cobaltstrike | 903dbd72c1732e86c04836468cca542a83a118b17a1767b02c2137059210df84

Analysis

Target

903dbd72c1732e86c04836468cca542a83a118b17a1767b02c2137059210df84.exe
Size

15KB
MD5

c41a4cb7f0043990da075f222ecbc33d
SHA1

580d88e2e503322c259c93dcbd2052e5c8cae0d7
SHA256

903dbd72c1732e86c04836468cca542a83a118b17a1767b02c2137059210df84
SHA512

ee6202b44c34961dc3f14e00a4bd94fcbd36268852786440cdd530f32be40c3937a601751f580592fca8cf9ffe4ddb3ec928df5e3d53e7435d24c6ad643186aa

Score

10^/10

Family

cobaltstrike

http://192.168.0.102:8080/p2uF

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;PTBR)

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of SetThreadContext 1 IoCs

Processes:

903dbd72c1732e86c04836468cca542a83a118b17a1767b02c2137059210df84.exe

description	pid	process	target process
PID 2024 set thread context of 1440	2024	903dbd72c1732e86c04836468cca542a83a118b17a1767b02c2137059210df84.exe	conhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

903dbd72c1732e86c04836468cca542a83a118b17a1767b02c2137059210df84.exe

description	pid	process	target process
PID 2024 wrote to memory of 1440	2024	903dbd72c1732e86c04836468cca542a83a118b17a1767b02c2137059210df84.exe	conhost.exe
PID 2024 wrote to memory of 1440	2024	903dbd72c1732e86c04836468cca542a83a118b17a1767b02c2137059210df84.exe	conhost.exe
PID 2024 wrote to memory of 1440	2024	903dbd72c1732e86c04836468cca542a83a118b17a1767b02c2137059210df84.exe	conhost.exe
PID 2024 wrote to memory of 1440	2024	903dbd72c1732e86c04836468cca542a83a118b17a1767b02c2137059210df84.exe	conhost.exe

memory/1440-55-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1440-56-0x0000000000000000-mapping.dmp

Download
memory/1440-57-0x000007FEFC061000-0x000007FEFC063000-memory.dmp

Filesize
8KB

Download
memory/2024-54-0x000000013FD50000-0x000000013FD58000-memory.dmp

Filesize
32KB

Download