cobaltstrike | 159777d6f03d56a5d1b6f8354347a44dea84be9f85b7ceb527b54f955922d461

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2023 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

111.exe
Size

398KB
MD5

606cdd3473606ff8fc2d16deea362c36
SHA1

307ac70d2420e71a4ac41f58894a2cac09cef8d7
SHA256

159777d6f03d56a5d1b6f8354347a44dea84be9f85b7ceb527b54f955922d461
SHA512

6296607550137dcc9b10da1822e272e1ebc313c3cc4e4743dd44abc817aa37c2ad4c40e9c1f03cee4938f5313dfb96f48195125496b11ae8d9334e8fe8ce9bc0
SSDEEP

6144:srBCf66A7WpXku3S75A8oS8lMSDkXcJJJ655ZZoMTuk76H2nqbc3rmv4s68dTlci:sc66A7UUu325A/AeGqbc3JcEPRsO4

Score

10^/10

cobaltstrike 0 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

http://47.111.135.21:27001/j.ad

Attributes

access_type
512
beacon_type
2048
host
47.111.135.21,/j.ad
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
27001
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tPKs8MV4yIjJb5CtlrbKHjzP1oD/1AQsj6EKlEMFIKtakLx5+VybrMYE+dDdkDteHmVX0AeFyw001FyQVlt1B+OSNPRscKI5sh1L/ZdwnrMy6S6nNbQ5N5hls6k2kgNO5nQ7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0; Touch)
watermark
305419896

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

111.exe

description	pid	process	target process
PID 2000 wrote to memory of 3504	2000	111.exe	notepad.exe
PID 2000 wrote to memory of 3504	2000	111.exe	notepad.exe
PID 2000 wrote to memory of 3504	2000	111.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\111.exe
"C:\Users\Admin\AppData\Local\Temp\111.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000

\??\c:\windows\notepad.exe
c:\windows\notepad.exe
2⤵
PID:3504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2000-133-0x00007FF693550000-0x00007FF6935AB000-memory.dmp

Filesize
364KB

Download
memory/3504-134-0x0000023F41470000-0x0000023F41870000-memory.dmp

Filesize
4.0MB

Download
memory/3504-135-0x0000023F41870000-0x0000023F418BC000-memory.dmp

Filesize
304KB

Download
memory/3504-136-0x0000023F41870000-0x0000023F418BC000-memory.dmp

Filesize
304KB

Download