cobaltstrike | f6a7e70069843e11eceb06353a37aa2ca4fff8651320a560d6cdd259e456212b

Analysis

max time kernel
136s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2023, 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sangfor_mange.exe
Size

5.9MB
MD5

4a74fe432b5c9b9d8cca50cc32356e47
SHA1

5bfe83624e7dcbdabdc2db6cc10daf852903bef2
SHA256

f6a7e70069843e11eceb06353a37aa2ca4fff8651320a560d6cdd259e456212b
SHA512

2389ee510e3a2a9650158de8064f910b25009c169f6b78b0295297206cbd756941726884fcb854a92a2dd5dc8137d919fe8ebd3f400bf5f8125bbe9824fd5d25
SSDEEP

98304:lguoR5opzoLLJ3TbwaVvrZE0Idx6miAAHdNq+Z84EOSgyN2iA7VDqjqs:lg/R5o9onJ5hrZER7iLHdNpEOJu

Score

10^/10

cobaltstrike 100000000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://49.235.67.125:443/jquery-3.3.2.slim.min.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Extracted

Family

cobaltstrike

Botnet

100000000

http://49.235.67.125:443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
49.235.67.125,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEP4ocuxhbqO60VTCuWo7mV51+casimq0U06vH8xx3DwwPK43TxbT99wmKUMS2DKxk3Me5VelBpWe2PDZcGdTf5DvK6kCONaodRH/myAZv3V7+5ORUwv1W/GYWoiP2sWXL/6vmRq/B002YIVTAAPgOS2cneR5LHBspHiGWcQO36QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
100000000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 5 IoCs

pid	Process
4456	sangfor_mange.exe
4456	sangfor_mange.exe
4456	sangfor_mange.exe
4456	sangfor_mange.exe
4456	sangfor_mange.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 4456	4444	sangfor_mange.exe	84
PID 4444 wrote to memory of 4456	4444	sangfor_mange.exe	84

C:\Users\Admin\AppData\Local\Temp\sangfor_mange.exe
"C:\Users\Admin\AppData\Local\Temp\sangfor_mange.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Local\Temp\sangfor_mange.exe
  "C:\Users\Admin\AppData\Local\Temp\sangfor_mange.exe"
  2⤵
  - Loads dropped DLL
  PID:4456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI44442\VCRUNTIME140.dll

Filesize
99KB

MD5
18571d6663b7d9ac95f2821c203e471f

SHA1
3c186018df04e875d6b9f83521028a21f145e3be

SHA256
0b040a314c19ff88f38fd9c89dca2d493113a6109adb8525733c3f6627da888f

SHA512
c8cbca1072b8cb04f9d82135c91ff6d7a539cb7a488671cecb6b5e2f11a4807f47ad9af5a87ebee44984ab71d7c44fc87850f9d04fd2c5019ec1b6a1b483ca21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44442\VCRUNTIME140.dll

Filesize
99KB

MD5
18571d6663b7d9ac95f2821c203e471f

SHA1
3c186018df04e875d6b9f83521028a21f145e3be

SHA256
0b040a314c19ff88f38fd9c89dca2d493113a6109adb8525733c3f6627da888f

SHA512
c8cbca1072b8cb04f9d82135c91ff6d7a539cb7a488671cecb6b5e2f11a4807f47ad9af5a87ebee44984ab71d7c44fc87850f9d04fd2c5019ec1b6a1b483ca21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44442\_ctypes.pyd

Filesize
123KB

MD5
890e9cfab85234fad3f1ae83b092c7cc

SHA1
85419a7cb1e1fa0275b07cf451c1125c31e8b1f7

SHA256
99a40375974e560d0ed9756dcfb77ac3aaaecf2434b442f0f3df908cfe7e821f

SHA512
421d5c161046f57b5d7f94eb628f041b029ff229f08bf0f211d1432b6501ffefa2a57829e74284101f6746f61add1461f1125aefdf3d39027492427a509aa511

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44442\_ctypes.pyd

Filesize
123KB

MD5
890e9cfab85234fad3f1ae83b092c7cc

SHA1
85419a7cb1e1fa0275b07cf451c1125c31e8b1f7

SHA256
99a40375974e560d0ed9756dcfb77ac3aaaecf2434b442f0f3df908cfe7e821f

SHA512
421d5c161046f57b5d7f94eb628f041b029ff229f08bf0f211d1432b6501ffefa2a57829e74284101f6746f61add1461f1125aefdf3d39027492427a509aa511

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44442\base_library.zip

Filesize
1005KB

MD5
5e3605540c4c53b38fb59db396559c95

SHA1
7c60cb2375c9b2aa64bf92e354cb5284344590a9

SHA256
7c32c9a51685d73feb809b2ec184dfb765b23f2ad596235fe1e1d337c171d50e

SHA512
e66e989121d8ce644a010b8b428be93651baecbb1509e8fb4e8f5279721a33f806d19d289dba6532a7c29c8ade903cc2dfb2bba836bc4c93317a026ab6f121e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44442\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44442\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44442\python38.dll

Filesize
4.0MB

MD5
8a6a13127f64757556080d3e4a7e45a0

SHA1
8e9a8e85cebcab07bf62033529ca5631a6d725dd

SHA256
54a34bd2efd0c3dd2ee950adf05d9344c70b0dac40311935763a3f171482a4d9

SHA512
2d4f9cbc544be4c38fccaf618806744bda5065853fa0e7f08bf359994db4bfd29d1cc8ee188ce5e7bfd0c78f7e7625f257fc05e9e736df794fb19fa9738cca16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44442\python38.dll

Filesize
4.0MB

MD5
8a6a13127f64757556080d3e4a7e45a0

SHA1
8e9a8e85cebcab07bf62033529ca5631a6d725dd

SHA256
54a34bd2efd0c3dd2ee950adf05d9344c70b0dac40311935763a3f171482a4d9

SHA512
2d4f9cbc544be4c38fccaf618806744bda5065853fa0e7f08bf359994db4bfd29d1cc8ee188ce5e7bfd0c78f7e7625f257fc05e9e736df794fb19fa9738cca16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44442\ucrtbase.dll

Filesize
987KB

MD5
61eb0ad4c285b60732353a0cb5c9b2ab

SHA1
21a1bea01f6ca7e9828a522c696853706d0a457b

SHA256
10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd

SHA512
44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44442\ucrtbase.dll

Filesize
987KB

MD5
61eb0ad4c285b60732353a0cb5c9b2ab

SHA1
21a1bea01f6ca7e9828a522c696853706d0a457b

SHA256
10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd

SHA512
44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d

Download Submit
memory/4456-197-0x000001EBBB060000-0x000001EBBB061000-memory.dmp

Filesize
4KB

Download
memory/4456-198-0x000001EBBB730000-0x000001EBBBBA2000-memory.dmp

Filesize
4.4MB

Download
memory/4456-199-0x000001EBBB330000-0x000001EBBB494000-memory.dmp

Filesize
1.4MB

Download
memory/4456-200-0x000001EBBB330000-0x000001EBBB494000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads