cobaltstrike

General

Target

cs.ps1
Size

224KB
Sample

230403-1w8yvahb4v
MD5

fe23dd4aca8501992dc0bf752173fec5
SHA1

0b89835536671fd7c983e88547dedca313aff065
SHA256

5c3fc55388967216e5eda977151f0f85c5456124c4e98b08b0bafd83f4d023ff
SHA512

0e0324217e479f6c0373575ac3695e4aa083b87bef4eb3003ba41f03ec076ccf68b047788162c268ff3bcf74f4b027ce97df4ccd56a20cf5a0748eb2754255a0
SSDEEP

6144:qQKKwu8nhXHwYc7QgPj1LSaF1Pl+qtT4i8z9Bv2E0T:qKwdFS7QEX1d+q94PsEi

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://159.65.62.10:443/rs.js

Attributes

access_type
512
beacon_type
2048
host
159.65.62.10,/rs.js
http_header1
AAAAEAAAABBIb3N0OiBnb29nbGUuY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAASQWNjZXB0OiBpbWFnZS9qcGVnAAAACgAAABZBY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTAAAABwAAAAAAAAALAAAAAwAAAAIAAAAMcmVnX2ZiX2dhdGU9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAABBIb3N0OiBnb29nbGUuY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi1VUwAAAAoAAAAvQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQAAAAHAAAAAQAAAAMAAAADAAAAAgAAAAhpbnZvaWNlPQAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
10496
polling_time
60964
port_number
443
sc_process32
%windir%\syswow64\regsvr32.exe
sc_process64
%windir%\sysnative\regsvr32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCA8mnkk8UmUDunpetKUKs43ZhEnX4qr4SaxEMjNs6lBAJtrtkRAO5++OvmT0XevR2LTRQVlkEtqxxrx5GYrEgEg4Vejhv8ys8UuoxA2U4pt1OQdzB+VSg9RVgYiaZ0PVZ8KEPrTBohxRIRZRZvo2/TSo1lZGdaAKB36IfG/jMuXQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.445101824e+09
unknown2
AAAABAAAAAIAAANxAAAAAwAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/link
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
watermark
100000

Targets

- Target
  
  cs.ps1
- Size
  
  224KB
- MD5
  
  fe23dd4aca8501992dc0bf752173fec5
- SHA1
  
  0b89835536671fd7c983e88547dedca313aff065
- SHA256
  
  5c3fc55388967216e5eda977151f0f85c5456124c4e98b08b0bafd83f4d023ff
- SHA512
  
  0e0324217e479f6c0373575ac3695e4aa083b87bef4eb3003ba41f03ec076ccf68b047788162c268ff3bcf74f4b027ce97df4ccd56a20cf5a0748eb2754255a0
- SSDEEP
  
  6144:qQKKwu8nhXHwYc7QgPj1LSaF1Pl+qtT4i8z9Bv2E0T:qKwdFS7QEX1d+q94PsEi
Score

10^/10

cobaltstrike 100000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Blocklisted process makes network request
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Blocklisted process makes network request

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2