cobaltstrike | f01f5fb0137d71bbaa7e2762e6e92d9b8fdb56d16b60c332b7e0a897c6205f31 | Triage

Sharing

General

Target

20220124svchost.zip
Size

4.2MB
Sample

220125-k2p5xscfek
MD5

73e10501b54e3ed8024f4882ef5f3cff
SHA1

08372e11394b25eedbb84f3cc3fd915d0be5ad14
SHA256

f01f5fb0137d71bbaa7e2762e6e92d9b8fdb56d16b60c332b7e0a897c6205f31
SHA512

781c39a32409261bdcefebc50b18f7c52549751835839216cb2e03727a6bc05ca4cfcd34e4dfa58f1dbbf2b08025092d244b4ca81bb2a6e30c38b051ef66e52f

Score

10^/10

cobaltstrike 999999 backdoor trojan upx

Malware Config

Extracted

Family

cobaltstrike

C2

http://dash.139pro.com:8880/w/static/js/app.clf44eeb.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: dash.139pro.com Referer: http://www.bing.com/ Accept-Encoding: deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0

Extracted

Family

cobaltstrike

Botnet

999999

C2

http://dash.139pro.com:8880/w/static/js/chunk-vendors.811798f9.js

Attributes

access_type
512
host
dash.139pro.com,/w/static/js/chunk-vendors.811798f9.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogZGFzaC4xMzlwcm8uY29tAAAACgAAAB1SZWZlcmVyOiBodHRwOi8vd3d3LmJpbmcuY29tLwAAAAoAAAAYQWNjZXB0LUVuY29kaW5nOiBkZWZsYXRlAAAABwAAAAAAAAANAAAAAgAAABJzZW5zb3JzX3N0YXlfdGltZT0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogZGFzaC4xMzlwcm8uY29tAAAACgAAAB1SZWZlcmVyOiBodHRwOi8vd3d3LmJpbmcuY29tLwAAAAoAAAAYQWNjZXB0LUVuY29kaW5nOiBkZWZsYXRlAAAABwAAAAAAAAAPAAAADQAAAAUAAAARc2Vuc29yc19zdGF5X3RpbWUAAAAHAAAAAQAAAA8AAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
1000
port_number
8880
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCsaux/wtu42BOnD2ggcEwMY95Evz5CW0fQx0ahyfR8HW/DflLHIQ4ewNdq3O0uHj71HDIrT6ChacHhvuDqvs1UD5IxDN8Auubbj3cWEkYrA6iS2wBL6O5uSwelCcOa0+ckWFDTP9ISLCyE5U+hBAj32r4+41KjlyyKZTCfYcog5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.633293568e+09
unknown2
AAAABAAAAAEAAAIlAAAAAgAAAFQAAAACAAACjQAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/w/static/js/chunk-vendors.8l1798f9.js
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
watermark
999999

Targets

- Target
  
  20220124svchost/dllhost.exe
- Size
  
  18KB
- MD5
  
  9361355721f51e3a25df53702d10e9de
- SHA1
  
  635d234b72f097105153a8d24080826e404f9273
- SHA256
  
  1128499ac255bb11f25cd617f766b15f65f9eab1e0a531200c3878e80c96e41e
- SHA512
  
  a73f73d07d8333eff54aef32e12709511b12afb5012affaa00e7276e6a3284ecaba4a27c90a619fbf92478d5080e5d05ea0007597d0204fddf4b9554ef5004c5
Score

1^/10
behavioral1 behavioral2
- Target
  
  20220124svchost/host.exe
- Size
  
  7KB
- MD5
  
  4b7b09158efe990aeae84bffd3495a06
- SHA1
  
  4d5a9a49b22815f344c90e04d8f3536bea29d501
- SHA256
  
  ef9fe61878d9d6ef602dedf8bad61927b8a754886c4923119572117141a87227
- SHA512
  
  90c9bd74c843bcfa0749509ffe0a647ed93318734bed8e68379037ffe84c4200854fd42bd726c8e214f15e1094abcb6cb818c14562bc717a15bcba08a0714d84
Score

10^/10

cobaltstrike 999999 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral3 behavioral4
- Target
  
  20220124svchost/svchost.exe
- Size
  
  4.3MB
- MD5
  
  0f13dd7af36816e7af4cfc1d478313f6
- SHA1
  
  c7a80ace11e6ed13c9e7d2362ff0a3a21d11400d
- SHA256
  
  a7b3052896fde162f15e38f0df0dd1535bc75a9b98d907ee9b4b8ed32c759df0
- SHA512
  
  219ec2cc2fab0456755750eea73d9a1e426925fd89c6da6c185c6dabbce28668506f73cef40733152faffc14f25686cd5042610ad79dd0a15b40bb19973b4231
Score

1^/10
behavioral5 behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

cobaltstrike999999backdoortrojan

behavioral4

cobaltstrike999999backdoortrojan

behavioral5

behavioral6