cobaltstrike

General

Target

bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee
Size

832KB
Sample

220705-mhma2aabe2
MD5

8f978a1a3775eee75434257415c5018d
SHA1

d632e4dd9212f8b021e52980f8e4d8d8ab2e255a
SHA256

bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee
SHA512

0bb2a735dbe379f285ecfcc9d3e415e06db805bf529920654ee94a84a15e73f47b76392dfe3eeebba9b2f743e81296f905d528fc5a9f445dc7ef30797ddb259a

Score

10^/10

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://124.223.216.170:9443/URjK

Targets

- Target
  
  bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee
- Size
  
  832KB
- MD5
  
  8f978a1a3775eee75434257415c5018d
- SHA1
  
  d632e4dd9212f8b021e52980f8e4d8d8ab2e255a
- SHA256
  
  bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee
- SHA512
  
  0bb2a735dbe379f285ecfcc9d3e415e06db805bf529920654ee94a84a15e73f47b76392dfe3eeebba9b2f743e81296f905d528fc5a9f445dc7ef30797ddb259a
Score

10^/10

cobaltstrike metasploit backdoor suricata trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- suricata: ET MALWARE Cobalt Strike Beacon Observed
  suricata: ET MALWARE Cobalt Strike Beacon Observed
  suricata
- suricata: ET MALWARE Generic .bin download from Dotted Quad
  suricata: ET MALWARE Generic .bin download from Dotted Quad
  suricata
- suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
  suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
  suricata
- suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)
  suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)
  suricata
- suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x32)
  suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x32)
  suricata
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

MetaSploit

suricata: ET MALWARE Cobalt Strike Beacon Observed

suricata: ET MALWARE Generic .bin download from Dotted Quad

suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert

suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)

suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x32)

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2