cobaltstrike | 42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f | Triage

Sharing

General

Target

42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f
Size

3.0MB
Sample

220704-kc9s2afffq
MD5

83d7f0fe8d269f04c7665c0b6cbb8ada
SHA1

902921743f59ff19eeb395d2618ef5addeac62fd
SHA256

42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f
SHA512

c51cc2f1779bc9fd659cda5524464098fa19dd86910d7a23b4353d944e5dbe56ba43314ecb9b6352b9614e7f43f76d7b61fe60bf5a5c4889ac264dd8a7f845eb

Score

10^/10

cobaltstrike 0 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://47.111.170.180:8888/load

Attributes

access_type
512
host
47.111.170.180,/load
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
8888
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCepxWkRvKff9aSr8NJNjICKAfOAkCwiFfvggEjm6rsOd85r6J2MO/aflKXRMu6HUJ7YdYYiTR4AqWEq0crzforQfGXDqJ355NO17M/jGAEtdClSmPsH/w3g3OgnEq4mk086l68Kw0uE3i/neDyRh+nRllGEVlzNToWUJqwR2asBQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
watermark
305419896

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Targets

- Target
  
  42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f
- Size
  
  3.0MB
- MD5
  
  83d7f0fe8d269f04c7665c0b6cbb8ada
- SHA1
  
  902921743f59ff19eeb395d2618ef5addeac62fd
- SHA256
  
  42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f
- SHA512
  
  c51cc2f1779bc9fd659cda5524464098fa19dd86910d7a23b4353d944e5dbe56ba43314ecb9b6352b9614e7f43f76d7b61fe60bf5a5c4889ac264dd8a7f845eb
Score

10^/10

cobaltstrike 0 305419896 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

cobaltstrike0305419896backdoortrojan