cobaltstrike

General

Target

245f38b4b8a25754bf6e630f8e2acf59.ps1
Size

280KB
Sample

230409-a8mm9sgb64
MD5

25da2ffacd07ebf65a6b822026dc376a
SHA1

b3823cc7dd589652b08ea661ce7e0fca14a4e09d
SHA256

485263958f6879d443576f50cf7e10e48e8c05b2826ee175d28244f1aba991a4
SHA512

36360c3a0739b283b41b41c0e45b83987e70e819cfa0d2e67775f7a062f387cfcba47f5280200a7968504ab90a0fcc3d79547b4212964f40b6956fb6a4a6e99e
SSDEEP

6144:gnHrLhifxGFbvmUoNwVn2rf/I3U5LWNZeT8rLgC5616A:gnhGxGV4NLfw3U5sGIBA

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

206546002

C2

http://88.216.210.27:80/design/query/9X5M3SOE0F

Attributes

access_type
512
host
88.216.210.27,/design/query/9X5M3SOE0F
http_header1
AAAACgAAADhBY2NlcHQ6IGFwcGxpY2F0aW9uL3hodG1sK3htbCwgYXBwbGljYXRpb24vanNvbiwgaW1hZ2UvKgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlcy1kbwAAAAoAAAAcQWNjZXB0LUVuY29kaW5nOiAqLCBpZGVudGl0eQAAAAcAAAAAAAAADwAAAA0AAAACAAAABl9XR2lkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAADdBY2NlcHQ6IGltYWdlLyosIGFwcGxpY2F0aW9uL3htbCwgYXBwbGljYXRpb24veGh0bWwreG1sAAAACgAAABNBY2NlcHQtTGFuZ3VhZ2U6IGx2AAAACgAAAB1BY2NlcHQtRW5jb2Rpbmc6IGlkZW50aXR5LCBicgAAAAcAAAAAAAAADwAAAAgAAAAFAAAACV9TVUpQTVdUWgAAAAcAAAABAAAADwAAAA0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
8960
polling_time
93780
port_number
80
sc_process32
%windir%\syswow64\DevicePairingWizard.exe
sc_process64
%windir%\sysnative\DevicePairingWizard.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCN5UAJbAA83lOuZlkNoqHDAdV1F7OJnqUiF3kD6mwuXzJzVpu9+f4l/QIUotuiQA+vvxdM3q/XGu77WogAe90LRUknEdoD6YnU32G/ts9dbSwG6HySt7cLn5B3FsomLWjBbssH9e31TihCUvZbK6PRzmLW4SBgZigBWLXZgu7+SwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
8.72947712e+08
unknown2
AAAABAAAAAEAAAOOAAAAAgAABJ4AAAALAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/run/redirect/QD77MO6RQ
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.1805 Safari/537.36 MVisionPlayer/1.0.0.0
watermark
206546002

Targets

- Target
  
  245f38b4b8a25754bf6e630f8e2acf59.ps1
- Size
  
  280KB
- MD5
  
  25da2ffacd07ebf65a6b822026dc376a
- SHA1
  
  b3823cc7dd589652b08ea661ce7e0fca14a4e09d
- SHA256
  
  485263958f6879d443576f50cf7e10e48e8c05b2826ee175d28244f1aba991a4
- SHA512
  
  36360c3a0739b283b41b41c0e45b83987e70e819cfa0d2e67775f7a062f387cfcba47f5280200a7968504ab90a0fcc3d79547b4212964f40b6956fb6a4a6e99e
- SSDEEP
  
  6144:gnHrLhifxGFbvmUoNwVn2rf/I3U5LWNZeT8rLgC5616A:gnhGxGV4NLfw3U5sGIBA
Score

10^/10

cobaltstrike 206546002 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Blocklisted process makes network request
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Blocklisted process makes network request

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2