cobaltstrike | 6b88286b240db5630c98d895fd188d079b4a88790dee601645afab7ae28cc578

General

Target

!.bin.exe
Size

5.2MB
MD5

c1e722db229bd6dd596663f6f08aa654
SHA1

e8f2847b2bc4e1585f47a46161c192caf3978d02
SHA256

6b88286b240db5630c98d895fd188d079b4a88790dee601645afab7ae28cc578
SHA512

b415b68edcc8488f82f1dd9537640b35c22f4321f622cbac59f44fbe22ab36890a3ed13c1bf292c1e417f88ef9d72f79e810cbc114711ed00219304ea341303c

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://101.35.100.211:58888/bEIm

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3412 created 2740 3412 WerFault.exe !.bin.exe
Loads dropped DLL 3 IoCs

Processes:

!.bin.exe

pid process

2740 !.bin.exe
2740 !.bin.exe
2740 !.bin.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3412 2740 WerFault.exe !.bin.exe

description	pid	process	target process
PID 3412 created 2740	3412	WerFault.exe	!.bin.exe

pid	process
2740	!.bin.exe
2740	!.bin.exe
2740	!.bin.exe

pid	pid_target	process	target process
3412	2740	WerFault.exe	!.bin.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
3412	WerFault.exe
3412	WerFault.exe
3412	WerFault.exe
3412	WerFault.exe
3412	WerFault.exe
3412	WerFault.exe
3412	WerFault.exe
3412	WerFault.exe
3412	WerFault.exe
3412	WerFault.exe
3412	WerFault.exe
3412	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 3412 WerFault.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

!.bin.exe

description pid process target process

PID 2636 wrote to memory of 2740 2636 !.bin.exe !.bin.exe
PID 2636 wrote to memory of 2740 2636 !.bin.exe !.bin.exe

description	pid	process
Token: SeDebugPrivilege	3412	WerFault.exe

description	pid	process	target process
PID 2636 wrote to memory of 2740	2636	!.bin.exe	!.bin.exe
PID 2636 wrote to memory of 2740	2636	!.bin.exe	!.bin.exe

C:\Users\Admin\AppData\Local\Temp\!.bin.exe
"C:\Users\Admin\AppData\Local\Temp\!.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Local\Temp\!.bin.exe
"C:\Users\Admin\AppData\Local\Temp\!.bin.exe"
2⤵
- Loads dropped DLL
PID:2740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2740 -s 1032
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI26362\MSVCR90.dll
MD5
552cf56353af11ce8e0d10ee12fdcd85

SHA1
6ab062b709f851a9576685fe0410ff9f1a4af670

SHA256
e88299ea1a140ff758163dfff179fff3bc5e90e7cfbbd178d0c886dbad184012

SHA512
122f389e7047b728b27f3c964d34b9c8bcae7c36177122e6aa997a6edadad20b14552879f60667a084d34727cb2c85dd5534b6fa7a451f0ab33555b315335457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26362\UUID_loader1.exe.manifest
MD5
5dd7dcf8cf647908b20a69a2f1a9fe15

SHA1
818308c2d53cfd95b4882909e13643852550afca

SHA256
30e4ba7862154d9917f8bfb40c0b752eb74e1b62e2d5b78f21fca794f50987ca

SHA512
674f064bae910f70283f5ce3c9b8a8579cbefc690dbde5aa7636991b36563eae5cdbea572501a866dc29a5082d2d59d3b4b96f6bd0e70a7a530e1fa674702a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26362\_ctypes.pyd
MD5
28e5d05ab42adb1e7ada35f1eef1b32b

SHA1
0792867716c8a933305455a2c7f39d30807dad65

SHA256
a93e3bfe62afa5062c6257a7f347d715af346ac3aec7999b8d86a9f2580ec176

SHA512
0cb08ec46068e20a2df3fc0e69bceba5b8a807aeb580002e846d9272fea7a6ee24b8f2c571571677b61dd8c58eb998c26a656193798de5075c6943f6d701c569

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26362\python27.dll
MD5
4fc438493188550ea7dfb0cc153b4983

SHA1
2e7e79cee5ca14a584c49d7222cecd4a53beac41

SHA256
2ae1f70a99a8f760d3883258f0f69ae759b48270b07036e41b1e887add0c3cfc

SHA512
5f91ddf65fa94129c2e483400327d564a8ce3e3b9dea3a5294fdb6bbd5ee599f89003da8922d1f3904dbab7bd0d4b23fc355f1854e6b34a7f012c1065e88053e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI26362\_ctypes.pyd
MD5
28e5d05ab42adb1e7ada35f1eef1b32b

SHA1
0792867716c8a933305455a2c7f39d30807dad65

SHA256
a93e3bfe62afa5062c6257a7f347d715af346ac3aec7999b8d86a9f2580ec176

SHA512
0cb08ec46068e20a2df3fc0e69bceba5b8a807aeb580002e846d9272fea7a6ee24b8f2c571571677b61dd8c58eb998c26a656193798de5075c6943f6d701c569

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI26362\msvcr90.dll
MD5
552cf56353af11ce8e0d10ee12fdcd85

SHA1
6ab062b709f851a9576685fe0410ff9f1a4af670

SHA256
e88299ea1a140ff758163dfff179fff3bc5e90e7cfbbd178d0c886dbad184012

SHA512
122f389e7047b728b27f3c964d34b9c8bcae7c36177122e6aa997a6edadad20b14552879f60667a084d34727cb2c85dd5534b6fa7a451f0ab33555b315335457

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI26362\python27.dll
MD5
4fc438493188550ea7dfb0cc153b4983

SHA1
2e7e79cee5ca14a584c49d7222cecd4a53beac41

SHA256
2ae1f70a99a8f760d3883258f0f69ae759b48270b07036e41b1e887add0c3cfc

SHA512
5f91ddf65fa94129c2e483400327d564a8ce3e3b9dea3a5294fdb6bbd5ee599f89003da8922d1f3904dbab7bd0d4b23fc355f1854e6b34a7f012c1065e88053e

Download Submit
memory/2740-115-0x0000000000000000-mapping.dmp

Download
memory/2740-123-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads