cobaltstrike | 693dd56aa5b577ee03fed83d402786af59e3dca6341dccf7bdd029f9e0dfb3be

Analysis

max time kernel
62s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2023 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cs_backdoor.exe
Size

518KB
MD5

b62632529fdaa96f4be1e50eeeaf069c
SHA1

d1b770fa53e204d6ce4b28c51cc5be4e6ff5d92f
SHA256

8d8a7798ebf211ce6bd8a50f606aea0003350566832ade952b3dac9bd8c2b9d5
SHA512

397f3a2ec44943d7ca35d5841fe46910cac0ad2648e0ee128cab8260d33187087b45a1489b9ea21f52cb96127fceac6e62b503d08bbdf189bba1eab9687d9b18
SSDEEP

12288:R0mDAUEXTjWv/1Bu5Nvv7fqr9opXP9UIQzaTobm:fDgXTyvuPbfgapXP9UIc

Score

10^/10

cobaltstrike 0 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

http://106.12.222.162:8099/blog/

Attributes

access_type
512
dns_idle
1.34744072e+08
host
106.12.222.162,/blog/
http_header1
AAAAEAAAABdIb3N0OiB3d3cuYWxpeXVuLWNzLmNvbQAAAAoAAAALQWNjZXB0OiAqLyoAAAAKAAAAhkNvb2tpZTogTWljcm9zb2Z0QXBwbGljYXRpb25zVGVsZW1ldHJ5RGV2aWNlSWQ9OTVjMThkOC00ZGNlOTg1NDtDbGllbnRJZD0xQzBGNkM1RDkxMEY5O01TUEF1dGg9M0VrQWpES2pJO3hpZD03MzBiZjc7d2xhNDI9WkcweU16QTJLakVzAAAABwAAAAAAAAANAAAABgAAAAhYLVByYWdtYQAAAAkAAAAOcGF0aD0vY2FsZW5kYXIAAAAAAAAAAAAAAAAAAA==
http_header2
AAAAEAAAABdIb3N0OiB3d3cuYWxpeXVuLWNzLmNvbQAAAAoAAAALQWNjZXB0OiAqLyoAAAAHAAAAAQAAAA0AAAAEAAAABwAAAAAAAAANAAAAAgAAAAZ3bGE0Mj0AAAACAAAAC3hpZD03MzBiZjc7AAAAAgAAABJNU1BBdXRoPTNFa0FqREtqSTsAAAACAAAAF0NsaWVudElkPTFDMEY2QzVEOTEwRjk7AAAAAgAAADhNaWNyb3NvZnRBcHBsaWNhdGlvbnNUZWxlbWV0cnlEZXZpY2VJZD05NWMxOGQ4LTRkY2U5ODU0OwAAAAYAAAAGQ29va2llAAAAAAAAAAAAAA==
http_method1
POST
http_method2
POST
jitter
5120
maxdns
235
polling_time
30000
port_number
8099
sc_process32
%windir%\syswow64\gpupdate.exe
sc_process64
%windir%\sysnative\gpupdate.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5h13I0LHtntwGyfMQ50mwgeQNRoMziUbFacTBFXE6o0aMf2upaKU1zl/ud3VRodQjFZxWn2uqOUp+027mQoZ25IxVFtNU21cf1gMJO4j2vcXVAaTTYPh3NXVJ/LHMyI7f8tgsuXztYUVLsWrLG5VO/UfGom/os0SDAFcwWJzkrwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.448416512e+09
unknown2
AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/BLOG/
user_agent
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
watermark
305419896

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

C:\Users\Admin\AppData\Local\Temp\cs_backdoor.exe
"C:\Users\Admin\AppData\Local\Temp\cs_backdoor.exe"
1⤵
PID:1208

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1208-133-0x00007FFB896F0000-0x00007FFB8977D000-memory.dmp

Filesize
564KB

Download
memory/1208-134-0x00007FFB896F0000-0x00007FFB8977D000-memory.dmp

Filesize
564KB

Download
memory/1208-135-0x0000017BB4D00000-0x0000017BB4D01000-memory.dmp

Filesize
4KB

Download
memory/1208-136-0x00007FFB896F0000-0x00007FFB8977D000-memory.dmp

Filesize
564KB

Download
memory/1208-138-0x00007FFB896F0000-0x00007FFB8977D000-memory.dmp

Filesize
564KB

Download
memory/1208-141-0x00007FFB896F0000-0x00007FFB8977D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads