cobaltstrike | 00a2ad580b475b5d302483074884a3b02e931fcea5dd54ae94976ae43e475b16

Analysis

max time kernel
136s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2023 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ipchains.dll
Size

572KB
MD5

8fdd7858bf72589cafba3e8f98a6730b
SHA1

ee3d8b9e6c4fc004a167d8ad5cfd1b479d009769
SHA256

39cc8085e331d0fbf1122e561472f87611de3df5f70344ac7b160d96b3cf576f
SHA512

0666c91cdf842f5755cffbfb7da8d69a84de024d90d56772e3fe9b71b0c923791205e9215469c96cd3d66f8ba2956fc9d3fc99303481b72eb00ac7de7b97a7ad
SSDEEP

6144:5RsC6WbKlOsSPfGGu3KFGSpdc0x/POh4OML3OLyK9kon8m5I5XWOFLBSmOJQgyxy:5qt7s3TvV4hBML3OLyoytj2mzdI

Score

10^/10

cobaltstrike 1580103814 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1580103814

http://23.108.57.161:443/Forums.css

http://157.254.194.123:443/Forums.css

http://182.23.109.22:443/bn.css

http://157.72.142.1:443/Forums.css

Attributes

access_type
512
beacon_type
2048
host
23.108.57.161,/Forums.css,157.254.194.123,/Forums.css,182.23.109.22,/bn.css,157.72.142.1,/Forums.css
http_header1
AAAAEAAAAA1Ib3N0OiBtc24uY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAAAwAAAAMAAAACAAAAEG1hZGVfd3JpdGVfY29ubj0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAAA1Ib3N0OiBtc24uY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi1VUwAAAAoAAAAYQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluAAAABwAAAAEAAAADAAAAAwAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
10496
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGR0Qh3y+EUBYe3BK7qolMM8JPwPWG3qSISL7jSnjkuexL5sMHLtzoO5zoQBy+e4TrkofBD2/CsND498lUEN11cFR9Kw1NFw6DnLSlodbOZoq4yAd4rqFrAU7pQXMn+TDas8ZyiZ1Gk0sb29Z3S9pi2fsZj2g4ZLC8cpJipJJRmQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.708806656e+09
unknown2
AAAABAAAAAIAAAPVAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/dz
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
watermark
1580103814

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Blocklisted process makes network request 13 IoCs

Processes:

rundll32.exe

flow	pid	process
1	2816	rundll32.exe
7	2816	rundll32.exe
14	2816	rundll32.exe
23	2816	rundll32.exe
24	2816	rundll32.exe
41	2816	rundll32.exe
43	2816	rundll32.exe
44	2816	rundll32.exe
45	2816	rundll32.exe
48	2816	rundll32.exe
49	2816	rundll32.exe
50	2816	rundll32.exe
51	2816	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ipchains.dll,#1
1⤵
- Blocklisted process makes network request
PID:2816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2816-132-0x0000021804590000-0x000002180461B000-memory.dmp

Filesize
556KB

Download
memory/2816-133-0x0000021804190000-0x0000021804590000-memory.dmp

Filesize
4.0MB

Download
memory/2816-134-0x0000021804590000-0x000002180461B000-memory.dmp

Filesize
556KB

Download
memory/2816-135-0x0000021804190000-0x0000021804590000-memory.dmp

Filesize
4.0MB

Download