cobaltstrike | 51a6cfe2097ea2e03ff885a6fe0083cfcd59e6042dbe8205834f3f9de88a8a9a

General

Target

f404d26706ef08f01e7d08bd24e572c523085f2c07601390c42e64261bc6df98.ps1
Size

279KB
MD5

8f96176279d6d78c3e40044939e028e6
SHA1

92b67e98138f65bbb6469afafb71cd49cde7a321
SHA256

f404d26706ef08f01e7d08bd24e572c523085f2c07601390c42e64261bc6df98
SHA512

252bbfa9101662d59101d0599665cb3d41b7138742987b4ed3d1ee7a611e91b172a45c0a41ad0ee7d3514be08b0a83e827717e300df71a9e35535cb9219418e4
SSDEEP

6144:oxzX5tk9wGd8b6JDuwgCNx88x/4eVU68RgRXswQqn:+/kp8b6JDzxoqg8xRXQu

Score

10^/10

cobaltstrike 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://152.89.196.245:6789/match

Attributes

access_type
512
host
152.89.196.245,/match
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
6789
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGFu6deNj54GwQLP/gvk2IXPhruZshiQwL+BaZCmm7xzfvvedCsNPTMAP+e3/zIeWtvCIby0zsYFDuKnF38h/iLsx3/vugYI9OQgXer0XD6u2mw0uO2bTdGz17fVzT4rJwxJo5PcF3qf/SXprY5GtDWKYffr6NCSrsLFDS2oLpbwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSCOM)
watermark
100000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exe

flow	pid	process
26	2024	powershell.exe
67	2024	powershell.exe
68	2024	powershell.exe
69	2024	powershell.exe
70	2024	powershell.exe
71	2024	powershell.exe
72	2024	powershell.exe
73	2024	powershell.exe
74	2024	powershell.exe
75	2024	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

3768 powershell.exe
3768 powershell.exe
2024 powershell.exe
2024 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3768 powershell.exe
Token: SeDebugPrivilege 2024 powershell.exe

pid	process
3768	powershell.exe
3768	powershell.exe
2024	powershell.exe
2024	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 3768 wrote to memory of 2024	3768	powershell.exe	powershell.exe
PID 3768 wrote to memory of 2024	3768	powershell.exe	powershell.exe
PID 3768 wrote to memory of 2024	3768	powershell.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\f404d26706ef08f01e7d08bd24e572c523085f2c07601390c42e64261bc6df98.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3768

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
93678e82d776686aa54c42b8a98e6cbc

SHA1
802939dfed99ac74814c4371388b204c5810241d

SHA256
da32a79a8e04cbafb1c5980b3d6225f4705010df5eb45d464cd5bf6b642d7841

SHA512
0b412a1e11c0639d72f6a58c661ecc43da021c010c4d1e66051c5a376ebab287480bbf663345c9bd2a79ec3a35a9788cf04d74d612449f76fe2c87576cd13520

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ebfbvcqq.053.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2024-168-0x0000000006990000-0x000000000700A000-memory.dmp

Filesize
6.5MB

Download
memory/2024-172-0x0000000006420000-0x000000000645E000-memory.dmp

Filesize
248KB

Download
memory/2024-177-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/2024-174-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/2024-173-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/2024-148-0x0000000002130000-0x0000000002166000-memory.dmp

Filesize
216KB

Download
memory/2024-149-0x0000000004BF0000-0x0000000005218000-memory.dmp

Filesize
6.2MB

Download
memory/2024-167-0x0000000005B70000-0x0000000005B8E000-memory.dmp

Filesize
120KB

Download
memory/2024-151-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/2024-152-0x0000000004B80000-0x0000000004BA2000-memory.dmp

Filesize
136KB

Download
memory/2024-153-0x0000000005290000-0x00000000052F6000-memory.dmp

Filesize
408KB

Download
memory/2024-154-0x0000000005300000-0x0000000005366000-memory.dmp

Filesize
408KB

Download
memory/2024-171-0x00000000063E0000-0x0000000006414000-memory.dmp

Filesize
208KB

Download
memory/2024-169-0x00000000060B0000-0x00000000060CA000-memory.dmp

Filesize
104KB

Download
memory/2024-150-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/3768-165-0x0000026FA3430000-0x0000026FA3440000-memory.dmp

Filesize
64KB

Download
memory/3768-139-0x0000026FA3430000-0x0000026FA3440000-memory.dmp

Filesize
64KB

Download
memory/3768-147-0x0000026FA4990000-0x0000026FA4B9A000-memory.dmp

Filesize
2.0MB

Download
memory/3768-170-0x0000026FA3430000-0x0000026FA3440000-memory.dmp

Filesize
64KB

Download
memory/3768-145-0x0000026FA3430000-0x0000026FA3440000-memory.dmp

Filesize
64KB

Download
memory/3768-140-0x0000026FA3430000-0x0000026FA3440000-memory.dmp

Filesize
64KB

Download
memory/3768-166-0x0000026FA3430000-0x0000026FA3440000-memory.dmp

Filesize
64KB

Download
memory/3768-146-0x0000026FA4600000-0x0000026FA4776000-memory.dmp

Filesize
1.5MB

Download
memory/3768-160-0x0000026FA3F30000-0x0000026FA414C000-memory.dmp

Filesize
2.1MB

Download
memory/3768-133-0x0000026F8AE10000-0x0000026F8AE32000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing