cobaltstrike | da69111d0ba32fa46dfcf6dbb30d672d39bf5794951f5c4d69fb378eda4bd1ff

General

Target

cs.ps1
Size

6KB
MD5

2d14fc0abc9432b32d79353b89b9c294
SHA1

726b03c1667004bebd77f20d7090fa7b3954721a
SHA256

da69111d0ba32fa46dfcf6dbb30d672d39bf5794951f5c4d69fb378eda4bd1ff
SHA512

182f9a7fd862f67c1146309c59e72ab634be64c6d3dcd532efd9ac07b0eba100c90d3ea1b4dd51f0902e4c9d14f51620baa03208e23a66a4a97027f773a4cb5a
SSDEEP

192:+9iMvwGTCLLmuq3WoR8XycmA4gMrxYjxs+wA9zzL:+YMvNCLeWuUycmA4gMrxYVs+wA9zzL

Score

10^/10

cobaltstrike metasploit 987654321 backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://45.83.122.166:8080/4YWx

Extracted

Family

cobaltstrike

Botnet

987654321

C2

http://hpsj.firewall-gateway.net:8080/j.ad

Attributes

access_type
512
beacon_type
2048
host
hpsj.firewall-gateway.net,/j.ad
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
8080
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA7XmfBGIqxq0ZAjbo1mvjRrLTz1kqnx3Y0IdHHMDbn1WD7VJz+lCRpWJ2OlsANQC9jVg0eiyxn6I+ZU0r0zFSOcMytDQLVzvia73nfDGwly091GLmpYfmC8ChGLu+bGPDvpLPRM0vXtR6Xo64j4Fy8OwpVtmjxJTL/Zgnp3IriwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP06)
watermark
987654321

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 7 IoCs

flow	pid	Process
3	1932	powershell.exe
5	1932	powershell.exe
7	1932	powershell.exe
9	1932	powershell.exe
10	1932	powershell.exe
11	1932	powershell.exe
13	1932	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1972	powershell.exe
1932	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1932	1972	powershell.exe	29
PID 1972 wrote to memory of 1932	1972	powershell.exe	29
PID 1972 wrote to memory of 1932	1972	powershell.exe	29
PID 1972 wrote to memory of 1932	1972	powershell.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cs.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
  "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4C92.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ET9SJPD04HDC8QEW6S0X.temp

Filesize
7KB

MD5
e2db1759f49610630def46d664e342b8

SHA1
ca772543557804885f5bef5280f9b0f7ca46fac7

SHA256
914de552427d8dd417cf9d3d9f574258ba29419c342e16666e1cc157993ef4d7

SHA512
830bb7d1a299676f5c89369abedc090255f5437c39a135920ea9688795943a1f64c61bda05949cc334eceff1a18a9f5c7e5a36f8793a86cbf22cb1a10c17a400

Download Submit
memory/1932-109-0x0000000005300000-0x0000000005302000-memory.dmp

Filesize
8KB

Download
memory/1932-88-0x0000000005570000-0x00000000055B1000-memory.dmp

Filesize
260KB

Download
memory/1932-116-0x0000000005570000-0x00000000055B1000-memory.dmp

Filesize
260KB

Download
memory/1932-115-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/1932-114-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/1932-67-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/1932-68-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/1932-69-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/1932-87-0x0000000005EB0000-0x00000000062B0000-memory.dmp

Filesize
4.0MB

Download
memory/1932-113-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/1972-60-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1972-59-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1972-58-0x000000001B130000-0x000000001B412000-memory.dmp

Filesize
2.9MB

Download
memory/1972-110-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1972-111-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1972-112-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1972-62-0x000000001B9E0000-0x000000001BA12000-memory.dmp

Filesize
200KB

Download
memory/1972-61-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1972-64-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1972-63-0x000000001B9E0000-0x000000001BA12000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads