cobaltstrike | b5827aae668f29b68df6cc4b974c66f787c3a3ac11062ee719a3b1b286ddefbd | Triage

Sharing

General

Target

b5827aae668f29b68df6cc4b974c66f787c3a3ac11062ee719a3b1b286ddefbd
Size

1.7MB
Sample

221020-pq47xsdha3
MD5

0946f27e7ea817515c57de10d31be260
SHA1

265719038b95611c8df9064035533ea35cd0d18c
SHA256

b5827aae668f29b68df6cc4b974c66f787c3a3ac11062ee719a3b1b286ddefbd
SHA512

5bf84b2a704d7bb021c5639aa40f9bc3d093ef251ed0b9d33824560e98efa21188982bdfcea80e45a06587634d0022a77207c2c4a1338daeb1be016d05177bac
SSDEEP

49152:ZNTfjbw1drCTM3HS5LedtQSXyqmx44Vbx4I11ts3DT5BbYiH:L7bwbmTyHS5LedtHbmxzVbx4I11tsTtf

Score

10^/10

cobaltstrike 0 305419896 backdoor trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://114.132.241.103:443/admin/login

Attributes

access_type
512
beacon_type
2048
host
114.132.241.103,/admin/login
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTUlJ7J79z/MkkV8+MsYlOvREE2hhdGNzrKPFZ10lY0K5legA+um5JxESEaC0woDgSmOGrkh1giz/aQwd6tG4mihFgpi0oIbfwu6XZbE6ghYGyu2F7+A5TifRUzvU0YLXjK78EW12XhjHx4KopMF/AtOAueGwfiI2DmXwNzrBDvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.82554112e+09
unknown2
AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/admin/user
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
watermark
305419896

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Targets

- Target
  
  b5827aae668f29b68df6cc4b974c66f787c3a3ac11062ee719a3b1b286ddefbd
- Size
  
  1.7MB
- MD5
  
  0946f27e7ea817515c57de10d31be260
- SHA1
  
  265719038b95611c8df9064035533ea35cd0d18c
- SHA256
  
  b5827aae668f29b68df6cc4b974c66f787c3a3ac11062ee719a3b1b286ddefbd
- SHA512
  
  5bf84b2a704d7bb021c5639aa40f9bc3d093ef251ed0b9d33824560e98efa21188982bdfcea80e45a06587634d0022a77207c2c4a1338daeb1be016d05177bac
- SSDEEP
  
  49152:ZNTfjbw1drCTM3HS5LedtQSXyqmx44Vbx4I11ts3DT5BbYiH:L7bwbmTyHS5LedtHbmxzVbx4I11tsTtf
Score

10^/10

cobaltstrike 0 305419896 backdoor trojan upx
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

cobaltstrike0305419896backdoortrojanupx

behavioral2

cobaltstrike0305419896backdoortrojanupx