cobaltstrike

General

Target

WPS_Detect.vir
Size

434KB
Sample

220428-jn857sffdl
MD5

3758f7c11a4026b5f3f6554e15c6fb0b
SHA1

7b247ad343a164d1362ea58e13bd7d50ef958787
SHA256

6fdb106bdfb07990c28c4eac8e7408435496448b2e2fe46747f4867e2d15bb39
SHA512

86e8f50f2a177a733285f68c26a62afc887f5b0faa936113ed0b47d8d5d09bb61192f4132933d5b96325592b37590c9a3b7e2364124748f628a0c090f5447995

Score

10^/10

cobaltstrike 1 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1

C2

http://service-ma764yyz-1307089681.sh.apigw.tencentcs.com:443/jquery/2.0.1/jquery.min.js

Attributes

access_type
512
beacon_type
2048
host
service-ma764yyz-1307089681.sh.apigw.tencentcs.com,/jquery/2.0.1/jquery.min.js
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCu4hIHAdV+JBCprwUCJrNtICROxNWFLuGu4FXxAvxq+FdsTBU9fQGqwWsxYYaDz5p6FtX8yXvYN8YJfHFZ/NI3Z/hNMrkpRk8glF/whX7gD3TTuD4p6sd5dk0Wg2ncQnFnB1fVRsM/VLWVHvOkBHmVrmRlhp0BQ4gOyVIOTzs+JwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.16770176e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAD64AAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery/2.0.2/jquery.min.js
user_agent
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
watermark
1

Targets

- Target
  
  WPS_Detect.vir
- Size
  
  434KB
- MD5
  
  3758f7c11a4026b5f3f6554e15c6fb0b
- SHA1
  
  7b247ad343a164d1362ea58e13bd7d50ef958787
- SHA256
  
  6fdb106bdfb07990c28c4eac8e7408435496448b2e2fe46747f4867e2d15bb39
- SHA512
  
  86e8f50f2a177a733285f68c26a62afc887f5b0faa936113ed0b47d8d5d09bb61192f4132933d5b96325592b37590c9a3b7e2364124748f628a0c090f5447995
Score

10^/10

cobaltstrike 1 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Suspicious use of NtCreateThreadExHideFromDebugger

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2