cobaltstrike

General

Target

Desktop.rar
Size

15.7MB
Sample

230329-rv6mnagf95
MD5

4647934c79c86c1bdc643a6af0c348b8
SHA1

ebeae1c2936e20b4e26000dbe0392b53b38e5005
SHA256

9a55a663051c0fa0834a6197322a80713b285eacb6d0181328733340e8c467bc
SHA512

396cf8bff06e96e60043832cd44b3fdbde960346cabc545faccd5b97b497b950f2ba952ed28f57291ffacc8b1bf1062d3993e822b0b56b4ca66996abbef05cf1
SSDEEP

393216:lUIfZTiu/u47R0nGW3Jd+uEcUOqBl9xIaYkl7:lfxiCu47mnlJd+9cUdx3j9

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

C2

http://www.teamcolors.xyz:443/common-1.8.0.min.js

http://192.168.179.128:80/ciGJ

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: www.teamcolors.xyz Accept-Encoding: gzip, deflate User-Agent: Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://www.teamcolors.xyz:443/common-1.8.1.min.js

Attributes

access_type
512
beacon_type
2048
host
www.teamcolors.xyz,/common-1.8.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAYSG9zdDogd3d3LnRlYW1jb2xvcnMueHl6AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAA0AAAACAAAACV9fY2ZkdWlkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAYSG9zdDogd3d3LnRlYW1jb2xvcnMueHl6AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAA8AAAANAAAABQAAAAhfX2NmZHVpZAAAAAcAAAABAAAADwAAAA0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCEFs7Cw2l72lQp/AU6vktMwZ2l6qvEa8HBynRbDw4z6BSkN1g9QRl/iT+Ej2R8r6weEJK/XjnucHPUBzKLZx6dbb3olGQlHjdnloi0+ZYhzGraCVl7ylhg0HB8UMyQUHQRInVGc3QFF5GVPAsDrRVG4m4DU7mZlNCzzGOBtbprqwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/common-1.8.2.min.js
user_agent
Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)
watermark
100000000

Targets

- Target
  
  26b961216d79f3e13ec3293d14803f63.exe.vir
- Size
  
  7.2MB
- MD5
  
  26b961216d79f3e13ec3293d14803f63
- SHA1
  
  4a66ef8df86737c73ac850579c7c1fcce6da0658
- SHA256
  
  13a2b8c0ad30490dcebe5c87f99dec68a5eeeea01d125819dc95f8197adfe1dc
- SHA512
  
  ce621f26a65e259fcaf40e6caab9ee16cea3a688728818f2825cd3a7c6c34604b5344affbfc88f669f2bd19d1372da0be8a6c5a570eb34a1671be2cc91edeb41
- SSDEEP
  
  196608:mnLaAXlwV5UuWJysVYvsO5+DIEVFKgd7aEO4o0Ncm:axl8WJO+DIEBd7Jg0Om
Score

10^/10

cobaltstrike 100000000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  d1c692cf0614c4e0a688cd3e87b78d12.exe.vir
- Size
  
  9.0MB
- MD5
  
  d1c692cf0614c4e0a688cd3e87b78d12
- SHA1
  
  65756ca25f579f8c9896144d6315f590113a3927
- SHA256
  
  0a85b3109591406eb3f28ad604c8ca099a141612d51583a05757a41a894ec4e0
- SHA512
  
  ea5592fd011ebea66e7e0b7446e4006576106d1e8af571771e577e2a9e8854dcd9d7bfe2317383a6fd94372e770dd1671f87372d9598a3bdc8ee9437139dbb27
- SSDEEP
  
  196608:XpwZC6c45SyY+GOe42yOmL2Vmd6+Dfc/f/+SmpsEVRadR+yDp:5+nSyY+k4tOmL2Vmd6mfc/ebpnRiBp
Score

10^/10

cobaltstrike backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Loads dropped DLL
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Loads dropped DLL

Cobaltstrike

Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4