cobaltstrike

Resubmissions

20/07/2023, 02:57

230720-dfptpscd84 10

13/02/2023, 14:20

230213-rndy3adb5w 10

Sharing

Copy URL

Twitter E-mail

General

Target

新建文件夹.rar
Size

1.1MB
Sample

230213-rndy3adb5w
MD5

b6ad952276d6993d1740ff2878c7d680
SHA1

7cf5ffb2500a88eaa150320997aeebde7a7fc420
SHA256

867912868ef71d5781305e61762d25b59f98b23d6a781a0e75be2705d30a3163
SHA512

ddd9a9970675de6e5b80139279a558e31e7c80de9eddefce78a9d463dbf3b67012c53eea870bbc74a488c261f100999daaba883499c62bdfe0617c0aeb51e2b7
SSDEEP

24576:lZT+kZ91Q5BTCZHvX/pNPS5KCCJ44q4k51ZZchAxWundJgj7hzh:lyjTCZHvX/i59CS4IjZZMmWudyF

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

http://120.78.228.153:443/center/update_

http://120.78.170.89:443/center/update_

http://60.205.203.120:443/center/update_

http://101.200.58.59:443/center/update_

http://47.96.152.43:443/center/update_

http://47.96.184.209:443/center/update_

Attributes

access_type
512
beacon_type
2048
host
120.78.228.153,/center/update_,120.78.170.89,/center/update_,60.205.203.120,/center/update_,101.200.58.59,/center/update_,47.96.152.43,/center/update_,47.96.184.209,/center/update_
http_header1
AAAACgAAAA1BY2NlcHQ6IGltYWdlAAAAEAAAAA1Ib3N0OiAzNjAuY29tAAAACgAAABlSZWZlcmVyOiBodHRwczovLzM2MC5jb20vAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAA0AAAACAAAACFNFU1NJT049AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAA1BY2NlcHQ6IGltYWdlAAAAEAAAAA1Ib3N0OiAzNjAuY29tAAAACgAAABlSZWZlcmVyOiBodHRwczovLzM2MC5jb20vAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAAMAAAAFAAAAB1NFU1NJT04AAAAHAAAAAQAAAA0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
2560
polling_time
2000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC00x/YenIm1WvU3f0GohhnnLcHou4dJiz3wNHILmAlAbMYzVUbXJanIwLYvbtLi+UQoZjc5aRwS6qgdE7YOfz9oSs4r9EGsYgtRh4MedK697imUg2eNGhU62Vao9Uv0HSxIDl6GQ7Aw9CHSXuV39gdp+eVFr3PA978yTahEpr3KQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.767183616e+09
unknown2
AAAABAAAAAEAAAAIAAAAAgAAAAkAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/center/upload_
user_agent
Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.31
watermark
100000

Targets

- Target
  
  新建文件夹/翟星天简历.docx.lnk
- Size
  
  39KB
- MD5
  
  22acae755096d085bc6f2b252523cc3b
- SHA1
  
  53b8e7c251cff125fd046281b9d106ca3021cefc
- SHA256
  
  7bb6dd81a44e6acb125ec9fb483c0c65cad01869f5a282bc61e6df81fe1f4553
- SHA512
  
  b1ae3c2e13c52ea15a559393778a020a1174b48d446d25aca65d4a97522716c6a81713ad40d88e9df922f308a45bf9a7c3b2f67b9884458a5bcb0aa5c374aefc
- SSDEEP
  
  768:dguiWbvcF7K/ccy7/zjo61M39TiFww6oLVRELZqKsmsWXpo47:eRWzclCcP/Js9RoLVEZrnp77
Score

10^/10

cobaltstrike 100000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Checks computer location settings

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2