cobaltstrike | b735bf8a33209f968ae46a4f632bc07bff6ea83f66130934365b5be363657fd4

General

Target

fd3f386397ab9f626b2888e40a7998c9.exe
Size

6.1MB
MD5

fd3f386397ab9f626b2888e40a7998c9
SHA1

a53c33779e705674531c5bf7af547e54107282f4
SHA256

b735bf8a33209f968ae46a4f632bc07bff6ea83f66130934365b5be363657fd4
SHA512

ce9f20694070d50ed1dee7dfd81b4a6428ad1129804f5ce41b4a0141be097795c197762363c8817041799177c057a9b654b63ea17e053eee65c4616d8858958e

Score

10^/10

cobaltstrike 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://103.72.4.166:8443/images/logo_max.png

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://103.72.4.166:8443/images/logo.png

Attributes

access_type
512
beacon_type
2048
host
103.72.4.166,/images/logo.png
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAEAAAAJWWVzQnlwYXNzAAAADwAAAAsAAAANAAAAAgAAABtodHRwczovL3d3dy5iYWlkdS5jb20vcz93ZD0AAAABAAAAHiZpc3NwPTEmdG49YmFpZHVob21lXyZpZT11dGYtOAAAAAYAAAAHUmVmZXJlcgAAAAoAAAAQUHJhZ21hOiBuby1jYWNoZQAAAAoAAAAXQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAAAAAoAAAAQUHJhZ21hOiBuby1jYWNoZQAAAAoAAAAXQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUAAAAHAAAAAAAAAAMAAAAPAAAADQAAAAUAAAAGdGlja2V0AAAABwAAAAEAAAADAAAAAQAAAAhJbWJ5cGFzcwAAAA8AAAANAAAAAwAAAAIAAAAlX19FVkVOVFZBTElEQVRJT049QzJFOUFCJl9fVklFV1NUQVRFPQAAAAEAAAAKJnVzZXI9amFjawAAAAQAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
10000
port_number
8443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYHBQUUh9ez/ut26TEc5mMdd9JANu04+lF5gqDIJCV4uhT+KDwKkIGYCb6MEj4RCw/BKIdq2Imer2/RdSZOjop6khVxVOHRFn4x9crrd9XNMIYbipnacSLhdMMfsO9x1ZAQligc6mld/+SpSB2Z7UwRR9WgF/59HZAVqMtlG459QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.149856768e+09
unknown2
AAAABAAAAAEAAAtfAAAAAgAACL0AAAANAAAAAwAAAAEAAAAKAAAADQAAAAsAAAAIAAAADwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/user/CheckLogin
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36
watermark
305419896

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 2 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	2	Go-http-client/1.1

C:\Users\Admin\AppData\Local\Temp\fd3f386397ab9f626b2888e40a7998c9.exe
"C:\Users\Admin\AppData\Local\Temp\fd3f386397ab9f626b2888e40a7998c9.exe"
1⤵
PID:4092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4092-114-0x000002336F7E0000-0x000002336F7E1000-memory.dmp

Filesize
4KB

Download
memory/4092-115-0x0000023376A10000-0x0000023376E10000-memory.dmp

Filesize
4.0MB

Download
memory/4092-116-0x0000023376E10000-0x0000023376E5C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads