Overview

overview

10

Static

static

4e9580ffb8...dd.ps1

windows7_x64

10

4e9580ffb8...dd.ps1

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4e9580ffb8bab8f70e2a1a6dfd5e29b279ae3ed0eb828aa11cf58d12f0dc6cdd.ps1

  • Size

    6KB

  • Sample

    220125-l1vvfsdeem

  • MD5

    c32ebbb82ca3f2587dc411aa2c17c8cd

  • SHA1

    2b3a67f341f09bc736f0257b8e34a2f350a817bc

  • SHA256

    4e9580ffb8bab8f70e2a1a6dfd5e29b279ae3ed0eb828aa11cf58d12f0dc6cdd

  • SHA512

    84c99f25682cce38fdb14f2d2f126768d387758e766f3731d5146812afa7b8ac0f602ab1db75b7096964cbae8895ccd8f3cef7f802df803d2d273eedbaf459e3

Score
10/10
cobaltstrike426352781backdoorsuricatatrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://208.87.206.140:1443/TVZY

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MDDRJS)

Extracted

Family

cobaltstrike

Botnet

426352781

C2

http://208.87.206.140:1443/IE9CompatViewList.xml

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    208.87.206.140,/IE9CompatViewList.xml

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    1443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCRBsKRFE/mNvtYDYKs30r+2hJYGhV87My0blRS9rU9SOcXg6EaLjgrVv208ZNEeFKuARdAV7SpsrlidYeqPDKbTwpzK1NRjkz6uDh50eAR1xqR/uCQZr6MVUNuLHCHMtnt84d4D7trq1zVEFHz2SphTjFZC/VjGQeqyoKc2uSyZwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)

  • watermark

    426352781

Targets

    • Target

      4e9580ffb8bab8f70e2a1a6dfd5e29b279ae3ed0eb828aa11cf58d12f0dc6cdd.ps1

    • Size

      6KB

    • MD5

      c32ebbb82ca3f2587dc411aa2c17c8cd

    • SHA1

      2b3a67f341f09bc736f0257b8e34a2f350a817bc

    • SHA256

      4e9580ffb8bab8f70e2a1a6dfd5e29b279ae3ed0eb828aa11cf58d12f0dc6cdd

    • SHA512

      84c99f25682cce38fdb14f2d2f126768d387758e766f3731d5146812afa7b8ac0f602ab1db75b7096964cbae8895ccd8f3cef7f802df803d2d273eedbaf459e3

    Score
    10/10
    cobaltstrike426352781backdoorsuricatatrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • suricata: ET MALWARE Cobalt Strike Beacon Observed

      suricata: ET MALWARE Cobalt Strike Beacon Observed

      suricata

    • Blocklisted process makes network request

    behavioral1behavioral2

MITRE ATT&CK Matrix

Tasks