Overview

overview

10

Static

static

1d54d3f24a...63.exe

windows7_x64

10

1d54d3f24a...63.exe

windows10-2004_x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1d54d3f24ab1b519686ca128d7e62743d69dfc369673fe2f97d54652a18cca63

  • Size

    4.4MB

  • Sample

    220708-fh43hsacaq

  • MD5

    1b30ffe5cef13b9f305e354b68c79033

  • SHA1

    5ffeaee80149b31a61b19f4d73e4803c7f600f1a

  • SHA256

    1d54d3f24ab1b519686ca128d7e62743d69dfc369673fe2f97d54652a18cca63

  • SHA512

    7bd7fa27fb508c6ed613458900432793d58b8aaa6d8655de819d652ddcaf763039676d44b7b024f8d235edb1ad1cbde6ed493114f0af5541a72583332d9d843b

Score
10/10
cobaltstrike123456789backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://service-0rucgxnl-1307188804.sh.apigw.tencentcs.com:443/icon.ico

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

Extracted

Family

cobaltstrike

Botnet

123456789

C2

http://service-0rucgxnl-1307188804.sh.apigw.tencentcs.com:443/search

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    service-0rucgxnl-1307188804.sh.apigw.tencentcs.com,/search

  • http_header1

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAA4Q29va2llOiBEVVA9UT1HcE8xbkpwTW5hbTRVbGxFZm1lTWRnMiZUPTI4Mzc2NzA4OCZBPTEmSUcAAAAKAAAAJlJlZmVyZXI6IGh0dHBzOi8vd3d3LmNsb3VkLnRlbmNlbnQuY29tAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAA4Q29va2llOiBEVVA9UT1HcE8xbkpwTW5hbTRVbGxFZm1lTWRnMiZUPTI4Mzc2NzA4OCZBPTEmSUcAAAAHAAAAAAAAAAMAAAACAAAACUpTRVNTSU9OPQAAAAYAAAAGQ29va2llAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    2560

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCL5paOYS4Ch1fPxUdk++MXZjFcM7wZwYlNISngRRx0nzl6odYr1pwKR6WAmtf/nWNps+lMhviFYU76dlCjUSHGk6vwoR6YuaS9D93tuFZyzco4ZX6jzlWrKLN9Gl/uC0/9tu6h1DtZ8xBeH0UBeP8+KgzTvXRgdYQq0l0/UaWD1QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.82554112e+09

  • unknown2

    AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /switch

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

  • watermark

    123456789

Targets

    • Target

      1d54d3f24ab1b519686ca128d7e62743d69dfc369673fe2f97d54652a18cca63

    • Size

      4.4MB

    • MD5

      1b30ffe5cef13b9f305e354b68c79033

    • SHA1

      5ffeaee80149b31a61b19f4d73e4803c7f600f1a

    • SHA256

      1d54d3f24ab1b519686ca128d7e62743d69dfc369673fe2f97d54652a18cca63

    • SHA512

      7bd7fa27fb508c6ed613458900432793d58b8aaa6d8655de819d652ddcaf763039676d44b7b024f8d235edb1ad1cbde6ed493114f0af5541a72583332d9d843b

    Score
    10/10
    cobaltstrike123456789backdoortrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks