cobaltstrike | 4ae8030b8c73dcfa41ce2b2bd78fd29369027eebcab58d20cbd95b904b19d8d5

General

Target

artifact.exe
Size

14KB
MD5

fba508c9bfff2ed07fa1ef7d622d9c77
SHA1

60f1d95d309161d95def4915a316c6b9e0aeeda1
SHA256

4ae8030b8c73dcfa41ce2b2bd78fd29369027eebcab58d20cbd95b904b19d8d5
SHA512

8a73c946c9bd1147a94d76f42f08e3555bdc89a76ccfb52edd52a86fd4e0f3d1d5785ec655fb340cd3608fdda34a9a8a8fc7769233d932c6bfb5baafcf4876e1
SSDEEP

192:kHCugRK83SxHn2OQ/dmBI4KBPwgir+xzRCvobqUqV/Qjo7AGa:ICxRKqbOCdWIVBPk+xzR/fCXAn

Score

10^/10

cobaltstrike metasploit 305419896 backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://0.tcp.jp.ngrok.io:12337/FFdl

Attributes

headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ESES)

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://0.tcp.jp.ngrok.io:12337/ga.js

Attributes

access_type
512
host
0.tcp.jp.ngrok.io,/ga.js
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
12337
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTUlJ7J79z/MkkV8+MsYlOvREE2hhdGNzrKPFZ10lY0K5legA+um5JxESEaC0woDgSmOGrkh1giz/aQwd6tG4mihFgpi0oIbfwu6XZbE6ghYGyu2F7+A5TifRUzvU0YLXjK78EW12XhjHx4KopMF/AtOAueGwfiI2DmXwNzrBDvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; InfoPath.2)
watermark
305419896

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

Processes:

artifact.exe

description	pid	process	target process
PID 864 set thread context of 2600	864	artifact.exe	rundll32.exe
PID 864 set thread context of 4608	864	artifact.exe	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

NOTEPAD.EXE

pid process

2116 NOTEPAD.EXE

pid	process
2116	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

artifact.exe

description	pid	process	target process
PID 864 wrote to memory of 2600	864	artifact.exe	rundll32.exe
PID 864 wrote to memory of 2600	864	artifact.exe	rundll32.exe
PID 864 wrote to memory of 2600	864	artifact.exe	rundll32.exe
PID 864 wrote to memory of 2600	864	artifact.exe	rundll32.exe
PID 864 wrote to memory of 4608	864	artifact.exe	rundll32.exe
PID 864 wrote to memory of 4608	864	artifact.exe	rundll32.exe
PID 864 wrote to memory of 4608	864	artifact.exe	rundll32.exe
PID 864 wrote to memory of 4608	864	artifact.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\artifact.exe
"C:\Users\Admin\AppData\Local\Temp\artifact.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\syswow64\rundll32.exe
2⤵
PID:2600

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\syswow64\rundll32.exe
2⤵
PID:4608

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:2116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/864-133-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/864-134-0x0000000003930000-0x0000000003D30000-memory.dmp

Filesize
4.0MB

Download
memory/864-135-0x0000000003D30000-0x0000000003D6D000-memory.dmp

Filesize
244KB

Download
memory/864-136-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/864-137-0x0000000003D30000-0x0000000003D6D000-memory.dmp

Filesize
244KB

Download
memory/864-164-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/864-165-0x0000000003D30000-0x0000000003D6D000-memory.dmp

Filesize
244KB

Download
memory/2600-143-0x0000000000110000-0x0000000000138000-memory.dmp

Filesize
160KB

Download
memory/2600-145-0x00000000001D0000-0x00000000001FC000-memory.dmp

Filesize
176KB

Download
memory/2600-148-0x00000000001D0000-0x00000000001FC000-memory.dmp

Filesize
176KB

Download
memory/4608-161-0x0000000000760000-0x00000000007A7000-memory.dmp

Filesize
284KB

Download
memory/4608-163-0x00000000024E0000-0x000000000252A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads