cobaltstrike | b242d9c143c8e1b9266bc2d2fb937ae933b58e1cd291e4807ced1df5237cb52c

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2023 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07465599.exe
Size

7.4MB
MD5

e935248f8631314bbcb9bf90f2b496e5
SHA1

3ed3400e894db1205272161c06a6b8bcc5427853
SHA256

b242d9c143c8e1b9266bc2d2fb937ae933b58e1cd291e4807ced1df5237cb52c
SHA512

970c3dded9b2f6f1b2b064d1da511f6067043bdbbd80f56ba7c15724deafa5e953183fb160e260641c5d550909494c1c6a4d1aa5bced70f798b5fb73c777217d
SSDEEP

196608:nNgBf2V1N+u/JVhQ9onJ5hrZER7iLHdN2aV0:nNgBf2Vn+u/JVm9c5hlER7ix90

Score

10^/10

cobaltstrike 0 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://123.207.211.161:6000/nC6v

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Extracted

Family

cobaltstrike

Botnet

305419896

http://123.207.211.161:6000/ptj

Attributes

access_type
512
host
123.207.211.161,/ptj
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
6000
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTUlJ7J79z/MkkV8+MsYlOvREE2hhdGNzrKPFZ10lY0K5legA+um5JxESEaC0woDgSmOGrkh1giz/aQwd6tG4mihFgpi0oIbfwu6XZbE6ghYGyu2F7+A5TifRUzvU0YLXjK78EW12XhjHx4KopMF/AtOAueGwfiI2DmXwNzrBDvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM)
watermark
305419896

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Loads dropped DLL 5 IoCs

Processes:

07465599.exe

pid process

1684 07465599.exe
1684 07465599.exe
1684 07465599.exe
1684 07465599.exe
1684 07465599.exe

pid	process
1684	07465599.exe
1684	07465599.exe
1684	07465599.exe
1684	07465599.exe
1684	07465599.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

07465599.exe07465599.exe

pid	process
948	07465599.exe
948	07465599.exe
1684	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe
948	07465599.exe
1684	07465599.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

07465599.exe

description	pid	process	target process
PID 948 wrote to memory of 1684	948	07465599.exe	07465599.exe
PID 948 wrote to memory of 1684	948	07465599.exe	07465599.exe

C:\Users\Admin\AppData\Local\Temp\07465599.exe
"C:\Users\Admin\AppData\Local\Temp\07465599.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\07465599.exe
"C:\Users\Admin\AppData\Local\Temp\07465599.exe"
2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI9482\VCRUNTIME140.dll
Filesize
99KB

MD5
18571d6663b7d9ac95f2821c203e471f

SHA1
3c186018df04e875d6b9f83521028a21f145e3be

SHA256
0b040a314c19ff88f38fd9c89dca2d493113a6109adb8525733c3f6627da888f

SHA512
c8cbca1072b8cb04f9d82135c91ff6d7a539cb7a488671cecb6b5e2f11a4807f47ad9af5a87ebee44984ab71d7c44fc87850f9d04fd2c5019ec1b6a1b483ca21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9482\VCRUNTIME140.dll
Filesize
99KB

MD5
18571d6663b7d9ac95f2821c203e471f

SHA1
3c186018df04e875d6b9f83521028a21f145e3be

SHA256
0b040a314c19ff88f38fd9c89dca2d493113a6109adb8525733c3f6627da888f

SHA512
c8cbca1072b8cb04f9d82135c91ff6d7a539cb7a488671cecb6b5e2f11a4807f47ad9af5a87ebee44984ab71d7c44fc87850f9d04fd2c5019ec1b6a1b483ca21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9482\_ctypes.pyd
Filesize
123KB

MD5
890e9cfab85234fad3f1ae83b092c7cc

SHA1
85419a7cb1e1fa0275b07cf451c1125c31e8b1f7

SHA256
99a40375974e560d0ed9756dcfb77ac3aaaecf2434b442f0f3df908cfe7e821f

SHA512
421d5c161046f57b5d7f94eb628f041b029ff229f08bf0f211d1432b6501ffefa2a57829e74284101f6746f61add1461f1125aefdf3d39027492427a509aa511

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9482\_ctypes.pyd
Filesize
123KB

MD5
890e9cfab85234fad3f1ae83b092c7cc

SHA1
85419a7cb1e1fa0275b07cf451c1125c31e8b1f7

SHA256
99a40375974e560d0ed9756dcfb77ac3aaaecf2434b442f0f3df908cfe7e821f

SHA512
421d5c161046f57b5d7f94eb628f041b029ff229f08bf0f211d1432b6501ffefa2a57829e74284101f6746f61add1461f1125aefdf3d39027492427a509aa511

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9482\base_library.zip
Filesize
1005KB

MD5
071472ae00d5f8650711c27117de77d3

SHA1
abbcf898b0df3eacc29d8b257ec22bd6710da60c

SHA256
deade67dbe5a4ae77194883b10dff18dc781180a685c181a3790e90e3499b3b7

SHA512
7fe7acce319fde392f6fd403be1a3488e3f00862d900ef33b5506219467440662fef016142f0f390357ca3ce790f4beaf51a04c84afbff76875997542019b0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9482\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9482\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9482\python38.dll
Filesize
4.0MB

MD5
8a6a13127f64757556080d3e4a7e45a0

SHA1
8e9a8e85cebcab07bf62033529ca5631a6d725dd

SHA256
54a34bd2efd0c3dd2ee950adf05d9344c70b0dac40311935763a3f171482a4d9

SHA512
2d4f9cbc544be4c38fccaf618806744bda5065853fa0e7f08bf359994db4bfd29d1cc8ee188ce5e7bfd0c78f7e7625f257fc05e9e736df794fb19fa9738cca16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9482\python38.dll
Filesize
4.0MB

MD5
8a6a13127f64757556080d3e4a7e45a0

SHA1
8e9a8e85cebcab07bf62033529ca5631a6d725dd

SHA256
54a34bd2efd0c3dd2ee950adf05d9344c70b0dac40311935763a3f171482a4d9

SHA512
2d4f9cbc544be4c38fccaf618806744bda5065853fa0e7f08bf359994db4bfd29d1cc8ee188ce5e7bfd0c78f7e7625f257fc05e9e736df794fb19fa9738cca16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9482\ucrtbase.dll
Filesize
1020KB

MD5
2c8fe06966d5085a595ffa3c98fe3098

SHA1
e82945e3e63ffef0974d6dd74f2aef2bf6d0a908

SHA256
de8d08d01291df93821314176381f3d1ae863e6c5584a7f8ea42f0b94b15ef65

SHA512
fb08838983c16082a362b3fc89d5b82e61ae629207c13c3cb76b8a0af557ad95c842ce5197ae458b5af61e5449cbab579f509fa72866308aa6fbd3d751522d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9482\ucrtbase.dll
Filesize
1020KB

MD5
2c8fe06966d5085a595ffa3c98fe3098

SHA1
e82945e3e63ffef0974d6dd74f2aef2bf6d0a908

SHA256
de8d08d01291df93821314176381f3d1ae863e6c5584a7f8ea42f0b94b15ef65

SHA512
fb08838983c16082a362b3fc89d5b82e61ae629207c13c3cb76b8a0af557ad95c842ce5197ae458b5af61e5449cbab579f509fa72866308aa6fbd3d751522d0f

Download Submit
memory/948-207-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/948-133-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/948-136-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/948-137-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/948-134-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/948-135-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1684-194-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1684-192-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1684-212-0x0000000004290000-0x00000000042DC000-memory.dmp

Filesize
304KB

Download
memory/1684-193-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1684-206-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/1684-208-0x0000000003E90000-0x0000000004290000-memory.dmp

Filesize
4.0MB

Download
memory/1684-209-0x0000000004290000-0x00000000042DC000-memory.dmp

Filesize
304KB

Download
memory/1684-210-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1684-191-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download