cobaltstrike | d1049482df1d0d0cfe84f00eb710ab14009afb7a1d496ee664b7e24f312805ae | Triage

Submit
Reports

Overview

overview

Static

static

d1049482df...ae.exe

windows7-x64

d1049482df...ae.exe

windows10-2004-x64

Sharing

General

Target

d1049482df1d0d0cfe84f00eb710ab14009afb7a1d496ee664b7e24f312805ae
Size

488KB
Sample

221128-nkk2esad54
MD5

d3d013aaa07c6217fda7a8a139c42b60
SHA1

c2255e187fc08109ee3da450bba1e176b7583384
SHA256

d1049482df1d0d0cfe84f00eb710ab14009afb7a1d496ee664b7e24f312805ae
SHA512

77b508f7b7504a15e2892bd956958d63ea81c601f923b23de89db0adbcac35b5bc5cd460592cb5c14ab8e122c3c60c49dfa08aeff39e6772a5de28f0651d4e69
SSDEEP

12288:M5GcFV5PDTOLQtJ+5tPD9HQdjFhkPcykVbI:MAELTOEtJWpwhmq

Score

10^/10

cobaltstrike backdoor bootkit persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

d1049482df1d0d0cfe84f00eb710ab14009afb7a1d496ee664b7e24f312805ae.exe

Resource

win7-20220812-en

cobaltstrike backdoor bootkit persistence trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

d1049482df1d0d0cfe84f00eb710ab14009afb7a1d496ee664b7e24f312805ae.exe

Resource

win10v2004-20220812-en

cobaltstrike backdoor persistence trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  d1049482df1d0d0cfe84f00eb710ab14009afb7a1d496ee664b7e24f312805ae
- Size
  
  488KB
- MD5
  
  d3d013aaa07c6217fda7a8a139c42b60
- SHA1
  
  c2255e187fc08109ee3da450bba1e176b7583384
- SHA256
  
  d1049482df1d0d0cfe84f00eb710ab14009afb7a1d496ee664b7e24f312805ae
- SHA512
  
  77b508f7b7504a15e2892bd956958d63ea81c601f923b23de89db0adbcac35b5bc5cd460592cb5c14ab8e122c3c60c49dfa08aeff39e6772a5de28f0651d4e69
- SSDEEP
  
  12288:M5GcFV5PDTOLQtJ+5tPD9HQdjFhkPcykVbI:MAELTOEtJWpwhmq
Score

10^/10

cobaltstrike backdoor bootkit persistence trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Bootkit

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

cobaltstrikebackdoorbootkitpersistencetrojan

behavioral2

cobaltstrikebackdoorpersistencetrojan

© 2018-2024

Terms | Privacy