cobaltstrike | 4ae8030b8c73dcfa41ce2b2bd78fd29369027eebcab58d20cbd95b904b19d8d5 | Triage

Sharing

General

Target

artifact.exe
Size

14KB
Sample

230528-f4x64aeg7v
MD5

fba508c9bfff2ed07fa1ef7d622d9c77
SHA1

60f1d95d309161d95def4915a316c6b9e0aeeda1
SHA256

4ae8030b8c73dcfa41ce2b2bd78fd29369027eebcab58d20cbd95b904b19d8d5
SHA512

8a73c946c9bd1147a94d76f42f08e3555bdc89a76ccfb52edd52a86fd4e0f3d1d5785ec655fb340cd3608fdda34a9a8a8fc7769233d932c6bfb5baafcf4876e1
SSDEEP

192:kHCugRK83SxHn2OQ/dmBI4KBPwgir+xzRCvobqUqV/Qjo7AGa:ICxRKqbOCdWIVBPk+xzR/fCXAn

Score

10^/10

cobaltstrike metasploit 305419896 backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://0.tcp.jp.ngrok.io:12337/FFdl

Attributes

headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ESES)

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://0.tcp.jp.ngrok.io:12337/ga.js

Attributes

access_type
512
host
0.tcp.jp.ngrok.io,/ga.js
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
12337
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTUlJ7J79z/MkkV8+MsYlOvREE2hhdGNzrKPFZ10lY0K5legA+um5JxESEaC0woDgSmOGrkh1giz/aQwd6tG4mihFgpi0oIbfwu6XZbE6ghYGyu2F7+A5TifRUzvU0YLXjK78EW12XhjHx4KopMF/AtOAueGwfiI2DmXwNzrBDvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; InfoPath.2)
watermark
305419896

Targets

- Target
  
  artifact.exe
- Size
  
  14KB
- MD5
  
  fba508c9bfff2ed07fa1ef7d622d9c77
- SHA1
  
  60f1d95d309161d95def4915a316c6b9e0aeeda1
- SHA256
  
  4ae8030b8c73dcfa41ce2b2bd78fd29369027eebcab58d20cbd95b904b19d8d5
- SHA512
  
  8a73c946c9bd1147a94d76f42f08e3555bdc89a76ccfb52edd52a86fd4e0f3d1d5785ec655fb340cd3608fdda34a9a8a8fc7769233d932c6bfb5baafcf4876e1
- SSDEEP
  
  192:kHCugRK83SxHn2OQ/dmBI4KBPwgir+xzRCvobqUqV/Qjo7AGa:ICxRKqbOCdWIVBPk+xzR/fCXAn
Score

10^/10

cobaltstrike metasploit 305419896 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

cobaltstrikemetasploit305419896backdoortrojan