cobaltstrike | 608365573d099c50b8c0e5b7092deae9a9bcc684bd44e271b69eb8f56ae2fbc8

General

Target

09094ed7deb2b722d47c888b47bc8d71b33355e5052b6e42621e4e98642e7ea9.ps1
Size

363KB
MD5

80e2da1c20715a24e2cffda025879bb2
SHA1

886a5a3f2a375458e332b7f667a4cc2c36f6a989
SHA256

09094ed7deb2b722d47c888b47bc8d71b33355e5052b6e42621e4e98642e7ea9
SHA512

69b973d54cdfc842f32fa184211113c3ae93f5a5eb163c6d4997148998077d94add60d96243c1dd18a5e6bdbb858da50481e2ef866082d7ea5398dadbd4cb1a7
SSDEEP

6144:8Znnz2AHVD16Sn+KlfYY07hFo8jcNHKIS0MNd1re83NXsaly5q6LAV:8Rn6KPfvATzaKIS0TKNXT56LAV

Score

10^/10

cobaltstrike 987654321 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

987654321

C2

http://kihurij.com:443/Demo/Internet/FT2F740QMYJ

Attributes

access_type
512
beacon_type
2048
host
kihurij.com,/Demo/Internet/FT2F740QMYJ
http_header1
AAAACgAAADhBY2NlcHQ6IGFwcGxpY2F0aW9uL2pzb24sIGFwcGxpY2F0aW9uL3hodG1sK3htbCwgaW1hZ2UvKgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi1pZQAAAAoAAAAfQWNjZXB0LUVuY29kaW5nOiBnemlwLCBpZGVudGl0eQAAAAcAAAAAAAAADwAAAAsAAAACAAAAI1NFU1NJT05JRF82QlBTMjFJOUZLSFJXMlFZRlhMMkZGMDU9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAADhBY2NlcHQ6IGFwcGxpY2F0aW9uL3hodG1sK3htbCwgaW1hZ2UvKiwgYXBwbGljYXRpb24vanNvbgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBydS1tZAAAAAoAAAAjQWNjZXB0LUVuY29kaW5nOiBpZGVudGl0eSwgY29tcHJlc3MAAAAHAAAAAAAAAA8AAAANAAAABQAAAAlfQ1BLUEtTVFkAAAAHAAAAAQAAAA8AAAAIAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
12544
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\getmac.exe /V
sc_process64
%windir%\sysnative\getmac.exe /V
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFpKj6wjeTv+jkvV2oKPV4oxmMWb/goJlnmx050yZrWRDPbb7kmST84pjx2qmD4N240vuPpIy3JzjfximH+OiBDmz1q6T2WrjeDJT9gcSbsyE857XflDEK73pqcmWPQyTLE4d2TaoqjExNiH0fG4h1aChr1NBa4bBCRyb4TsurxQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
8.72947712e+08
unknown2
AAAABAAAAAEAAASeAAAAAgAAA44AAAAIAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/Put/2003/WAIV922G69FS
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
watermark
987654321

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Blocklisted process makes network request 19 IoCs

Processes:

powershell.exe

flow	pid	process
4	2008	powershell.exe
5	2008	powershell.exe
6	2008	powershell.exe
9	2008	powershell.exe
10	2008	powershell.exe
11	2008	powershell.exe
13	2008	powershell.exe
14	2008	powershell.exe
15	2008	powershell.exe
17	2008	powershell.exe
18	2008	powershell.exe
19	2008	powershell.exe
21	2008	powershell.exe
22	2008	powershell.exe
23	2008	powershell.exe
25	2008	powershell.exe
26	2008	powershell.exe
27	2008	powershell.exe
29	2008	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2008 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2008 powershell.exe

pid	process
2008	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2008	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\09094ed7deb2b722d47c888b47bc8d71b33355e5052b6e42621e4e98642e7ea9.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2008-58-0x000000001B470000-0x000000001B752000-memory.dmp

Filesize
2.9MB

Download
memory/2008-60-0x0000000001F90000-0x0000000001F98000-memory.dmp

Filesize
32KB

Download
memory/2008-61-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2008-59-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2008-62-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2008-63-0x0000000002AE0000-0x0000000002B68000-memory.dmp

Filesize
544KB

Download
memory/2008-64-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2008-65-0x0000000002A00000-0x0000000002A02000-memory.dmp

Filesize
8KB

Download
memory/2008-66-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2008-68-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2008-67-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2008-69-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads