cobaltstrike | b8191fcab4089c6089d8dd0bf7a81380b49dece0ec055ed15195a20a18ee06cf | Triage

Sharing

General

Target

9023247984.zip
Size

419KB
Sample

230206-w67rbaae6w
MD5

349ec863a3a3daf935cbb7dbcb2fa2bd
SHA1

a2695f30651e7138ae095a42fb68ce004767313d
SHA256

b8191fcab4089c6089d8dd0bf7a81380b49dece0ec055ed15195a20a18ee06cf
SHA512

b8da84f057504cc02651cea09ad329738f73a8f071f6a84c7506b38229ba65ed5c0190d0e29be83761df7d6e061d0628d70f3c62b703d9e2b1dbe3378b49bda3
SSDEEP

12288:ejkgK6u5SRqOtJtMcSd4gnjiYi8mvQS+GYtwKymZax1/b6p:eIuDRqOxMj4gnGYTMWtwCy1TE

Score

10^/10

cobaltstrike 987654321 backdoor persistence trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

987654321

C2

http://45.12.253.139:443/an.js

Attributes

access_type
512
beacon_type
2048
host
45.12.253.139,/an.js
http_header1
AAAAEAAAABpIb3N0OiBidXNpbmVzc3NlcnZpY2VzLmNvbQAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAE0FjY2VwdC1FbmNvZGluZzogYnIAAAAKAAAAFkFjY2VwdC1MYW5ndWFnZTogZW4tVVMAAAAHAAAAAAAAAA0AAAADAAAAAgAAABp3b29jb21tZXJjZV9pdGVtc19pbl9jYXJ0PQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAABpIb3N0OiBidXNpbmVzc3NlcnZpY2VzLmNvbQAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAGUFjY2VwdC1FbmNvZGluZzogZ3ppcCwgYnIAAAAKAAAAL0NvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkAAAABwAAAAEAAAANAAAAAwAAAAIAAAAIZGV0YWlscz0AAAAEAAAABwAAAAAAAAADAAAAAgAAAA5fX3Nlc3Npb25fX2lkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
55991
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCMEuNG3asVOp+bgSmSog10bB55R9e+aj5dF2sVbnRjA/dTkltRdDD0DdF5vJh/gURBikZ4FxqqmfqR2SPAheOzDDrYvV7ScpwPkZe8IUd/DbJmPs30ST9SGHn+eLjTQQEU+I142t7yTsO7HCKf1CTDMHfS3PNoz3V8ivNRwL1aiQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
9.63976192e+08
unknown2
AAAABAAAAAIAAANxAAAAAwAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/ch
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/42.0.2311.135
watermark
987654321

Targets

- Target
  
  RuntimeBroker.exe
- Size
  
  100KB
- MD5
  
  ba4cfe6461afa1004c52f19c8f2169dc
- SHA1
  
  ab8539ef6b2a93ff9589dec4b34a0257b6296c92
- SHA256
  
  e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628
- SHA512
  
  2c5190d7609767237311260f241c619b82434ca640f396bb9710d356286844f82f320f9e05525a38707f2a52977790c0c3e2a217b36a7f0095a87c138b939af0
- SSDEEP
  
  1536:l5gC0wSKok6UAeVEBFgvozLmwCedFpQHI8PXjYlTx/2whBGE/5K5/EJD2VEUcO8h:sC+vEArBCgmejo8X/2whRJDAE2r+e
Score

10^/10

cobaltstrike 987654321 backdoor persistence trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  info.txt
- Size
  
  174KB
- MD5
  
  84b90b27b759c98f05d35e2936939ea2
- SHA1
  
  0a398991b1559455da5333b696da112af07f028e
- SHA256
  
  161854614e6405d6899e19409cee5fc8b08fc08a0c52c208593c059f93b869f8
- SHA512
  
  b1aa38152af47a156a426794d2d2a4560a736ff7447a54327df629bb9e09c8a22d54360615dc73ba4ed435c188a2b07d13962b6823a30bc1a8c0647d0e64e564
- SSDEEP
  
  3072:vpIKIHU84AKvpmlIUj/k0uw5tTHf/bXtdn8OqxbuRTVpi6q:hIelvE7LuCl//bXWuJXi6q
Score

1^/10
behavioral3 behavioral4
- Target
  
  umpdc.dll
- Size
  
  391KB
- MD5
  
  1570c92c1c5f039c438295ac68ff7e82
- SHA1
  
  3ee6c1d3582361e8af4efec44b1d1420494ab728
- SHA256
  
  b41b4e32607a4e21593332da63ce1bcf9c1d43f8f6754789a43bea7428833ea4
- SHA512
  
  fbf28062d81538f814e1a615caf9993aa24e54fd0b7ff84ead7e22002bac0a4c866d334fd445d6c7844289a7310e82a0febd07d7f02536ea51d11f9f884e4992
- SSDEEP
  
  6144:JAuyRydkljgV0gy791xfB9yDAxRX9yMhklyCgk0gyWYFgdDlmZdHyHydkl9Tr0g/:JAAU8V0ZrH88Y2k0md8dHdUB0BwH
Score

10^/10

cobaltstrike 987654321 backdoor persistence trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
  persistence
behavioral5 behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

cobaltstrike987654321backdoorpersistencetrojan

behavioral3

behavioral4

behavioral5

cobaltstrike987654321backdoorpersistencetrojan

behavioral6

cobaltstrike987654321backdoorpersistencetrojan