cobaltstrike | 679e06b34326eaf4aa427650820a3fcc523d5b82f3e8eb8d505f51ff33d55828 | Triage

Sharing

General

Target

d48235f529e34ccb9a0cfac63e9495113499452b317aec2e8b3ed836ca23cb52.zip
Size

227KB
Sample

221201-t8cb3sca4v
MD5

24cc4b1194b8a8aa2e6ac5cacae7e002
SHA1

a3a94962d6d902d65ade04114106310342ba4c9f
SHA256

679e06b34326eaf4aa427650820a3fcc523d5b82f3e8eb8d505f51ff33d55828
SHA512

bfa2e2fcf7f5b2e70874bfc78452d3277c7a3c58c9ab9b240dc0d474823595375378c5ada938426ba133b3af7648d8380087c1300f8e9d3f136a16f7e4b63430
SSDEEP

6144:y3Bu8aBPPQxsSAqlezV38JIOffdxsw6C3215qH8Ox:kg8qVNV38JIOfLVZ25qH8Ox

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Targets

- Target
  
  Attachment.iso
- Size
  
  822KB
- MD5
  
  1ff6225f783595cf3a0c11720fa945d8
- SHA1
  
  4d71522a9cbf2f050f1b369f18351f6eec89b46e
- SHA256
  
  d0d1b77c34afe7bec255227fc946e32890e7f6abff67e913d7ef4ea5e33efacb
- SHA512
  
  3074e2212e10ac32b5bee3eca1ce9b324a85c5866b24c0086838b5ce336c380276f0616befe6c0c10d9cbdd1c95ed9c6de5eb3f3101d4f91cccb890f74b7b669
- SSDEEP
  
  12288:3hU0sdb34MkPGI4MpPBrCi1y05XlXNgLZRwUm14nY:vpki13jgLZRwUm1v
Score

8^/10
- Blocklisted process makes network request
- Drops startup file
behavioral1 behavioral2
- Target
  
  8969122ef3485d.log
- Size
  
  23KB
- MD5
  
  914dd9891afe574b611e2e38a162ae1f
- SHA1
  
  ad4c9126bcf2e534cd355107c301d01832889610
- SHA256
  
  304d6a87f624d74df2bf37c458b2f06c525aad947886413befac892c1d89a394
- SHA512
  
  33a70a75e956bcdb70c22b27c2f3044d6c527e3a10446cb6654431ecfbe326d69631b8ad61bb8f8bc8399f6122bdc229dfc01a607cec38587d39dccc67dd902c
- SSDEEP
  
  384:k6dBkkPyac1Vzzgq2wjvulFcagjATRdMa5oE4BW2d4yvnR:/bXPY1VzzgOecag0DMaclDfR
Score

8^/10
- Blocklisted process makes network request
- Drops startup file
behavioral3 behavioral4
- Target
  
  8969122ef3485df.log
- Size
  
  420KB
- MD5
  
  06b8feae2c9d9f2940cb9dca40d553c3
- SHA1
  
  b246ed8055ad9e7bb760795e054224d406ec8a20
- SHA256
  
  93b0f19011468a4864c114bcbcfc55f460e2c789b14ea893c26ce450d3c21a9e
- SHA512
  
  d0285b2a638ff76fe846f41118c7e6e2ac741ab071ec63432fc8406b181ebf187c0d77f45740eb26a193f348b15db478a7d6c96c6f92df6a7464b46c9a3f6818
- SSDEEP
  
  12288:hhU0sdb34MkPGI4MpPBrCi1y05XlXNgLZRwUmm:tpki13jgLZRwUmm
Score

10^/10

cobaltstrike backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Blocklisted process makes network request
behavioral5 behavioral6
- Target
  
  Attachment.lnk
- Size
  
  2KB
- MD5
  
  4f86eb0c1fac722e4c7b4f6f089bd127
- SHA1
  
  9d459b6ebc01d6e937785e1e118000bebdd3f700
- SHA256
  
  89a1a6cb000a66b841ad26a8d0d5af507cc17efc00a109d61d52a65caa4cef43
- SHA512
  
  c8f1d53629d14ddbe84b6878104a773e7a1bd8da47ab2b3d5ac04955916978bd79db0a9c3a94652889580344cf21416d7791b2982afeb7da5839ce33c7cc76a0
Score

8^/10
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
behavioral7 behavioral8
- Target
  
  document.pdf
- Size
  
  10KB
- MD5
  
  8a7cadbe3c40344007c5334b41f0e8cf
- SHA1
  
  fbc916f065157cc5a13f22453c19f7dfecc3c228
- SHA256
  
  3902e1734b1d0187d3404dafa4616212342630cb46913242060f485e58201a75
- SHA512
  
  8c5e0d7a938ac13537041335d5ea185e83e025b6da138c0c3c49794825e873a52c048b08579711a888bae6e9fedc03996dbb5a2696844bb5335b8f96017dcbdb
- SSDEEP
  
  192:GWY3Ro9kPRzjVap5F5rBfHOHAo9u8wGW1/Pgk/pDqX1TX5DESqyuZnZgprCZ5npK:GWaHhjVsHmAocZd1/f/pO1VDULERCZ58
Score

1^/10
behavioral10 behavioral9

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

cobaltstrikebackdoortrojan

behavioral7

behavioral8

behavioral9

behavioral10