cobaltstrike

General

Target

c1706a.zip
Size

4.0MB
Sample

230713-qxqhsagh66
MD5

ae297f8e3850e52a150171aba3838b15
SHA1

1acad01a18699a088b517013673a85b7ea9f484c
SHA256

951b16126fd1535144451e2ce1ce64f60b4561d26ff46b9cc02e8c45b588d50b
SHA512

efb549bd05956a7a94ae6bdac5f911086ff627e283522a60ed715ccecd974217dda2897fcb6bcc9acc6a67fc431eeb8b307faea8bbdb3141e0832ac88895df8c
SSDEEP

98304:4BQZF1zyT7EFeUWqhEluMS4CLIXw6xMAg+/u/FQOJcOeUa:4ef12UEUWJuMS4CLIw1TXcbJ

Score

10^/10

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://service-mtrar14d-1316554402.sh.apigw.tencentcs.com:80/login.js

Attributes

headers User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://service-mtrar14d-1316554402.sh.apigw.tencentcs.com:80/admin/login

Attributes

access_type
512
host
service-mtrar14d-1316554402.sh.apigw.tencentcs.com,/admin/login
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
5000
port_number
80
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCIf+L6CRq3zedgU1uZz4WOlB5l3w5EVVWHZ6p1yS6ZMJbWzyRDP004C9SyOdlHOEanHAbFHM4En1P/hLVjfGgf0CcN3Us546Z6dXynqT3lqxDm+X0Svfu1fb1Dj2UqQofIOV61p5nbh9HTzbsyOq0f6BeQWZkdQjYV+pbtOecc3wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.82554112e+09
unknown2
AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/admin/user
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
watermark
305419896

Targets

- Target
  
  c1706ae8952eda2d79781eb7f9992dd62da2ea85532a4f4891e693b15a95f714
- Size
  
  10.1MB
- MD5
  
  350d037d53042430fc27afd5167606f6
- SHA1
  
  46ccecd5fc0a86b8b9f2a09cd4109303db77c804
- SHA256
  
  c1706ae8952eda2d79781eb7f9992dd62da2ea85532a4f4891e693b15a95f714
- SHA512
  
  5156976355d8357d250500eca1afa15f53520f1b954105772dbcb8b94baad007be5f2930cbbeeedc8359c1c67f02cfd6199317453b817c3aec57242f1a477d2e
- SSDEEP
  
  98304:hQB5yCVQ8FzUxC8MkCCywTN+TKmlyM1ifMYXEwh:h25yOzL8MkCCvTN9MgfMYXb
Score

10^/10

cobaltstrike metasploit 305419896 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

MetaSploit

Checks computer location settings

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2