cobaltstrike | 5c3fc55388967216e5eda977151f0f85c5456124c4e98b08b0bafd83f4d023ff

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2023 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cs.ps1
Size

224KB
MD5

fe23dd4aca8501992dc0bf752173fec5
SHA1

0b89835536671fd7c983e88547dedca313aff065
SHA256

5c3fc55388967216e5eda977151f0f85c5456124c4e98b08b0bafd83f4d023ff
SHA512

0e0324217e479f6c0373575ac3695e4aa083b87bef4eb3003ba41f03ec076ccf68b047788162c268ff3bcf74f4b027ce97df4ccd56a20cf5a0748eb2754255a0
SSDEEP

6144:qQKKwu8nhXHwYc7QgPj1LSaF1Pl+qtT4i8z9Bv2E0T:qKwdFS7QEX1d+q94PsEi

Score

10^/10

cobaltstrike 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

http://159.65.62.10:443/rs.js

Attributes

access_type
512
beacon_type
2048
host
159.65.62.10,/rs.js
http_header1
AAAAEAAAABBIb3N0OiBnb29nbGUuY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAASQWNjZXB0OiBpbWFnZS9qcGVnAAAACgAAABZBY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTAAAABwAAAAAAAAALAAAAAwAAAAIAAAAMcmVnX2ZiX2dhdGU9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAABBIb3N0OiBnb29nbGUuY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi1VUwAAAAoAAAAvQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQAAAAHAAAAAQAAAAMAAAADAAAAAgAAAAhpbnZvaWNlPQAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
10496
polling_time
60964
port_number
443
sc_process32
%windir%\syswow64\regsvr32.exe
sc_process64
%windir%\sysnative\regsvr32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCA8mnkk8UmUDunpetKUKs43ZhEnX4qr4SaxEMjNs6lBAJtrtkRAO5++OvmT0XevR2LTRQVlkEtqxxrx5GYrEgEg4Vejhv8ys8UuoxA2U4pt1OQdzB+VSg9RVgYiaZ0PVZ8KEPrTBohxRIRZRZvo2/TSo1lZGdaAKB36IfG/jMuXQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.445101824e+09
unknown2
AAAABAAAAAIAAANxAAAAAwAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/link
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
watermark
100000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

3 4920 powershell.exe
34 4920 powershell.exe
47 4920 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4920 powershell.exe
4920 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4920 powershell.exe

flow	pid	process
3	4920	powershell.exe
34	4920	powershell.exe
47	4920	powershell.exe

pid	process
4920	powershell.exe
4920	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4920	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cs.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jmawtr0z.mnv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4920-142-0x00000250F77E0000-0x00000250F7802000-memory.dmp

Filesize
136KB

Download
memory/4920-144-0x00000250F6BF0000-0x00000250F6C00000-memory.dmp

Filesize
64KB

Download
memory/4920-143-0x00000250F6BF0000-0x00000250F6C00000-memory.dmp

Filesize
64KB

Download
memory/4920-145-0x00000250F6BF0000-0x00000250F6C00000-memory.dmp

Filesize
64KB

Download
memory/4920-146-0x00000250F83D0000-0x00000250F8453000-memory.dmp

Filesize
524KB

Download
memory/4920-147-0x00000250F8380000-0x00000250F83C1000-memory.dmp

Filesize
260KB

Download
memory/4920-148-0x00000250F6BF0000-0x00000250F6C00000-memory.dmp

Filesize
64KB

Download
memory/4920-149-0x00000250F6BF0000-0x00000250F6C00000-memory.dmp

Filesize
64KB

Download
memory/4920-150-0x00000250F6BF0000-0x00000250F6C00000-memory.dmp

Filesize
64KB

Download
memory/4920-151-0x00000250F8380000-0x00000250F83C1000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads