cobaltstrike

General

Target

ta580.zip
Size

288KB
Sample

230110-v3r11sgg49
MD5

d97402459cb90c8360edd529e6f7a32a
SHA1

f97add4a9124fa8db8efaf457d24a2ce69a1093e
SHA256

00a2ad580b475b5d302483074884a3b02e931fcea5dd54ae94976ae43e475b16
SHA512

7614fff7a6ea0950f51510a4894040d9f9b6794bd5d25104f054805f65aa68dbb159eba4beca0f56d68af072de3573b780001a129a57b1777d9abdf36d5523b8
SSDEEP

6144:EkTgUheBNoODTubgQKvLuCdDeJc1U2CRYIgCQPuBH0ogNbLQZ5x6QZx5xb:EkTgO2f2FKvyCdyQU0I6uV0pEm2R

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

1580103814

C2

http://23.108.57.161:443/Forums.css

http://157.254.194.123:443/Forums.css

http://182.23.109.22:443/bn.css

http://157.72.142.1:443/Forums.css

Attributes

access_type
512
beacon_type
2048
host
23.108.57.161,/Forums.css,157.254.194.123,/Forums.css,182.23.109.22,/bn.css,157.72.142.1,/Forums.css
http_header1
AAAAEAAAAA1Ib3N0OiBtc24uY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAAAwAAAAMAAAACAAAAEG1hZGVfd3JpdGVfY29ubj0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAAA1Ib3N0OiBtc24uY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi1VUwAAAAoAAAAYQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluAAAABwAAAAEAAAADAAAAAwAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
10496
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGR0Qh3y+EUBYe3BK7qolMM8JPwPWG3qSISL7jSnjkuexL5sMHLtzoO5zoQBy+e4TrkofBD2/CsND498lUEN11cFR9Kw1NFw6DnLSlodbOZoq4yAd4rqFrAU7pQXMn+TDas8ZyiZ1Gk0sb29Z3S9pi2fsZj2g4ZLC8cpJipJJRmQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.708806656e+09
unknown2
AAAABAAAAAIAAAPVAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/dz
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
watermark
1580103814

Targets

- Target
  
  document01.lnk
- Size
  
  1KB
- MD5
  
  4230179e11830d5c25781306d113523b
- SHA1
  
  158c3323dc9d25981625bc1f4788ae4a9a6f5e60
- SHA256
  
  b3105f3b231b63e1e18f592d15acbba1fb1993e032360da28a14f41d60dad696
- SHA512
  
  342b01130dff4f62883602906245cf5ca4aa8e14ad397e07d7e383294d93dc826d43f32510648bcddd2295f0c082b5bf8f561b9b7bba302eecf23c9580e98c54
Score

8^/10
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  ipchains.dll
- Size
  
  572KB
- MD5
  
  8fdd7858bf72589cafba3e8f98a6730b
- SHA1
  
  ee3d8b9e6c4fc004a167d8ad5cfd1b479d009769
- SHA256
  
  39cc8085e331d0fbf1122e561472f87611de3df5f70344ac7b160d96b3cf576f
- SHA512
  
  0666c91cdf842f5755cffbfb7da8d69a84de024d90d56772e3fe9b71b0c923791205e9215469c96cd3d66f8ba2956fc9d3fc99303481b72eb00ac7de7b97a7ad
- SSDEEP
  
  6144:5RsC6WbKlOsSPfGGu3KFGSpdc0x/POh4OML3OLyK9kon8m5I5XWOFLBSmOJQgyxy:5qt7s3TvV4hBML3OLyoytj2mzdI
Score

10^/10

cobaltstrike 1580103814 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Blocklisted process makes network request
behavioral3 behavioral4
- Target
  
  price.bat
- Size
  
  2KB
- MD5
  
  2a677a2e87d30723a7f85db0e68246a0
- SHA1
  
  8d6e8fd707166f6989d025b6e47eb32251ddf007
- SHA256
  
  b9f0301c363e3e874f0020090db489b4621a7df827aa5202971d789f9762e145
- SHA512
  
  fd976416ff65521c01c7c3cb5ccc4a7ce1fe786032868ed58314b5c412fc7dd5f7bd00aaae169adf0a0be0bd6caf6b40aaa91aba6c2945670d4d4e718f0dfe56
Score

10^/10

cobaltstrike 1580103814 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral5 behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Blocklisted process makes network request

Cobaltstrike

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6