cobaltstrike | 17ab123e35e0532b63a09c89db6d57ad19b17488f2211f6e6e2fcc3f091b90f2

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-03-2023 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vx.exe
Size

385KB
MD5

0483d8bc0a1258011f297d1984f040c7
SHA1

fe2ed57c265d6e99eeba2118e500765354afdcff
SHA256

17ab123e35e0532b63a09c89db6d57ad19b17488f2211f6e6e2fcc3f091b90f2
SHA512

5d7ddc1a9a4a760c3b19387c7a1c8a898093b55ff52b095d1b9c5db0d043375cad79e804b82f1d7375c17190f054f357d4e62224e30b1dc263161b84168a926f
SSDEEP

3072:0orV6p1eJaaPASzaq/13Ja27/7qUF7+3WiXhNivSJFIjHr2oXcWcHDNVRMyObobL:R6WaafB7/OUtiXhNoSJ2GFWeNDw0Ou1

Score

10^/10

cobaltstrike 666666 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

666666

http://124.223.3.43:8044/_/scs/mail-static/_/js/

Attributes

access_type
512
host
124.223.3.43,/_/scs/mail-static/_/js/
http_header1
AAAABwAAAAAAAAADAAAAAgAAAAVPU0lEPQAAAAYAAAAGQ29va2llAAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAACgAAAAZETlQ6IDEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACQAAAA11aT1kMzI0NGM0NzA3AAAACQAAAAtob3A9NjkyODYzMgAAAAkAAAAHc3RhcnQ9MAAAAAoAAAA9Q29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQ7Y2hhcnNldD11dGYtOAAAAAcAAAAAAAAAAwAAAAIAAAAFT1NJRD0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
3840
polling_time
60000
port_number
8044
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcG2kqoSw8E9T8Cl9ycqidjuKPzv5EblAlDcEXeYDWavhJj4c7w1gqyJNT4v8+gowa/baCxxAWamdmIMA24OZv3FI2ei/sDD9Pklhapa7P3cremdIeGotOLoscwepsVXG+NOEZ0tVsC0hKGMHwk9Qz/2KKMCVG005Im2muwaj5WQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
5.37071616e+08
unknown2
AAAABAAAAAEAAAF3AAAAAQAAAPoAAAACAAAABAAAAAIAAAAcAAAAAgAAACQAAAACAAAAEgAAAAIAAAAEAAAAAgAAABwAAAACAAAAJAAAAAIAAAARAAAAAgAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/mail/u/0/
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET4.0C)
watermark
666666

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

vx.exe

description	pid	process	target process
PID 1732 wrote to memory of 900	1732	vx.exe	cmd.exe
PID 1732 wrote to memory of 900	1732	vx.exe	cmd.exe
PID 1732 wrote to memory of 900	1732	vx.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\vx.exe
"C:\Users\Admin\AppData\Local\Temp\vx.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\R8QDM0EXOA2EYF7R36BEA.tmp
2⤵
PID:900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\R8QDM0EXOA2EYF7R36BEA.tmp
Filesize
259KB

MD5
fb2e1f5b1fb0d27c73ad588f53e8760c

SHA1
2f74ac46bdac425e6434060cefb90d83d3711668

SHA256
a5fa5e0b3e8cddcc93588c56f1e08f94c17ac2736be6c7f16fb762ac03ce5ce6

SHA512
2f1ca8c5fe0457a5f7058040fb87b42f8f758ecbc593f2a89ef709282268d2cdc9ade6650e26a1f85bb8072cc9a47ab351f2029537eccf40dcdedf6aa1339496

Download Submit
memory/1732-59-0x0000000001D40000-0x0000000001D81000-memory.dmp

Filesize
260KB

Download
memory/1732-60-0x0000000002350000-0x000000000239F000-memory.dmp

Filesize
316KB

Download
memory/1732-61-0x0000000002350000-0x000000000239F000-memory.dmp

Filesize
316KB

Download