cobaltstrike

General

Target

4ee1208e8bd7b6500241d6814c6f2700712ebe790cb428099e40150c9df8bae0
Size

671KB
Sample

220923-dgmqqsggfm
MD5

e2dbfc3fcba290fbf627f7fdb9f9af11
SHA1

7fede9b51e68652f904f5a968779c9dbdd9df751
SHA256

4ee1208e8bd7b6500241d6814c6f2700712ebe790cb428099e40150c9df8bae0
SHA512

4c52b75b3c91118f0b870961b9a12125879d29d4c04400eebb3270aac7ac9ce2b8b43079eb6ef15d09ce2e59c61ff8e74f349ed1ebc20bc27ad2893e8059272b
SSDEEP

12288:eBFejy0yoPjfvTXFTYgsfL4eWX0jE/qjifBkBFejy0yoPjfvTXFTYgsfL4eWX0jX:811odReWXR/WUBC11odReWXR/WUBs

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

666666

C2

http://open.th1sworld.ga:443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
open.th1sworld.ga,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAXSG9zdDogb3Blbi50aDFzd29ybGQuZ2EAAAAKAAAAI1JlZmVyZXI6IGh0dHBzOi8vb3Blbi50aDFzd29ybGQuZ2EvAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAAMAAAACAAAACV9fY2ZkdWlkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAXSG9zdDogb3Blbi50aDFzd29ybGQuZ2EAAAAKAAAAI1JlZmVyZXI6IGh0dHBzOi8vb3Blbi50aDFzd29ybGQuZ2EvAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAAMAAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyuDnaczPLBZEHfKiN3TGpwWK1FHrBVAsFbLKMYJW87Gbp7TFql1RiVaSCwSwW74QgvPgjj21ILLmuFv0iba4cf1Fb9XS8nWThYCtJZSha1I/BE8bXZ2BtCIk3YKb8pkNR3MAbKX45HCmccM9vyBeZfWEc8E4CMTINHyPJevtSFwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.184478976e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
666666

Targets

- Target
  
  服务器架构及规划说明.com
- Size
  
  725KB
- MD5
  
  ff21732afcff0761880966cb73498f37
- SHA1
  
  1dabd85046019672c83aa27e962a8e723460f67a
- SHA256
  
  ed8b2627ba8a708b78f5dc8da4fe73aecc030482cbbbe73cb8e89e36475be70e
- SHA512
  
  6e343f1950b0a19ae08efcd1d0711d01615e9874f262a845ec6e47a5323a6b75c7ad99e770bf3fd7a2773096a540e8ec842c63703dba8c25f422bfd8178baf5b
- SSDEEP
  
  12288:WXsy4wauAlLKUj6jTo+s7AMC1WBvEG6rgc39okWh+XCEz/ZkiWVN62l78LZ6pwKd:EayCFYh+FjDc8dFEUlVZ
Score

10^/10

cobaltstrike 666666 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  服务器采购配置单列表.com
- Size
  
  725KB
- MD5
  
  ff21732afcff0761880966cb73498f37
- SHA1
  
  1dabd85046019672c83aa27e962a8e723460f67a
- SHA256
  
  ed8b2627ba8a708b78f5dc8da4fe73aecc030482cbbbe73cb8e89e36475be70e
- SHA512
  
  6e343f1950b0a19ae08efcd1d0711d01615e9874f262a845ec6e47a5323a6b75c7ad99e770bf3fd7a2773096a540e8ec842c63703dba8c25f422bfd8178baf5b
- SSDEEP
  
  12288:WXsy4wauAlLKUj6jTo+s7AMC1WBvEG6rgc39okWh+XCEz/ZkiWVN62l78LZ6pwKd:EayCFYh+FjDc8dFEUlVZ
Score

10^/10

cobaltstrike 666666 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Suspicious use of NtCreateUserProcessOtherParentProcess

Drops file in System32 directory

Suspicious use of SetThreadContext

Cobaltstrike

Suspicious use of NtCreateUserProcessOtherParentProcess

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4