cobaltstrike | a0c30e540a658e02f5179f5dfcdb344ed18c67d83e9a57b39062c42bc5aa155a

General

Target

main.exe
Size

2.9MB
MD5

269fd44cccfdde45ae1b5c1a544bfbfc
SHA1

0c72f5e685664a8fe29187bad90a32f725883b8d
SHA256

a0c30e540a658e02f5179f5dfcdb344ed18c67d83e9a57b39062c42bc5aa155a
SHA512

4e7a4043d51f6e6b77311f9cb20db24416f58f96897b258525743b0313e0936f021b952eb75a1b6896f0b4887e5648e0db1ad60aa72b9c71384af6a056f1eb51
SSDEEP

49152:01LPC/cm3rb/TkvO90d7HjmAFd4A64nsfJTl1a3HYxw5GF0dCH5EyYugaMEygP0/:Xcmf43PGjEgc

Score

10^/10

cobaltstrike 100000000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://45.130.145.209:17389/nsmail/skins/login/default/CSS/images

Attributes

access_type
512
host
45.130.145.209,/nsmail/skins/login/default/CSS/images
http_header1
AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAAAAAcAAAAAAAAADwAAAA0AAAAFAAAABmZvcm1pZAAAAAcAAAABAAAADwAAAA0AAAAFAAAABWFsZXJ0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
GET
jitter
23040
polling_time
4000
port_number
17389
sc_process32
%windir%\syswow64\notepad.exe
sc_process64
%windir%\sysnative\notepad.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTXfwcPVQMe0F3ErtioTQ4xl3AVXezqiyZOysCzoVevJVQ7BWakzzapcXBn6t25i6FuXOUUuNffJ+kV6Dm9xi31hQlgU6lst7du7rAZ3pMnU4qBxq2fPPSNsSro/CZ1TRF9OwMKOSucEgGQbSValaIzy2Kqlsd636wGwC41sg60wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.47106304e+09
unknown2
AAAABAAAAAEAAAAIAAAAAgAAAAoAAAAPAAAAAQAAALMAAAACAAAAZwAAAA0AAAAIAAAADQAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
1.610612736e+09
uri
/nsmail/
user_agent
Mozilla/5.0 cb
watermark
100000000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	taskmgr.exe
Token: 33	1984	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1984	AUDIODG.EXE
Token: 33	1984	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1984	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe
2980	taskmgr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 3060	2316	main.exe	29
PID 2316 wrote to memory of 3060	2316	main.exe	29
PID 2316 wrote to memory of 3060	2316	main.exe	29

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  PID:3060

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2980

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x160
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2316-54-0x0000000028510000-0x0000000028590000-memory.dmp

Filesize
512KB

Download
memory/2316-56-0x0000000029F50000-0x000000002A3C2000-memory.dmp

Filesize
4.4MB

Download
memory/2316-57-0x0000000028510000-0x0000000028590000-memory.dmp

Filesize
512KB

Download
memory/2316-58-0x0000000029B50000-0x0000000029EDF000-memory.dmp

Filesize
3.6MB

Download
memory/2316-59-0x0000000029B50000-0x0000000029EDF000-memory.dmp

Filesize
3.6MB

Download
memory/2980-55-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download

Analysis

Sharing