cobaltstrike | 67707bb321d85362d9bc07770702cc1f9f64e6a9ba119c65abe1ed4e3f6627d8

General

Target

tmp.exe
Size

645KB
MD5

779169ff3933adcd80e0dda02d5143af
SHA1

6e0c8081be19df6e6c10e18167d990ccda8ed8aa
SHA256

67707bb321d85362d9bc07770702cc1f9f64e6a9ba119c65abe1ed4e3f6627d8
SHA512

e5fc8d887deefc3de410badf7639c6498a96f20da3ebf3e67a96459713d77faf11531014764ef8027b82cf12a09e08b542464b645cb029ac3339b7c7759df12a
SSDEEP

12288:7nbsfvqgTnOOUWe1Z6YiEiK6jb8czDFvEa5RK2AosNfnnzHX8d:o1TNUj1mR

Score

10^/10

cobaltstrike metasploit 0 backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://62.204.41.45:1599/feGJ

Attributes

headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM)

Extracted

Family

cobaltstrike

Botnet

0

C2

http://62.204.41.45:1599/en_US/all.js

Attributes

access_type
512
host
62.204.41.45,/en_US/all.js
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
1599
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 1696 set thread context of 468 1696 tmp.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RegSvcs.exe

pid process

468 RegSvcs.exe

description	pid	process	target process
PID 1696 set thread context of 468	1696	tmp.exe	RegSvcs.exe

pid	process
468	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

tmp.exeRegSvcs.exe

description	pid	process	target process
PID 1696 wrote to memory of 468	1696	tmp.exe	RegSvcs.exe
PID 1696 wrote to memory of 468	1696	tmp.exe	RegSvcs.exe
PID 1696 wrote to memory of 468	1696	tmp.exe	RegSvcs.exe
PID 1696 wrote to memory of 468	1696	tmp.exe	RegSvcs.exe
PID 1696 wrote to memory of 468	1696	tmp.exe	RegSvcs.exe
PID 1696 wrote to memory of 468	1696	tmp.exe	RegSvcs.exe
PID 1696 wrote to memory of 468	1696	tmp.exe	RegSvcs.exe
PID 1696 wrote to memory of 468	1696	tmp.exe	RegSvcs.exe
PID 1696 wrote to memory of 468	1696	tmp.exe	RegSvcs.exe
PID 1696 wrote to memory of 468	1696	tmp.exe	RegSvcs.exe
PID 1696 wrote to memory of 468	1696	tmp.exe	RegSvcs.exe
PID 1696 wrote to memory of 468	1696	tmp.exe	RegSvcs.exe
PID 1696 wrote to memory of 468	1696	tmp.exe	RegSvcs.exe
PID 1696 wrote to memory of 468	1696	tmp.exe	RegSvcs.exe
PID 1696 wrote to memory of 468	1696	tmp.exe	RegSvcs.exe
PID 468 wrote to memory of 1252	468	RegSvcs.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/468-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/468-76-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/468-66-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/468-84-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/468-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/468-80-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/468-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/468-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/468-62-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/468-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/468-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/468-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/468-83-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/468-79-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/468-75-0x0000000003A60000-0x0000000003E60000-memory.dmp

Filesize
4.0MB

Download
memory/468-70-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/468-71-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/468-73-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1252-77-0x0000000002AE0000-0x0000000002AF5000-memory.dmp

Filesize
84KB

Download
memory/1252-78-0x0000000002AE0000-0x0000000002AF5000-memory.dmp

Filesize
84KB

Download
memory/1252-82-0x0000000002B00000-0x0000000002B19000-memory.dmp

Filesize
100KB

Download
memory/1252-81-0x0000000002B00000-0x0000000002B19000-memory.dmp

Filesize
100KB

Download
memory/1696-54-0x0000000000D60000-0x0000000000E06000-memory.dmp

Filesize
664KB

Download
memory/1696-55-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/1696-59-0x0000000000720000-0x000000000072A000-memory.dmp

Filesize
40KB

Download
memory/1696-58-0x0000000004250000-0x00000000042B0000-memory.dmp

Filesize
384KB

Download
memory/1696-57-0x00000000005F0000-0x0000000000630000-memory.dmp

Filesize
256KB

Download
memory/1696-56-0x00000000005F0000-0x0000000000630000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads