General

  • Target

    6c9810a08e35920f03730e06102a1e1639a57a2d652ecfeedca63fceef495837.zip

  • Size

    245KB

  • Sample

    230211-m33hragh6s

  • MD5

    343b04df52d769359fd13fbbe7a9518a

  • SHA1

    d28be3f3537296c32e66e99aa044f00e073ff8b3

  • SHA256

    030122cbc26daf3bfb6c3eadbc4cea25e06f352c3d17decff8af12fa81ef638b

  • SHA512

    d9ee8b226b22578e73b790314705c557b07aa2d28221fd628d86a9f1b134e9e98342ba170d4003308ad14be42c5da7d2ad89155031d3f4d83a58b9af3f901d1d

  • SSDEEP

    6144:AFZwt+ydCAOnuf2+EhGhb1jvdYA2Dg2xM:AQt+a+u++LXjqD1xM

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://117.50.189.147:90/ca

Attributes

  • access_type

    512

  • host

    117.50.189.147,/ca

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • polling_time

    60000

  • port_number

    90

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYND7NsiktPrD/uDMM5S6C7cvFGmqR8iuKLt8lVUUU//Yoobu08NzywlsJ2hsGbs14VHXGUifaQr+gqRANCApl4tQxjmG6C9cZJVfB3y9WToeDqwczyuRTQi046lKr777YiiPYsNUC3aQriPMwKT/xCzs3AteG7fYZQ2TcrFRvewIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)

  • watermark

    305419896

Targets

    • Target

      6c9810a08e35920f03730e06102a1e1639a57a2d652ecfeedca63fceef495837.ps1

    • Size

      734KB

    • MD5

      47d0a7d95e4e561dd8d46a60f55f7f8d

    • SHA1

      c285d3db58476c46aae8be6b731356ff13b6a478

    • SHA256

      6c9810a08e35920f03730e06102a1e1639a57a2d652ecfeedca63fceef495837

    • SHA512

      633b877b579024e5e36b99d133adde5c966d4d01915263be295456390ae523c5db4717359c1735d6fd73e3f84c3401bc7e67b414219cd6afb25d3bab23cc3917

    • SSDEEP

      12288:FU1VYwPkT4LbcArB+rVqLq25s+tLsCN/FUaZ9kC2XmaKxNxhsY/4QI1IRm6SEWO7:rYIqcSd

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Blocklisted process makes network request
