cobaltstrike

General

Target

8494205ac991c4f2aaa5390ce684e5382e1e4c85da0ce08c527ba9d4089dd86d
Size

494KB
Sample

230129-tz97radg43
MD5

8d166ee159764d8a09ac1a16b30a445a
SHA1

0a709778fa4f8ec9c03d34cc7ad36ae1f6cdeec7
SHA256

8494205ac991c4f2aaa5390ce684e5382e1e4c85da0ce08c527ba9d4089dd86d
SHA512

4ecfadbbe51f97aa44cfd1d3bf91e79f39ddffbd407d2a9ed0e44ece5282f419e494557255c47d7a8b7a5588d9fb8aff2ec5cf8436fc19c8a6874c967855d29b
SSDEEP

12288:y8E3jt616IePdCKXYItHMIwNoD1sfC73M2GjELsXZ:dePdCQaIcOqfm+jELC

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

1359593325

C2

http://ghafirst.com:443/RELEASES

Attributes

access_type
512
beacon_type
2048
host
ghafirst.com,/RELEASES
http_header1
AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAALQWNjZXB0OiAqLyoAAAAHAAAAAAAAAAMAAAADAAAAAgAAABR3b3JkcHJlc3NfbG9nZ2VkX2luPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAA9QWNjZXB0LUxhbmd1YWdlOiBmci1DSCwgZnI7cT0wLjksIGVuO3E9MC44LCBkZTtxPTAuNywgKjtxPTAuNQAAAAoAAAAvQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQAAAAHAAAAAQAAAA0AAAADAAAAAgAAAAhjaGFubmVsPQAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9984
polling_time
56890
port_number
443
sc_process32
%windir%\syswow64\regsvr32.exe
sc_process64
%windir%\sysnative\regsvr32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQVbvYC23lQ8yuEgsqJl0PQ6bcBM32VKooSBx4V5Fw76v+7Jy1M52MeKC1pTSMFlG6+9dzMIVigabcKfvq/lUN6u8DTbWtmiUkwCGv/Y4dcfyu34NTcmgoEBxE1UovJUM8FQr4ID1uEj6oNnN4sKbpQ2cFwfcUt8lRaqpQiXdfkQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.025605888e+09
unknown2
AAAABAAAAAIAAAJYAAAAAwAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/ro
user_agent
Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202
watermark
1359593325

Targets

- Target
  
  8494205ac991c4f2aaa5390ce684e5382e1e4c85da0ce08c527ba9d4089dd86d
- Size
  
  494KB
- MD5
  
  8d166ee159764d8a09ac1a16b30a445a
- SHA1
  
  0a709778fa4f8ec9c03d34cc7ad36ae1f6cdeec7
- SHA256
  
  8494205ac991c4f2aaa5390ce684e5382e1e4c85da0ce08c527ba9d4089dd86d
- SHA512
  
  4ecfadbbe51f97aa44cfd1d3bf91e79f39ddffbd407d2a9ed0e44ece5282f419e494557255c47d7a8b7a5588d9fb8aff2ec5cf8436fc19c8a6874c967855d29b
- SSDEEP
  
  12288:y8E3jt616IePdCKXYItHMIwNoD1sfC73M2GjELsXZ:dePdCQaIcOqfm+jELC
Score

10^/10

cobaltstrike 1359593325 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2