cobaltstrike | 8c8b4cd6f149a3b9cfaeb11f49d8748233731be028b8e9ad9b3f8d0c3987cfc8

General

Target

beacon.exe
Size

14KB
MD5

2d0e28316e3f60de63654609f3a1b297
SHA1

99e64215ea6f3027dc1928ac26443953c8f5294d
SHA256

8c8b4cd6f149a3b9cfaeb11f49d8748233731be028b8e9ad9b3f8d0c3987cfc8
SHA512

481bd8ff670f2e637d4678e37927e2c76d7dd35a6034ced40b5b62c60d082951740874fc58743002c61d5cebfaec508f983c3dd7cddad8ed711d97e9ae12d713

Score

10^/10

cobaltstrike 1 backdoor suricata trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://qb.awotj.com:80/pacom003/ST/CSo0w1j8/d/2376/lo2c.htm

Attributes

user_agent
Accept: */* Connection: Keep-Alive Cache-Control: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.177 Host: qb.awotj.com

Extracted

Family

cobaltstrike

Botnet

1

C2

http://qb.awotj.com:80/pacom003/_layouts/Wopi/01554532-64bc-45ee-9645-512577ae642d

Attributes

access_type
512
host
qb.awotj.com,/pacom003/_layouts/Wopi/01554532-64bc-45ee-9645-512577ae642d
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAOc2Vzc2lvbi10b2tlbj0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAXQ29udGVudC1UeXBlOiBpbWFnZS9wbmcAAAAJAAAADW9lPUlTTy04ODU5LTEAAAAHAAAAAAAAAAUAAAACc24AAAAJAAAABnM9MTEyNAAAAAkAAAAmZF9yZWZlcmVyPWh0dHAlM0ElMkYlMkZiYW5rLnBpbmdhbi5jb20AAAAHAAAAAQAAAAMAAAACAAAABIlQTkcAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
7680
polling_time
5500
port_number
80
sc_process32
%windir%\syswow64\w32tm.exe
sc_process64
%windir%\sysnative\w32tm.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCRpwp8UKDSrLYmg1T8qsKaBTiSXmGzJsxjfT1zSQAP4VsmBXHqnwIcuUrjaAfl0yFmxYlo2kUpHgGryMxFXKaFfanzRs+TOYzHMW1p5kwzLgwsHY7GPfVUG1mVTpq3WIFkQ6ltcRC79FXrjKSlcQbTMZXNg/aQ3C9F0HAZzpNnBQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.515525376e+09
unknown2
AAAABAAAAAIAAAAEAAAADQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/pacom003/person/ithelp/bug/list
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.177
watermark
1

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

5 1476 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1476 set thread context of 700 1476 rundll32.exe w32tm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

840 700 WerFault.exe w32tm.exe

flow	pid	process
5	1476	rundll32.exe

description	pid	process	target process
PID 1476 set thread context of 700	1476	rundll32.exe	w32tm.exe

pid	pid_target	process	target process
840	700	WerFault.exe	w32tm.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

beacon.exerundll32.exew32tm.exe

description	pid	process	target process
PID 1604 wrote to memory of 1476	1604	beacon.exe	rundll32.exe
PID 1604 wrote to memory of 1476	1604	beacon.exe	rundll32.exe
PID 1604 wrote to memory of 1476	1604	beacon.exe	rundll32.exe
PID 1604 wrote to memory of 1476	1604	beacon.exe	rundll32.exe
PID 1476 wrote to memory of 700	1476	rundll32.exe	w32tm.exe
PID 1476 wrote to memory of 700	1476	rundll32.exe	w32tm.exe
PID 1476 wrote to memory of 700	1476	rundll32.exe	w32tm.exe
PID 1476 wrote to memory of 700	1476	rundll32.exe	w32tm.exe
PID 700 wrote to memory of 840	700	w32tm.exe	WerFault.exe
PID 700 wrote to memory of 840	700	w32tm.exe	WerFault.exe
PID 700 wrote to memory of 840	700	w32tm.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\beacon.exe
"C:\Users\Admin\AppData\Local\Temp\beacon.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\system32\w32tm.exe
C:\Windows\system32\w32tm.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 700 -s 140
4⤵
- Program crash
PID:840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/700-64-0x00000000000E0000-0x0000000000111000-memory.dmp

Filesize
196KB

Download
memory/700-67-0x00000000000E0000-mapping.dmp

Download
memory/700-66-0x00000000000E0000-0x0000000000111000-memory.dmp

Filesize
196KB

Download
memory/840-68-0x0000000000000000-mapping.dmp

Download
memory/1476-61-0x0000000001CC0000-0x0000000001D0E000-memory.dmp

Filesize
312KB

Download
memory/1476-60-0x0000000001CC0000-0x0000000001D0E000-memory.dmp

Filesize
312KB

Download
memory/1476-62-0x0000000002BA0000-0x0000000002FA0000-memory.dmp

Filesize
4.0MB

Download
memory/1476-63-0x0000000002190000-0x00000000021A9000-memory.dmp

Filesize
100KB

Download
memory/1476-59-0x000007FEFBF51000-0x000007FEFBF53000-memory.dmp

Filesize
8KB

Download
memory/1476-57-0x0000000000000000-mapping.dmp

Download
memory/1476-55-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1476-69-0x00000000020F0000-0x0000000002105000-memory.dmp

Filesize
84KB

Download
memory/1604-54-0x000000013F600000-0x000000013F608000-memory.dmp

Filesize
32KB

Download
memory/1604-58-0x00000000023C0000-0x00000000023C2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads