cobaltstrike | e01e05a89153f718942abf535480ac1d7f311a30f342c571e4c0d42f4785aa61 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

e01e05a89153f718942abf535480ac1d7f311a30f342c571e4c0d42f4785aa61
Size

950KB
Sample

230721-me8d4aeb89
MD5

07ecd12de259e62383d687d8eac0b089
SHA1

d18d2cda774eb2ebb6ebe2cc82b01ea2e6396070
SHA256

e01e05a89153f718942abf535480ac1d7f311a30f342c571e4c0d42f4785aa61
SHA512

3d7b8d6f76687bba889b0b5c6114e07e55e147676697fedf7bcf09e41324d174daaa493236432a69767ca7f1b80638621c4baf618e3bf3ea9626ad6fc4660fcc
SSDEEP

24576:BUNa3MUnPbWsANXdgEm2vEP9WlkQyOUkiZ9zkRP:BXXSnNNPsVWlkQVUkiZ9zkRP

Score

10^/10

cobaltstrike 0 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://werewolves.su:443/poll

Attributes

access_type
512
beacon_type
2048
host
werewolves.su,/poll
http_header1
AAAACgAAABVYLUN1c3RvbS1QU0s6IDEyMzQ1NjcAAAAHAAAAAAAAAA0AAAAIAAAADQAAAAUAAAAFdG9rZW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACQAAAB5hY3Rpb249R2V0RXh0ZW5zaWJpbGl0eUNvbnRleHQAAAAKAAAALUNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24vanNvbjsgY2hhcnNldD11dGYtOAAAAAoAAAAQUHJhZ21hOiBuby1jYWNoZQAAAAoAAAAVWC1DdXN0b20tUFNLOiAxMjM0NTY3AAAABwAAAAAAAAAFAAAABXRva2VuAAAABwAAAAEAAAAPAAAAAwAAAAIAAAAZeyJ2ZXJzaW9uIjoiMiIsInJlcG9ydCI6IgAAAAEAAAACIn0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoF8VZjxm15ziTwzdE+jW+r54e9S60MKgSH1OnPssSGh0CIiVo7hbwzHllXOcl8eWvZAn87FQZoz48ftehl+MGybvk8Zpi6riqha7Mp4kHj+dELTMYxrt+YeDLb2TQEr7Z7E8pK+ldsWvyBiSuV4bK0xhEJ17M1hjbrrjjNJ574QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.102727936e+09
unknown2
AAAABAAAAAEAAAACAAAAAgAAACMAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/upload
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; BTRS125526)
watermark
0

Targets

- Target
  
  e01e05a89153f718942abf535480ac1d7f311a30f342c571e4c0d42f4785aa61
- Size
  
  950KB
- MD5
  
  07ecd12de259e62383d687d8eac0b089
- SHA1
  
  d18d2cda774eb2ebb6ebe2cc82b01ea2e6396070
- SHA256
  
  e01e05a89153f718942abf535480ac1d7f311a30f342c571e4c0d42f4785aa61
- SHA512
  
  3d7b8d6f76687bba889b0b5c6114e07e55e147676697fedf7bcf09e41324d174daaa493236432a69767ca7f1b80638621c4baf618e3bf3ea9626ad6fc4660fcc
- SSDEEP
  
  24576:BUNa3MUnPbWsANXdgEm2vEP9WlkQyOUkiZ9zkRP:BXXSnNNPsVWlkQVUkiZ9zkRP
Score

10^/10

cobaltstrike 0 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cobaltstrike0backdoortrojan