cobaltstrike

General

Target

2021-09-13-decoded-script-from-23.106.123.219-adsgfsdfdfghdf.txt
Size

273KB
Sample

210913-z6dp1sheaj
MD5

3963abbca3932a7d1e2b77cef1f6d57e
SHA1

803bc9645482b0900168693194ee22a6c4195c82
SHA256

2234da3184d660707007c5d8db49d3a5a8af51e4b346606a4845d87decf330e3
SHA512

2ab3c10c02e56ae0e1828ba8e8ad615955e995aa5a8598e6e6ef9b7c9405d70d4c473c6e9fb790c15c1f664f48cf744dd647fa6c44c9888789529a224d07aa95

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

1359593325

C2

http://23.106.123.219:80/btn_bg.html

Attributes

access_type
512
host
23.106.123.219,/btn_bg.html
http_header1
AAAAEAAAAB5Ib3N0OiBtaWNyYXNvZnRlZGdldXBkYXRlci5jb20AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAACgAAABJBY2NlcHQ6IGltYWdlL2pwZWcAAAAHAAAAAAAAAAgAAAADAAAAAgAAAAVIU0lEPQAAAAYAAAAGQ29va2llAAAACQAAAAxjb250YWN0PXRydWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAAB5Ib3N0OiBtaWNyYXNvZnRlZGdldXBkYXRlci5jb20AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAACgAAACVBY2NlcHQtTGFuZ3VhZ2U6IGVuLUdCO3E9MC45LCAqO3E9MC43AAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAAAAAcAAAABAAAACwAAAAMAAAACAAAACHJlcGxhY2U9AAAABAAAAAcAAAAAAAAAAwAAAAIAAAAOX19zZXNzaW9uX19pZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9984
polling_time
60996
port_number
80
sc_process32
%windir%\syswow64\runonce.exe
sc_process64
%windir%\sysnative\runonce.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJvC2CQYaIouT41kXKVNrM5lLvclGJRE+i3ves+vC0AADUWTPs64Dn/B4eKlQKPpbC/8IgJjadD/B9pZiY8XUlk4dvaagLdjBCq7uSxS+KhVVsX46LBSBgIxaE4AeoZvwBD2n0wdeeI2sbkMvDhhv5s6Nmz12sAtOVGdr8cX3s5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
6.1158912e+08
unknown2
AAAABAAAAAIAAAJYAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/us
user_agent
Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0
watermark
1359593325

Targets

- Target
  
  2021-09-13-decoded-script-from-23.106.123.219-adsgfsdfdfghdf.txt
- Size
  
  273KB
- MD5
  
  3963abbca3932a7d1e2b77cef1f6d57e
- SHA1
  
  803bc9645482b0900168693194ee22a6c4195c82
- SHA256
  
  2234da3184d660707007c5d8db49d3a5a8af51e4b346606a4845d87decf330e3
- SHA512
  
  2ab3c10c02e56ae0e1828ba8e8ad615955e995aa5a8598e6e6ef9b7c9405d70d4c473c6e9fb790c15c1f664f48cf744dd647fa6c44c9888789529a224d07aa95
Score

10^/10

cobaltstrike backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Blocklisted process makes network request
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Blocklisted process makes network request

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2