cobaltstrike | d9c3a30a42fc9eab94ea73eb3844ad91ca5c6e40d72edce617ee166aea42e801 | Triage

Resubmissions

28-10-2022 08:50

221028-krtelafbb7 10

28-10-2022 07:51

221028-jps6dafdal 10

Sharing

General

Target

d9c3a30a42fc9eab94ea73eb3844ad91ca5c6e40d72edce617ee166aea42e801
Size

2.0MB
Sample

221028-jps6dafdal
MD5

102e12d4665f8de8d304114a6afc401a
SHA1

8fdb5d6bd8945002503ad1e0a78c3e33ec285d22
SHA256

d9c3a30a42fc9eab94ea73eb3844ad91ca5c6e40d72edce617ee166aea42e801
SHA512

2164eaf073d4de3fcc2ee594d6355fe1e5a557f2238ea3333d34cfb4c124dbe5cbaf8f5e31a4a6af0813029d07c669c1e025096d3588fa7306a57b96a662cbee
SSDEEP

49152:Luh6Xq6YHFzD+u8sEOTYP4+QUdec1Ij0ev0+On/v9C0umTk/oQXtw1lxk4:zXmHhR1EOcP4+Qtc1Ij0evxOn/v9C0Dr

Score

10^/10

cobaltstrike 0 305419896 backdoor trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://42.192.134.128:80/admin/login

Attributes

access_type
512
host
42.192.134.128,/admin/login
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
5000
port_number
80
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCIf+L6CRq3zedgU1uZz4WOlB5l3w5EVVWHZ6p1yS6ZMJbWzyRDP004C9SyOdlHOEanHAbFHM4En1P/hLVjfGgf0CcN3Us546Z6dXynqT3lqxDm+X0Svfu1fb1Dj2UqQofIOV61p5nbh9HTzbsyOq0f6BeQWZkdQjYV+pbtOecc3wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.82554112e+09
unknown2
AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/admin/user
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
watermark
305419896

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Targets

- Target
  
  d9c3a30a42fc9eab94ea73eb3844ad91ca5c6e40d72edce617ee166aea42e801
- Size
  
  2.0MB
- MD5
  
  102e12d4665f8de8d304114a6afc401a
- SHA1
  
  8fdb5d6bd8945002503ad1e0a78c3e33ec285d22
- SHA256
  
  d9c3a30a42fc9eab94ea73eb3844ad91ca5c6e40d72edce617ee166aea42e801
- SHA512
  
  2164eaf073d4de3fcc2ee594d6355fe1e5a557f2238ea3333d34cfb4c124dbe5cbaf8f5e31a4a6af0813029d07c669c1e025096d3588fa7306a57b96a662cbee
- SSDEEP
  
  49152:Luh6Xq6YHFzD+u8sEOTYP4+QUdec1Ij0ev0+On/v9C0umTk/oQXtw1lxk4:zXmHhR1EOcP4+Qtc1Ij0evxOn/v9C0Dr
Score

10^/10

cobaltstrike 305419896 backdoor trojan upx 0
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

cobaltstrike305419896backdoortrojanupx

behavioral2

cobaltstrike0305419896backdoortrojanupx