General

Target: beacon.exe
Size: 14KB
Sample: 220331-rjdgqshbfm
Score: 10/10
MD5: 2d0e28316e3f60de63654609f3a1b297
SHA1: 99e64215ea6f3027dc1928ac26443953c8f5294d
SHA256: 8c8b4cd6f149a3b9cfaeb11f49d8748233731be028b8e9ad9b3f8d0c3987cfc8
SHA512: 481bd8ff670f2e637d4678e37927e2c76d7dd35a6034ced40b5b62c60d082951740874fc58743002c61d5cebfaec508f983c3dd7cddad8ed711d97e9ae12d713

Malware Config

Two configurations were extracted. The first carries only the download URL and the request headers of the initial HTTP request; the second is the full beacon configuration.

Extracted config 1

Family: cobaltstrike
C2: http://qb.awotj.com:80/pacom003/ST/CSo0w1j8/d/2376/lo2c.htm

Attributes
  user_agent (reported as a single line; it is the complete request header block, split here one header per line):
    Accept: */*
    Connection: Keep-Alive
    Cache-Control: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.177
    Host: qb.awotj.com

Extracted config 2 (the full beacon configuration)

Family: cobaltstrike
Botnet: 1
C2: http://qb.awotj.com:80/pacom003/_layouts/Wopi/01554532-64bc-45ee-9645-512577ae642d

Attributes
  access_type: 512
  host: qb.awotj.com,/pacom003/_layouts/Wopi/01554532-64bc-45ee-9645-512577ae642d
  http_header1 (base64; the client-side transform program for the GET request, trailing zero bytes are padding):
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAOc2Vzc2lvbi10b2tlbj0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
  http_header2 (base64; the client-side transform program for the POST request, trailing zero bytes are padding):
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAXQ29udGVudC1UeXBlOiBpbWFnZS9wbmcAAAAJAAAADW9lPUlTTy04ODU5LTEAAAAHAAAAAAAAAAUAAAACc24AAAAJAAAABnM9MTEyNAAAAAkAAAAmZF9yZWZlcmVyPWh0dHAlM0ElMkYlMkZiYW5rLnBpbmdhbi5jb20AAAAHAAAAAQAAAAMAAAACAAAABIlQTkcAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
  http_method1: GET
  http_method2: POST
  jitter: 7680
  polling_time: 5500
  port_number: 80
  sc_process32: %windir%\syswow64\w32tm.exe (spawnto, 32-bit: the host process beacon spawns for post-exploitation jobs)
  sc_process64: %windir%\sysnative\w32tm.exe (spawnto, 64-bit)
  state_machine (label as reported; the value is a base64 DER SubjectPublicKeyInfo, the beacon's 1024-bit RSA public key, followed by zero padding):
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCRpwp8UKDSrLYmg1T8qsKaBTiSXmGzJsxjfT1zSQAP4VsmBXHqnwIcuUrjaAfl0yFmxYlo2kUpHgGryMxFXKaFfanzRs+TOYzHMW1p5kwzLgwsHY7GPfVUG1mVTpq3WIFkQ6ltcRC79FXrjKSlcQbTMZXNg/aQ3C9F0HAZzpNnBQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  unknown1: 1.515525376e+09
  unknown2:
AAAABAAAAAIAAAAEAAAADQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  uri: /pacom003/person/ithelp/bug/list
  user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.177
  watermark: 1
Targets

Target: beacon.exe (MD5 2d0e28316e3f60de63654609f3a1b297; SHA1, SHA256 and SHA512 as listed under General)
Filesize: 14KB
Score: 10/10
Tags: none

Signatures

  • Cobaltstrike
    Description: Detected malicious payload which is part of Cobaltstrike.

  • suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
    Description: the Emerging Threats rule of that name matched on the download of the x64 stage (the report gives no further description).

  • Blocklisted process makes network request

  • Suspicious use of SetThreadContext (consistent with injection into the spawnto process configured as sc_process32/sc_process64, w32tm.exe, though the report does not name the target process)

Related Tasks

MITRE ATT&CK Matrix: no techniques are mapped in this report; only the empty column headers (Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation) were rendered.

Tasks
  static1: Score N/A
  behavioral1: Score 10/10
  behavioral2: Score 10/10