General

  • Target

    Novo Documento de Texto.txt

  • Size

    2KB

  • Sample

    230405-vfmg1sgb45

  • MD5

    e5d034552759bd4037a70b5feee1da62

  • SHA1

    f83de566a87e80cac8a341b5f940d35e850db3bd

  • SHA256

    816a3190974e97c934dc216fa45c0586c50e49484399110342244ab5b617abe4

  • SHA512

    4c6e27e43d398a61f2278c4ee80e8fb94fc730b8df6b072cd7e90a144dd6730a66e1edf6405f75d04d7cc719b25bf499e7cdb8a2098ae57e30410c4284e7642f

Malware Config

Extracted

Family

cobaltstrike

C2

http://195.123.241.193:80/interpret/ct/YXNNJEPFEK8

Attributes
  • user_agent

    Accept: application/json, application/xhtml+xml, application/xml Accept-Language: fr-ca Accept-Encoding: *, br User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Extracted

Family

cobaltstrike

Botnet

391144938

C2

http://195.123.241.193:80/study/v9.24/F6J9IA6H

Attributes
  • access_type

    512

  • host

    195.123.241.193,/study/v9.24/F6J9IA6H

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    10496

  • polling_time

    5000

  • port_number

    80

  • sc_process32

    %windir%\syswow64\w32tm.exe

  • sc_process64

    %windir%\sysnative\Locator.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaocmOMmJuFkYoayAIfroEt1z9ziv66pGDDglVGIwoG4T7Cyvw4iLmRfS80OwkwbfSPJ5sypACc42pwhjqPQiCP7z5Zsk0RePmmVqpDq1+pxQ/VI7wEMGKBVKjWz3WCLPYbdPm3Z1VlObaqjFY4zGnsi/HmGR4eon7BqFNevBRPwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    8.72947712e+08

  • unknown2

    AAAABAAAAAEAAAOOAAAAAgAABJ4AAAALAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /Update/v10.7/G5BOA7UF

  • user_agent

    Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

  • watermark

    391144938

Targets

    • Target

      Novo Documento de Texto.txt

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Blocklisted process makes network request

MITRE ATT&CK Matrix

Tasks