cobaltstrike

Sharing

Copy URL

Twitter E-mail

General

Target

Downloads.rar
Size

7.1MB
Sample

230324-n7p9nagc2s
MD5

3ed5a87ced227e07a259052206745bf5
SHA1

4d34e9540ca2e05001c44028ff0ad2078078ce8b
SHA256

139cdb6becf2a2fa239d1f35acfc2db3f913afa6591b87d44b5e9d9b531dfa86
SHA512

cdc083a17bc1469550eaab7c6c018ff9802c071c6d35dd0469fe1ad154580c502f47048054857ff2b1f6258827a565fd0b85ad9b5bb33780f8e60f10326efd92
SSDEEP

196608:xJFtl8A3OaGGyIxIl+UKu2aFeluNjVm5+QZN00GDRZD:PlFQ8S+Ru2aG8qlZPuRZ

Score

10^/10

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://183.60.219.35:80/vue.min.js

Attributes

headers User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0) Host: 360update.360.cn

Extracted

Family

cobaltstrike

Botnet

100000000

http://183.60.219.35:80/api/getit

http://49.79.225.35:80/api/getit

http://111.7.110.35:80/api/getit

http://1.193.146.35:80/api/getit

http://118.112.225.35:80/api/getit

http://118.182.249.49:80/api/getit

http://42.81.98.35:80/api/getit

Attributes

access_type
512
host
183.60.219.35,/api/getit,49.79.225.35,/api/getit,111.7.110.35,/api/getit,1.193.146.35,/api/getit,118.112.225.35,/api/getit,118.182.249.49,/api/getit,42.81.98.35,/api/getit
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
80
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCELS0IwIRLnAAUxymQ8eY7I/IiIHxMk74CKVpbCv/hDhOU/PqGcgnQ1KY2VOq73+kUXpSMjEBlznrj3fUyZzDeuM74QTcyDYkOSOoCryAw0/dSwP7YMDkRlvxgh0flbXIwBybACCqm1Y1PNRCMUQrd+csGRIueGSigF+FRv9uVowIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/api/postit
user_agent
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
watermark
100000000

Extracted

Family

cobaltstrike

Botnet

391144938

http://39.98.169.74:8080/mall_100_100.html

Attributes

access_type
512
host
39.98.169.74,/mall_100_100.html
http_header1
AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAj0FjY2VwdDogdGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksaW1hZ2UvYXZpZixpbWFnZS93ZWJwLGltYWdlL2FwbmcsKi8qO3E9MC44LGFwcGxpY2F0aW9uL3NpZ25lZC1leGNoYW5nZTt2PWIzO3E9MC45AAAACgAAABxVcGdyYWRlLUluc2VjdXJlLVJlcXVlc3RzOiAxAAAACgAAABpSZWZlcmVyOiBodHRwczovLzEwMDg2LmNuLwAAAAcAAAAAAAAADQAAAAIAAAAFQU5JRD0AAAACAAAAGV9fU2VjdXJlLTNQQVBJU0lEPW5vc2tpbjsAAAABAAAAIztDT05TRU5UPVlFUytDTi56aC1DTisyMDIxMDkxNy0wOS0wAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAD5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZDsgY2hhcnNldD1VVEYtOAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAMFJlZmVyZXI6IGh0dHBzOi8vc2hvcC4xMDA4Ni5jbi9tYWxsXzEwMF8xMDAuaHRtbAAAAAcAAAAAAAAADQAAAAUAAAAIX19mb3JtaWQAAAAJAAAAFHNyY2hmcm9tPW5SS2p4elpSUnh4AAAACQAAABJmaWVsZG5hbWU9Q3pMdUV4S2wAAAAJAAAAFHNlYXJjaHNvcnRpZD1NYnpTRW5CAAAABwAAAAEAAAANAAAAAgAAACphaWRfPTUyMjAwNTcwNSZhY2N2ZXI9MSZzaG93dHlwZT1lbWJlZCZ1YT0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
30000
port_number
8080
sc_process32
%windir%\syswow64\runonce.exe
sc_process64
%windir%\sysnative\runonce.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCBEy1s0LexKpvJxFPuF4SnuvLLt7qBQQJa6AL1GAgy+dT3Yb76ieLbE9vhHouh2kWI7/PlTGfwLlTpT3zIkwBSAP1Ux8LNsCb7NTwEStKREiLiO29vskZlW8HDpRb6zGejRSjnzWGFohkKnQEfdmLUhQ7wagU1GaVCgFUKH0M00QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.03243264e+08
unknown2
AAAABAAAAAEAAAglAAAAAgAACCUAAAACAAACyAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/ajax/recharge/recharge.json
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
watermark
391144938

Extracted

Family

cobaltstrike

http://192.168.20.15:801/9Ekt

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)

Targets

- Target
  
  12493ec6b59188a080961436130f4cba.exe.vir
- Size
  
  250KB
- MD5
  
  12493ec6b59188a080961436130f4cba
- SHA1
  
  019c2e8f059291c9f9dc2958f8e1815b36e5e0ea
- SHA256
  
  9bfc115e306fd5de28d6392cb4303a9ee41890d6bb27da00d41e7b335eb0b72e
- SHA512
  
  0a270a9b7b3ee2004e6b3560e121047d93b3a8522b25591e2364abce65c4ef7afbdf8a9754220c04af63bafc2d4099ecb1e5f6293c27918b1944d06285316cfd
- SSDEEP
  
  3072:ac+uy5u8vGRlIqw+Xs8GBccgOrc57aOJqq5DYejipqi1fffffffffffffffffffh:ahXxv8le+rAF6st1fv
Score

10^/10

cobaltstrike metasploit 100000000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
behavioral1 behavioral2
- Target
  
  9e7d06f01a6535531b6e098f6dd3eb47.exe.vir
- Size
  
  6.1MB
- MD5
  
  9e7d06f01a6535531b6e098f6dd3eb47
- SHA1
  
  b1389c46288f8674b591f2bbcf41920958e96962
- SHA256
  
  1792595b55a0ccf8aef23354eafb24844581c4f862a514e42f67127738b71f63
- SHA512
  
  ae1bd9c677d62f16dc0191d6693d414188885f43897a1b40475be3ff1d3483f27c1879f897c30743f2519638c81c11e72ebf363deb85c584b852cf5e851dd3bf
- SSDEEP
  
  49152:jpdCnUmxN53Q2rb/T4vO90d7HjmAFd4A64nsfJ60jn1m4tQGYaVDb1U37t+0nWl5:83QuXwsAXEY/+6QII
Score

10^/10

cobaltstrike 391144938 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral3 behavioral4
- Target
  
  c5b25a24f7112f1ee9300986004c45d9.com.vir
- Size
  
  10.5MB
- MD5
  
  c5b25a24f7112f1ee9300986004c45d9
- SHA1
  
  bf725cdd9a3d7d8d288b0b7b99fbc084323793c8
- SHA256
  
  e1dd38c882c54782356b09c4165b6f59ba5f7abd2627c89398635f1d85e841be
- SHA512
  
  c14fc2d8f927144eae4b1d7eebc3372f40044039bdaa4ae726f2aa3d8f6560ca17ff93be2f4a8f548cc2208147a708409e863b2e9e08d73bd70c3b9df73b2f70
- SSDEEP
  
  49152:f97M8Pmta38OzRrb/TmvO90d7HjmAFd4A64nsfJsdjx4PdKEvZFxR+vdRGGjjyh6:r3NiXVAGVjp6TEr7lQHJ/R9IfMvu
Score

1^/10
behavioral5 behavioral6
- Target
  
  ce8bface0c9e56ab96d4bc06b76083aa.exe.vir
- Size
  
  2.7MB
- MD5
  
  ce8bface0c9e56ab96d4bc06b76083aa
- SHA1
  
  67a648847de158f40ac710dfb90a17d2ff49b9a6
- SHA256
  
  635eec28f0b72fb0b6a1542766ec4773559579e37dd7949fa41f57e386c3adfd
- SHA512
  
  57a141fd8fff049dad91458d84755a909bb90ccd8c879ce1928897acada96cc06d5c6e63c6a936c8ac9314734acf4b6d28404f67beb0263c883215eb620dc1f9
- SSDEEP
  
  49152:hRkjGFXsl3Pza68rb/T3vO90d7HjmAFd4A64nsfJjAKhH4+stNms6zo0qYgNCUOG:Ol3PbstNms6zoSGppTOZ
Score

10^/10

cobaltstrike backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral7 behavioral8

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

MetaSploit

Cobaltstrike

Cobaltstrike

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8