvZxqLJrbqCn7Tuy1K2KKdrcdB89aQG1HLXb8b4r8uYhWAwS4zVb7OoPqt+hD7AaC9q2YO1UDVBkQyyiQIiF0EzFdW39S7nkjPLecVHM1Otym5AZMjhT4vOfsp3M14yORvFdco/8xwP3sjDwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; ; NCLIENT50_AAPCDA5841E333)
watermark
3

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of SetThreadContext 1 IoCs

Processes:

cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe

description	pid	process	target process
PID 308 set thread context of 1788	308	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe

description	pid	process	target process
PID 308 wrote to memory of 1788	308	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe
PID 308 wrote to memory of 1788	308	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe
PID 308 wrote to memory of 1788	308	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe
PID 308 wrote to memory of 1788	308	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe
PID 308 wrote to memory of 1788	308	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe
PID 308 wrote to memory of 1788	308	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe
PID 308 wrote to memory of 1788	308	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe
PID 308 wrote to memory of 1788	308	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe
PID 308 wrote to memory of 1788	308	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe
PID 308 wrote to memory of 1788	308	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe
PID 308 wrote to memory of 1788	308	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe
PID 308 wrote to memory of 1788	308	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe
PID 308 wrote to memory of 1788	308	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe	cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe

C:\Users\Admin\AppData\Local\Temp\cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe
"C:\Users\Admin\AppData\Local\Temp\cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:308
- C:\Users\Admin\AppData\Local\Temp\cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe
  "C:\Users\Admin\AppData\Local\Temp\cf114f501904c9338cb494b7241831d10898e771b9133e069de114e42a974282.exe"
  2⤵
  PID:1788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/308-61-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/1788-59-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1788-60-0x00000000004014B0-mapping.dmp

Download
memory/1788-62-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1788-63-0x0000000000450000-0x0000000000485000-memory.dmp

Filesize
212KB

Download
memory/1788-64-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/1788-65-0x0000000000490000-0x00000000004D5000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing