cobaltstrike | f4ac75a045acee2cadbe9fa0e02bfd4ab4124018e00193930966b8141351115f | Triage

Sharing

General

Target

f4ac75a045acee2cadbe9fa0e02bfd4ab4124018e00193930966b8141351115f
Size

4.0MB
Sample

220113-lwhz4ahccl
MD5

7669f00b467e2990be182584b341c0e8
SHA1

2eaa91f38461d708ee6e94ec2f738f3cdfb229b7
SHA256

f4ac75a045acee2cadbe9fa0e02bfd4ab4124018e00193930966b8141351115f
SHA512

46f70fe999b4461dd6b3cec4bc10ba6389f7f9c3aa685acf0830bd3c8c66d6474b77f2487496455e52b36905c39fc648b28bb72dd9e782a7d77d5b9cd33da560

Score

10^/10

cobaltstrike 0 666 backdoor evasion themida trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

666

C2

http://cofeeloveers.com:443/image/

Attributes

access_type
512
beacon_type
2048
dns_idle
6.7373064e+07
dns_sleep
8.1297408e+08
host
cofeeloveers.com,/image/
http_header1
AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAAFJBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL3dlYnAsKi8qO3E9MC44AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAADQAAAAEAAAALL2tpdHRlbi5naWYAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAAc3siaW1hZ2VfdXJsIiA6ICJodHRwczovL3N1bjktMjMudXNlcmFwaS5jb20vRzRKdmRaREVmTGRJUGxOTjEtSmtNR1EydW5mMktFSVY1NE9tNWcvYWJKNzBqR0hmVmsuanBnIiwgIm1ldGFkYXRhIiA6ICIAAAABAAAAAiJ9AAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
jitter
5120
maxdns
235
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\dfrgui.exe
sc_process64
%windir%\sysnative\dfrgui.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+r+/ykAr2nRnQhGrS75YAUEbQAmNGkJlaJe92kB/VjTIauKLqrs3M0F5alC13I5xp4joeb0Xvewl/f2Hh9+IL5XHSODfjnbnsVyeX2pe2Z2tBJ9eq/NRNNsdPXkmPKhnkL95Uslczv8YVeu/uapbGAmuLctlo+M78SHN9SGHeAwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.2384e+09
unknown2
AAAABAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/temp/
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
watermark
666

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Targets

- Target
  
  f4ac75a045acee2cadbe9fa0e02bfd4ab4124018e00193930966b8141351115f
- Size
  
  4.0MB
- MD5
  
  7669f00b467e2990be182584b341c0e8
- SHA1
  
  2eaa91f38461d708ee6e94ec2f738f3cdfb229b7
- SHA256
  
  f4ac75a045acee2cadbe9fa0e02bfd4ab4124018e00193930966b8141351115f
- SHA512
  
  46f70fe999b4461dd6b3cec4bc10ba6389f7f9c3aa685acf0830bd3c8c66d6474b77f2487496455e52b36905c39fc648b28bb72dd9e782a7d77d5b9cd33da560
Score

10^/10

cobaltstrike 0 666 backdoor evasion trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

cobaltstrike0666backdoorevasiontrojan

behavioral2

cobaltstrike0666backdoorevasiontrojan