cobaltstrike | 6761764ee874b2ec445c348a245cc35e8fa2e71a5df7c25c5a4a9f20da710a89 | Triage

Sharing

General

Target

1008188650ce94899c5714346e9ec493.js.vir
Size

869KB
Sample

230317-pjl3rsab41
MD5

1008188650ce94899c5714346e9ec493
SHA1

a3cc3b37f9cf65306c219c04695199a40e5c2cc8
SHA256

6761764ee874b2ec445c348a245cc35e8fa2e71a5df7c25c5a4a9f20da710a89
SHA512

7cc7e87165377d86d3c809b2e57c4bb5c45e2c6372d6a4c623ccbede257e082b0a09da6bb28d57241072c274f9dbe6d6d22e6b8e969299d9ff3b435f716fefe8
SSDEEP

12288:k/zZk5BCCZC1vij1TtwNuDCnVZMP72F0MLzImIz+H0RnJiu5/uB6KgSfl+ribR0X:kFAz2F0fSURnJ4jh8i4

Score

10^/10

cobaltstrike 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://101.43.188.175:6666/image/

Attributes

access_type
512
host
101.43.188.175,/image/
http_header1
AAAACgAAAEhBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKmw7cT0wLjgAAAAKAAAAHlJlZmVyZXI6IGh0dHA6Ly93d3cuZ29vZ2xlLmNvbQAAABAAAAARSG9zdDogbGF4c3RvcmUuZ3EAAAAKAAAAEFByYWdtYTogbm8tY2FjaGUAAAAKAAAAF0NhY2hlLUNvbnRyb2w6IG5vLWNhY2hlAAAABwAAAAAAAAAIAAAAAQAAAAQuanBnAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAoAAAAeUmVmZXJlcjogaHR0cDovL3d3dy5nb29nbGUuY29tAAAAEAAAABFIb3N0OiBsYXhzdG9yZS5ncQAAAAoAAAAQUHJhZ21hOiBuby1jYWNoZQAAAAoAAAAXQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUAAAAHAAAAAAAAAAsAAAABAAAABC5wbmcAAAAMAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
6666
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmOWIfmsFlSaN08WbrXhqAUnE0QmgKzc114UH02A/cZNu9XBcBIf3gJ63j7++TAbdMd+qE3rdZw/CwmlXOCBrfx7cxpKKQY1/kA0NVmS8AVcryjkT6cSxdF5Ehe4DMMtLDP2GHIvt+r4587MArJnEThLp/UScK/KwXHYMAzkcTuwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/email/
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727)
watermark
100000

Targets

- Target
  
  1008188650ce94899c5714346e9ec493.js.vir
- Size
  
  869KB
- MD5
  
  1008188650ce94899c5714346e9ec493
- SHA1
  
  a3cc3b37f9cf65306c219c04695199a40e5c2cc8
- SHA256
  
  6761764ee874b2ec445c348a245cc35e8fa2e71a5df7c25c5a4a9f20da710a89
- SHA512
  
  7cc7e87165377d86d3c809b2e57c4bb5c45e2c6372d6a4c623ccbede257e082b0a09da6bb28d57241072c274f9dbe6d6d22e6b8e969299d9ff3b435f716fefe8
- SSDEEP
  
  12288:k/zZk5BCCZC1vij1TtwNuDCnVZMP72F0MLzImIz+H0RnJiu5/uB6KgSfl+ribR0X:kFAz2F0fSURnJ4jh8i4
Score

10^/10

cobaltstrike 100000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

cobaltstrike100000backdoortrojan

behavioral2

cobaltstrike100000backdoortrojan