cobaltstrike | 139cdb6becf2a2fa239d1f35acfc2db3f913afa6591b87d44b5e9d9b531dfa86

Analysis

max time kernel
156s
max time network
171s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-03-2023 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12493ec6b59188a080961436130f4cba.exe
Size

250KB
MD5

12493ec6b59188a080961436130f4cba
SHA1

019c2e8f059291c9f9dc2958f8e1815b36e5e0ea
SHA256

9bfc115e306fd5de28d6392cb4303a9ee41890d6bb27da00d41e7b335eb0b72e
SHA512

0a270a9b7b3ee2004e6b3560e121047d93b3a8522b25591e2364abce65c4ef7afbdf8a9754220c04af63bafc2d4099ecb1e5f6293c27918b1944d06285316cfd
SSDEEP

3072:ac+uy5u8vGRlIqw+Xs8GBccgOrc57aOJqq5DYejipqi1fffffffffffffffffffh:ahXxv8le+rAF6st1fv

Score

10^/10

cobaltstrike metasploit 100000000 backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://183.60.219.35:80/vue.min.js

Attributes

headers User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0) Host: 360update.360.cn

Extracted

Family

cobaltstrike

Botnet

100000000

http://183.60.219.35:80/api/getit

http://49.79.225.35:80/api/getit

http://111.7.110.35:80/api/getit

http://1.193.146.35:80/api/getit

http://118.112.225.35:80/api/getit

http://118.182.249.49:80/api/getit

http://42.81.98.35:80/api/getit

Attributes

access_type
512
host
183.60.219.35,/api/getit,49.79.225.35,/api/getit,111.7.110.35,/api/getit,1.193.146.35,/api/getit,118.112.225.35,/api/getit,118.182.249.49,/api/getit,42.81.98.35,/api/getit
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
80
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCELS0IwIRLnAAUxymQ8eY7I/IiIHxMk74CKVpbCv/hDhOU/PqGcgnQ1KY2VOq73+kUXpSMjEBlznrj3fUyZzDeuM74QTcyDYkOSOoCryAw0/dSwP7YMDkRlvxgh0flbXIwBybACCqm1Y1PNRCMUQrd+csGRIueGSigF+FRv9uVowIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/api/postit
user_agent
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
watermark
100000000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

C:\Users\Admin\AppData\Local\Temp\12493ec6b59188a080961436130f4cba.exe
"C:\Users\Admin\AppData\Local\Temp\12493ec6b59188a080961436130f4cba.exe"
1⤵
PID:548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/548-54-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/548-55-0x0000000003850000-0x0000000003CC2000-memory.dmp

Filesize
4.4MB

Download
memory/548-56-0x0000000003850000-0x0000000003CC2000-memory.dmp

Filesize
4.4MB

Download
memory/548-57-0x0000000003450000-0x00000000035A6000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads