cobaltstrike | 030122cbc26daf3bfb6c3eadbc4cea25e06f352c3d17decff8af12fa81ef638b

General

Target

6c9810a08e35920f03730e06102a1e1639a57a2d652ecfeedca63fceef495837.ps1
Size

734KB
MD5

47d0a7d95e4e561dd8d46a60f55f7f8d
SHA1

c285d3db58476c46aae8be6b731356ff13b6a478
SHA256

6c9810a08e35920f03730e06102a1e1639a57a2d652ecfeedca63fceef495837
SHA512

633b877b579024e5e36b99d133adde5c966d4d01915263be295456390ae523c5db4717359c1735d6fd73e3f84c3401bc7e67b414219cd6afb25d3bab23cc3917
SSDEEP

12288:FU1VYwPkT4LbcArB+rVqLq25s+tLsCN/FUaZ9kC2XmaKxNxhsY/4QI1IRm6SEWO7:rYIqcSd

Score

10^/10

cobaltstrike 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://117.50.189.147:90/ca

Attributes

access_type
512
host
117.50.189.147,/ca
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
90
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYND7NsiktPrD/uDMM5S6C7cvFGmqR8iuKLt8lVUUU//Yoobu08NzywlsJ2hsGbs14VHXGUifaQr+gqRANCApl4tQxjmG6C9cZJVfB3y9WToeDqwczyuRTQi046lKr777YiiPYsNUC3aQriPMwKT/xCzs3AteG7fYZQ2TcrFRvewIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
watermark
305419896

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 1516 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1260 powershell.exe
1516 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1260 powershell.exe
Token: SeDebugPrivilege 1516 powershell.exe

flow	pid	process
4	1516	powershell.exe

pid	process
1260	powershell.exe
1516	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1260 wrote to memory of 1516	1260	powershell.exe	powershell.exe
PID 1260 wrote to memory of 1516	1260	powershell.exe	powershell.exe
PID 1260 wrote to memory of 1516	1260	powershell.exe	powershell.exe
PID 1260 wrote to memory of 1516	1260	powershell.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\6c9810a08e35920f03730e06102a1e1639a57a2d652ecfeedca63fceef495837.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1260-54-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

Filesize
8KB

Download
memory/1260-55-0x000007FEF4640000-0x000007FEF5063000-memory.dmp

Filesize
10.1MB

Download
memory/1260-57-0x0000000002914000-0x0000000002917000-memory.dmp

Filesize
12KB

Download
memory/1260-56-0x000007FEF38F0000-0x000007FEF444D000-memory.dmp

Filesize
11.4MB

Download
memory/1260-58-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/1260-59-0x000000000291B000-0x000000000293A000-memory.dmp

Filesize
124KB

Download
memory/1260-60-0x0000000002914000-0x0000000002917000-memory.dmp

Filesize
12KB

Download
memory/1516-61-0x0000000000000000-mapping.dmp

Download
memory/1516-62-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/1516-63-0x00000000737C0000-0x0000000073D6B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-64-0x00000000737C0000-0x0000000073D6B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-65-0x0000000004CA0000-0x0000000004CD3000-memory.dmp

Filesize
204KB

Download
memory/1516-66-0x0000000004CE0000-0x0000000004D1D000-memory.dmp

Filesize
244KB

Download
memory/1516-67-0x0000000004CE0000-0x0000000004D1D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads