cobaltstrike

Resubmissions

18-01-2023 14:25

230118-rrsavsag38 10

Sharing

Copy URL

Twitter E-mail

General

Target

TA579_20220117.zip
Size

8.2MB
Sample

230118-rrsavsag38
MD5

6ca646efab8725915780c159a86115ba
SHA1

ac5f2f25e75ed22282d90ba9f40538423df3a108
SHA256

78279ac671bb144d058bc59eb5d89a6446ceee2cdcaf3d6bbe00a23e15abf0b2
SHA512

deada1e00126b0a8e4938ea0c7a6a96a7984258fe3cb4052c820c6f15fdc58faaeae74b337b81e38299fbe71b593049d9f5be80aa6dcfddd5cebca83fe1e69e9
SSDEEP

196608:nah7EGo1G1Q+t5kjO++pTp571s33JB1uf5n24K:nah81G1HOOppTpKUfO

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

1580103814

http://23.108.57.26:443/gv

http://23.106.215.213:443/ch

http://23.189.202.11:443/gv

http://23.109.27.113:443/gv

Attributes

access_type
512
beacon_type
2048
host
23.108.57.26,/gv,23.106.215.213,/ch,23.189.202.11,/gv,23.109.27.113,/gv
http_header1
AAAAEAAAABRIb3N0OiBvbmNsaWNrYWRzLm5ldAAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAE0FjY2VwdC1FbmNvZGluZzogYnIAAAAKAAAAJUFjY2VwdC1MYW5ndWFnZTogZW4tR0I7cT0wLjksICo7cT0wLjcAAAAHAAAAAAAAAA0AAAADAAAAAgAAAAVIU0lEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAABRIb3N0OiBvbmNsaWNrYWRzLm5ldAAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAJUFjY2VwdC1MYW5ndWFnZTogZW4tR0I7cT0wLjksICo7cT0wLjcAAAAKAAAAL0NvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkAAAABwAAAAEAAAADAAAAAwAAAAIAAAAEamF4PQAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
5376
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCE9L8rIKSp4C9FQ/R/7a3ryY4uA9FlvsgnXmTz2sZ9UVfj1lI08Bviwhpc+EnZZqJdTO64CfcMBV4mkNpD0ytsAQM2Exm52NXS+H2o2sCUL/5CEDF69gocbXAWu8TBQBOJ/nigUOIP9axddVsB3u7b3VYu+LeoMTaxlVbzllXwSwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
7.8457344e+07
unknown2
AAAABAAAAAIAAAJYAAAAAwAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/get
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
watermark
1580103814

Targets

- Target
  
  TA579_20220117/_ssl.pyd
- Size
  
  155KB
- MD5
  
  dcb25c920292192dd89821526c09a806
- SHA1
  
  79c9af3a11b41d94728f274b45a7c61dc8bbf267
- SHA256
  
  4e496cb3b89550cf5883d0b52f5f4660524969c7a5fa35a3b233df4f482d0482
- SHA512
  
  ae4ed1a66eef0b0c474c6ee498cd1388ef41f3746905257c7f5c0f73abbe3262eb47bb5748d47d55f1bd376308335a089c2b4c15ffe5d7fc21f2a660a4a93ba4
- SSDEEP
  
  3072:VOoLGtbSpE3z/J/PUE9u/85J2oEPwu3rE923+nuI5Piev9muFI4t761xu:VOoitbSpE3zhHPu/mE8nuaF9mud
Score

1^/10
behavioral1 behavioral2
- Target
  
  TA579_20220117/_zoneinfo.pyd
- Size
  
  42KB
- MD5
  
  e4c4a639cfb3d082b2fdb44ce08c1be3
- SHA1
  
  33fc3cc2db9ffc9e233aca5bc9290a69d138781f
- SHA256
  
  4333fc3595ea1ea48c5a983f8b60a64c192f39e5a0be2c7acd0033467269556d
- SHA512
  
  ef31ef93b73de02821751274f1a401710ef04c589cbb92d94ec0a3a5da5175e83c26bc12c367f0548583cf026cdce0e7ce3d33d7c4b3016e90beb42810f39bf0
- SSDEEP
  
  768:y8FQjWzWQt6XMuG7mM+FrRQOLb0CjyLstQ9t9I4CXbYiSyvpPxWEf:y84SqMt6MSrRQOLb0CuLstQH9I4CXb7V
Score

3^/10
behavioral3 behavioral4
- Target
  
  TA579_20220117/cradle.py
- Size
  
  524B
- MD5
  
  645bb969b89991321b41f629d5666fc8
- SHA1
  
  388e1046c1b5536f8543a9f543a693735d81b8d2
- SHA256
  
  fbe757129e9bbbfbb117ece83933187a774e1db4cbdb72a7bdc211a0871d38ec
- SHA512
  
  4d37bd777b5ab145aa7a0c4a1c47358ac6965057299cc781a761eadea2359bbe9ef0a144abc5143d59263f806715f21b7a12927a412fd3d38745fc3d3b251128
Score

3^/10
behavioral5 behavioral6
- Target
  
  TA579_20220117/python.exe
- Size
  
  99KB
- MD5
  
  0d7e35d7b045ec9447aa18d064fcd9c8
- SHA1
  
  fc8abbafbcf3b8f959b3e9c956109da0218aa95c
- SHA256
  
  3093fcf263029ca1d799fea250a4e032d2c930a516f1513eeca688b343c836b3
- SHA512
  
  7e9d78959563fd416422b6e226b73ed4ed2da7905ad89d93571f93b113fbcc1ee7203f18bb53bd495b9f79d4d9b72bbc0b6aad5cc4ce4356e655e8e459997cac
- SSDEEP
  
  1536:NFVCKbuEYE+9z2wp+FavGmhMn+IhzZtz8/duRo7SyYPx:NFVCKbuAs0FNmhMn+IhN+/duRoyx
Score

1^/10
behavioral7 behavioral8
- Target
  
  TA579_20220117/python3.dll
- Size
  
  63KB
- MD5
  
  e0ca371cb1e69e13909bfbd2a7afc60e
- SHA1
  
  955c31d85770ae78e929161d6b73a54065187f9e
- SHA256
  
  abb50921ef463263acd7e9be19862089045074ea332421d82e765c5f2163e78a
- SHA512
  
  dd5a980ba72e4e7be81b927d140e408ad06c7be51b4f509737faee5514e85a42d47518213da1c3e77c25f9bd2eb2109fca173d73d710ff57e6a88a2ff971d0b4
- SSDEEP
  
  768:5n8LeBLeeFtp5V1BfO2yvSk70QZF1nEyjnskQkr/RFB1qucwdBeCw0myou6ZwJq2:5nwewnvtjnsfwL5I4Q0h7SyD0PxW
Score

3^/10
behavioral10 behavioral9
- Target
  
  TA579_20220117/python310.dll
- Size
  
  4.3MB
- MD5
  
  54f8267c6c116d7240f8e8cd3b241cd9
- SHA1
  
  907b965b6ce502dad59cde70e486eb28c5517b42
- SHA256
  
  c30589187be320bc8e65177aeb8dc1d39957f7b7dcda4c13524dd7f436fb0948
- SHA512
  
  f6c865c8276fe1a1a0f3267b89fb6745a3fc82972032280dce8869006feb2b168516e017241a0c82bdae0f321fab388523691769f09a502fc3bd530c1c4cacf1
- SSDEEP
  
  49152:+xWM30WEuKdhbvd9aCLYjiNME9KnPdZkAMnu08M2c3MrOEJ8wwoJCzSy4I0mUHJq:+eV7bkwMVPZRHqzt0XHaMZqSH1jze
Score

3^/10
behavioral11 behavioral12
- Target
  
  TA579_20220117/pythonw.exe
- Size
  
  97KB
- MD5
  
  535dbfade17a856935667eae25acc166
- SHA1
  
  881db3c6ec9b8eee8c26c0b6c0278a3c8c3f301b
- SHA256
  
  61957119137f9492ab7cff41ed83619cdd398b8d47ceb4feeba5ed9bd0fcdc22
- SHA512
  
  8dc2fc6534a67b27bb65d65fc366cd9101ffd1a918924be7e1dfb253785cc0b57ce10621ea93af3769b1393cbde630cde92068689ef674c8c75e76a17bf49a09
- SSDEEP
  
  1536:bEqhuhIxHHWMpdPa5wiE21M8kJIGFvb1Cwb/x+sT7SyBPxs:YqISwMpdCq/IM8uIGfR/x+sT7xs
Score

1^/10
behavioral13 behavioral14
- Target
  
  TA579_20220117/required documents.lnk
- Size
  
  2KB
- MD5
  
  63406fd9ac6318999606bdf3dee56e59
- SHA1
  
  8af67f655ce1b5a1c98a2c3e2dc16b04f524d2ad
- SHA256
  
  de6f6037ca98820a57ed73b33a551f33b593ed860e37942c749a1bb1bc12de8d
- SHA512
  
  0c287b1a328392bde2560c0afa07119a851788a329bf1f6eceb04f3ea2f56387caac344ff5c8d6f7b3b34e768a16dc67ca637e100da273aa8e1bbf80d3151f61
Score

10^/10

cobaltstrike 1580103814 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral15 behavioral16

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Checks computer location settings

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16