cobaltstrike | ae31ab2f96f9b35857a88e8e8c44822d54d9ee0211e46d57a3c0794aa3546d01 | Triage

Sharing

General

Target

ae31ab2f96f9b35857a88e8e8c44822d54d9ee0211e46d57a3c0794aa3546d01
Size

1.5MB
Sample

220420-tmvljaghg2
MD5

9b16f5b48c3cb39f41052d557b86803b
SHA1

a5c125c2783d19af707a3b848d461f01c9cc65d4
SHA256

ae31ab2f96f9b35857a88e8e8c44822d54d9ee0211e46d57a3c0794aa3546d01
SHA512

4af99dd69d3e2ec3dc49155994a3fd00ee6305656aa21baedce51c6dc3cec110a99e2f05a56613d03d9a495b15f97eb893a18c7bc210db04932e963821ce2d55

Score

10^/10

cobaltstrike 1873433027 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1873433027

C2

http://39.97.118.130:6666/match

Attributes

access_type
512
host
39.97.118.130,/match
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
6666
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBiQE/xOBcg+FAwn8rcVU1ghqb2ESpQIHnTFYhQhs22ivyoBEwsNs7pdUwf9remGc4wmg/DzAp7E6MA/h+Zhu/bNK1QvpoMrxmaYWC7Anfp5Z5XjmGeP+5++/Dx58X9ttvM2hN+GdWoVd7p/GFP3mf4zVW2/TT99/mpO6bcRtPoQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; LBBROWSER)
watermark
1873433027

Targets

- Target
  
  ae31ab2f96f9b35857a88e8e8c44822d54d9ee0211e46d57a3c0794aa3546d01
- Size
  
  1.5MB
- MD5
  
  9b16f5b48c3cb39f41052d557b86803b
- SHA1
  
  a5c125c2783d19af707a3b848d461f01c9cc65d4
- SHA256
  
  ae31ab2f96f9b35857a88e8e8c44822d54d9ee0211e46d57a3c0794aa3546d01
- SHA512
  
  4af99dd69d3e2ec3dc49155994a3fd00ee6305656aa21baedce51c6dc3cec110a99e2f05a56613d03d9a495b15f97eb893a18c7bc210db04932e963821ce2d55
Score

10^/10

cobaltstrike 1873433027 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

cobaltstrike1873433027backdoortrojan

behavioral2

cobaltstrike1873433027backdoortrojan