cobaltstrike | 7b04e268716678d10ea24a9c07db8bf6ecd4b783973e82a93a79023df8c5a896

General

Target

extractor.exe
Size

6.5MB
MD5

ee71f97e010dfecb95f217d78b5f5aee
SHA1

820465e46c7873dcc611b7ad7e566fbf012dc11c
SHA256

7b04e268716678d10ea24a9c07db8bf6ecd4b783973e82a93a79023df8c5a896
SHA512

421bbdf1e0c80fa0209722e728cdeccd2fe561e802d0707442f5ccfa807e5631dd9dfdf894b3e0ba278d8f20ebf98f63b76868576cf1bf874f90a57647c27ebd
SSDEEP

98304:63Oapl8G3EQ7zUngGqwhxrrqAYhyHcgUzhSTaZ:6OaPH0I4gGqqxPqA18nFii

Score

10^/10

cobaltstrike 0 1580103824 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1580103824

C2

http://60.204.200.204:9443/dpixel

Attributes

access_type
512
beacon_type
2048
host
60.204.200.204,/dpixel
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
9443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCF3ioD+Lx+feILZ4VL0Xd31xn9MiLNXKh9Iwd5UuMP81ZehCl/YeFo+Z602r3t0JCWevAng65vhHXn7DNy5B9ZciT4AX8IDaOFmbrp2c9AQXy7pKhwGF3upwgG7DxIR/8sSt/6HvT016+bS2uFULumluXAnlYK148PrimovS6mBQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)
watermark
1580103824

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2920	dYZhlhzNshellcode_loader.exe

Loads dropped DLL 2 IoCs

pid	Process
2476	cmd.exe
2476	cmd.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	2	Go-http-client/1.1
HTTP User-Agent header	3	Go-http-client/1.1

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 2476	532	extractor.exe	28
PID 532 wrote to memory of 2476	532	extractor.exe	28
PID 532 wrote to memory of 2476	532	extractor.exe	28
PID 2476 wrote to memory of 2920	2476	cmd.exe	30
PID 2476 wrote to memory of 2920	2476	cmd.exe	30
PID 2476 wrote to memory of 2920	2476	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\extractor.exe
"C:\Users\Admin\AppData\Local\Temp\extractor.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\system32\cmd.exe
  cmd.exe /c dYZhlhzNshellcode_loader.exe uAAwhiHYshika_beacon.bin
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\dYZhlhzNshellcode_loader.exe
    dYZhlhzNshellcode_loader.exe uAAwhiHYshika_beacon.bin
    3⤵
    - Executes dropped EXE
    PID:2920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabFCA9.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF04D.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYZhlhzNshellcode_loader.exe

Filesize
2.0MB

MD5
d6e105d8cf369607bcce8dcc3cae842c

SHA1
cae4226bfe83fa8ba12bc7c195be6fe9a6c0765e

SHA256
a6a9f467a6052b557d3f1894c03cb99ea0a39127b6c01d3ded558a413d506fb6

SHA512
0842e7e234c3cf654ad0e56e8c46e36354e59133e335fe70f0484b9a272fddeca83fc29a8ff67598e24c09ba495fa4f32a23a32e141d7e7f2949fee48fd045d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYZhlhzNshellcode_loader.exe

Filesize
2.0MB

MD5
d6e105d8cf369607bcce8dcc3cae842c

SHA1
cae4226bfe83fa8ba12bc7c195be6fe9a6c0765e

SHA256
a6a9f467a6052b557d3f1894c03cb99ea0a39127b6c01d3ded558a413d506fb6

SHA512
0842e7e234c3cf654ad0e56e8c46e36354e59133e335fe70f0484b9a272fddeca83fc29a8ff67598e24c09ba495fa4f32a23a32e141d7e7f2949fee48fd045d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAAwhiHYshika_beacon.bin

Filesize
257KB

MD5
7cbaf85a12ca5ca4b511cbed1aa75324

SHA1
dabf89463e2c452b7570e0f86b47c66e0388cb00

SHA256
401c1354fbdc50a7038595fd7da41e9bb0d1522d1724f86cd05f82b99d691ad3

SHA512
23802f63aeccdf1a8519f442f6fda59b8bef9b01b089c1b39142c2ac12127ee575d88d503306cef557ab2486d267739cac3af42ced10cc83d5cec87dca0f937f

Download Submit
\Users\Admin\AppData\Local\Temp\dYZhlhzNshellcode_loader.exe

Filesize
2.0MB

MD5
d6e105d8cf369607bcce8dcc3cae842c

SHA1
cae4226bfe83fa8ba12bc7c195be6fe9a6c0765e

SHA256
a6a9f467a6052b557d3f1894c03cb99ea0a39127b6c01d3ded558a413d506fb6

SHA512
0842e7e234c3cf654ad0e56e8c46e36354e59133e335fe70f0484b9a272fddeca83fc29a8ff67598e24c09ba495fa4f32a23a32e141d7e7f2949fee48fd045d9

Download Submit
\Users\Admin\AppData\Local\Temp\dYZhlhzNshellcode_loader.exe

Filesize
2.0MB

MD5
d6e105d8cf369607bcce8dcc3cae842c

SHA1
cae4226bfe83fa8ba12bc7c195be6fe9a6c0765e

SHA256
a6a9f467a6052b557d3f1894c03cb99ea0a39127b6c01d3ded558a413d506fb6

SHA512
0842e7e234c3cf654ad0e56e8c46e36354e59133e335fe70f0484b9a272fddeca83fc29a8ff67598e24c09ba495fa4f32a23a32e141d7e7f2949fee48fd045d9

Download Submit
memory/2920-61-0x0000000028590000-0x00000000285D1000-memory.dmp

Filesize
260KB

Download
memory/2920-62-0x00000000286A0000-0x00000000286EE000-memory.dmp

Filesize
312KB

Download
memory/2920-79-0x00000000286A0000-0x00000000286EE000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads