cobaltstrike | 05c3f104d8553b0569df5a34242403bd2738f94433daa52fd52eaaeea57dde03

Analysis

max time kernel
141s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.exe
Size

278KB
MD5

39b9b77f950a56b61419c2550c0ee2cf
SHA1

f33b06ec6583025ff1e982bd4b6854fc08785d99
SHA256

05c3f104d8553b0569df5a34242403bd2738f94433daa52fd52eaaeea57dde03
SHA512

204ca9e4112f759d585a2141b8e0ea622b2d392264c0c1b9b83ad3da746480dc3dc89b5c79c0d1be0b6a9c025762ddcf15a17024d02b65cdc8423c356486e74f
SSDEEP

6144:4+gNabwK8yIuE0fVAqc+07zBF7zBSXFsj7dLetJw48:casKrJE0fVy+4BVBSXTJw48

Score

10^/10

cobaltstrike metasploit 100000 backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://47.99.151.68:5555/Eqo7

Attributes

headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)

Extracted

Family

cobaltstrike

Botnet

100000

http://47.99.151.68:5555/ptj

Attributes

access_type
512
host
47.99.151.68,/ptj
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
5555
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQClGo2bSqP37m+rcy5v61n5jiUJtep80WB1Adw9+C/q4NCplcnzU2rzPH9jokT2yE8lcscR7LhmBw/usYojG9UQhr+I+GRoQRdAbar+GtsnlRfnCqJYszfsgsCPdRRf94Qk+2k9I8j2xEHtYJhl/ZtUBMX2G0bLHNFgWoY+TfpvEQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MDDCJS)
watermark
100000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

main.exe

description pid process

Token: SeDebugPrivilege 2612 main.exe

description	pid	process
Token: SeDebugPrivilege	2612	main.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

main.execsc.execsc.exe

description	pid	process	target process
PID 2612 wrote to memory of 4220	2612	main.exe	csc.exe
PID 2612 wrote to memory of 4220	2612	main.exe	csc.exe
PID 2612 wrote to memory of 4220	2612	main.exe	csc.exe
PID 4220 wrote to memory of 1612	4220	csc.exe	cvtres.exe
PID 4220 wrote to memory of 1612	4220	csc.exe	cvtres.exe
PID 4220 wrote to memory of 1612	4220	csc.exe	cvtres.exe
PID 2612 wrote to memory of 212	2612	main.exe	csc.exe
PID 2612 wrote to memory of 212	2612	main.exe	csc.exe
PID 2612 wrote to memory of 212	2612	main.exe	csc.exe
PID 212 wrote to memory of 2492	212	csc.exe	cvtres.exe
PID 212 wrote to memory of 2492	212	csc.exe	cvtres.exe
PID 212 wrote to memory of 2492	212	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xfhutqbn\xfhutqbn.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7871.tmp" "c:\Users\Admin\AppData\Local\Temp\xfhutqbn\CSC59DE60E49AF04004A3DB5A70CFFC116.TMP"
3⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2hl1jihs\2hl1jihs.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES807F.tmp" "c:\Users\Admin\AppData\Local\Temp\2hl1jihs\CSCB19225182C9F4305BB4735B9441C2A19.TMP"
3⤵
PID:2492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2hl1jihs\2hl1jihs.dll
Filesize
3KB

MD5
621a4e6dc03924cefc86288126ae675a

SHA1
6b15e5569b610cc2d8e8ddc64edbadf1260cd4a7

SHA256
f1e0edcceafecebcba264e8d4c02bf44535254b433e0e2e144f928db224ec8de

SHA512
28446a16552722c3cef57091e60ee1b22b1c0d370bf5b576a6fb5cefac771681ee2770cc3197a97fd8fb74e1a82f7a364082830cd9eb032bd8d9acb3f165fda3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7871.tmp
Filesize
1KB

MD5
a3032210c410edc6b2895f503d7028ec

SHA1
a4164fa47bf115591ea60aeed7d49d5c8998d7e4

SHA256
fa29173cc2bfe7acd99434edd2df17a97ba9073c75b49808e98a24269773dd99

SHA512
036ab8e72f2b02a193c931e461b6d0581c275917087f3cad7d8bc3c2bded7108ed4779f90c98a49c51d3696be6d2c2f321f3f16f1269b268fe5036177215be05

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES807F.tmp
Filesize
1KB

MD5
be84f513701df83b9bdf8a067d67c22c

SHA1
ee37ec25c29b18b0548cd5851d33043f90fa70f9

SHA256
a4b525de9a36a785cd4fbb6b6e08bcd8b29c02e52d388f15cd329d82e849e348

SHA512
c1f93967ffd2bc7cd236a4324b63090ffd3b8ff965101763faa9c33485262e3cc14d27b8a188dd1c310151311b714f175b727d3b22a493a9f7c8cc16b6d96e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfhutqbn\xfhutqbn.dll
Filesize
3KB

MD5
2aa701e731d407b2e2c3877c601f6663

SHA1
f08735711609e7d32a4ed2ceedb428dbd8790f88

SHA256
a7c9e66bf4b7d454586565e055913c248b77ef29666b00636ba1d7a3e05dc9ab

SHA512
50b3991d03db783a8deffe53ad6312ebcd440481fcd3ca09a2fa072e041f21c0f6e2fdd8e221bc44f5ee2eb71fc6c8a88cf7db5f7df6f1d0932cdce7d39c72f6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2hl1jihs\2hl1jihs.0.cs
Filesize
662B

MD5
e120a7f9ead5997e311f68b52dbd2fea

SHA1
7709193f527f62c833aaac70a95e26745574cf2c

SHA256
77f89e8d3e93de832f8a03e36a7883d096330ec8cb12a874339537cdf41def1c

SHA512
4eb92618b176b12af6f417ff44895a71d4663755afd99448cc4384d29f54752817e1d7f82db8023265c5fd9c29fe8aa3216936b0fc2de0d2d5fc316a702c38e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2hl1jihs\2hl1jihs.cmdline
Filesize
214B

MD5
7a0830a373e355cf59778b23da06de5f

SHA1
41d3778f7c592f4f6779b15abfb7aa0399bee377

SHA256
24d38233069a5c146aa498fc2dac834293d409144fea8532dda97a7a9d977e30

SHA512
0868f3fe756af2ed14d416d96893c705b8dbcb9767db7da731cbe331171dc5eb80dbc3e3956519360c698395c7f22b1aa1d9271ad0c90fbe04d5d8a243df02ab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2hl1jihs\CSCB19225182C9F4305BB4735B9441C2A19.TMP
Filesize
652B

MD5
f8b377d68d711c1f13529aa0008f1079

SHA1
cc8c8d26117ac13758a8f2ad3b08dc77cd827331

SHA256
733d42c79d63c53e2533204d4600c6fdcd29434e1ab03fb6b988fa985f8f5fac

SHA512
cc2c5b0e6e46a1f92701a4a4b8680502ebe446c5d64c5a6eae8fc0c52029608cbdd56b9f3a9b5e9663aa01aa1ec4258b1fd96342123e711bc9660e2308e3b4f0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xfhutqbn\CSC59DE60E49AF04004A3DB5A70CFFC116.TMP
Filesize
652B

MD5
fd0b4b33712a618ea22b528cce9ce426

SHA1
f6c83f1ad43ee3bcdd91472997b2291bc7414b34

SHA256
4d6feb0700ad0922a5bd300473392a15675b71e4b02aa0c04c1431780436415c

SHA512
a90e2f20083ef4ed35926107ded3161b3157cf2e26188867edd888d704a7e0af49d64d7fc4b44c5ebde5fa83add84c54c0fc1183c2eecd46dc0647ac5fd5cb7e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xfhutqbn\xfhutqbn.0.cs
Filesize
595B

MD5
63df9e1bfaec1dcccd9e5792db223149

SHA1
a5735e57ce42e22ae519c95027e016d75d0ad2a9

SHA256
93b412153346dd89989ead78cf85039a2b9b81203e887daec875dcd8b307c7d7

SHA512
255773f57a4d8a1bdd3198c03002154cd2297bb95054c6ca0c621f0a2a7ab9d74b0c12575f0eb66d524fae0581587a19377266dcd5ad09ecd8077098b1066c18

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xfhutqbn\xfhutqbn.cmdline
Filesize
184B

MD5
d16983b7edcc7fa0be994b0a1560c8a0

SHA1
6a2f30935a9996c0143b8ea395e5cd3d1f9e0d35

SHA256
a9a0d1386e0415c888b33928422e98f6392892cf7b55c2a01ac5084947c19287

SHA512
399b5d2b78a30bdb03de4913e1080fb5847d205368288d6278c3cc1290e39893ffb3130da1264a0a63a8af9d94ad0030becc710c89782c018b984d940bb11d56

Download Submit
memory/2612-164-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/2612-166-0x0000000006A10000-0x0000000006E10000-memory.dmp

Filesize
4.0MB

Download
memory/2612-133-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/2612-149-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/2612-134-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/2612-148-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/2612-165-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2612-150-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/2612-167-0x0000000006E10000-0x0000000006E4E000-memory.dmp

Filesize
248KB

Download
memory/2612-169-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/2612-168-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/2612-170-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/2612-171-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/2612-172-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download