cobaltstrike

Sharing

Copy URL

Twitter E-mail

General

Target

Daisy.rar
Size

69.9MB
Sample

230723-mhcrlaed8y
MD5

5428032e105659f7bc89c5aa637145c8
SHA1

b882fda8ec20b1b3d0c2cc13cbce33a3f1072400
SHA256

ebbe43c09b9b33476cac458bf447ea3b815f76580f094979d1ab5f3b69120f9b
SHA512

769f0c238b8015fee15fb628999efb68d10f0a10b135acfb7d9d8e51df08ffff2dd658186205573abd7e1e17ae7b21696db2d91730166cc41839b0e34c0683e3
SSDEEP

1572864:mnaprkyUiJPqhWyJs9L947TmRs0ikQoLcJxHg/LvEwfMcGhHu3+:mnagYyJsV947SZQoLcJxyJfhyOu

Score

10^/10

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://101.43.2.116:80/login.js

Attributes

headers User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

Extracted

Family

cobaltstrike

Botnet

305419896

http://101.43.2.116:80/admin/login

Attributes

access_type
512
host
101.43.2.116,/admin/login
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
5000
port_number
80
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTUlJ7J79z/MkkV8+MsYlOvREE2hhdGNzrKPFZ10lY0K5legA+um5JxESEaC0woDgSmOGrkh1giz/aQwd6tG4mihFgpi0oIbfwu6XZbE6ghYGyu2F7+A5TifRUzvU0YLXjK78EW12XhjHx4KopMF/AtOAueGwfiI2DmXwNzrBDvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.82554112e+09
unknown2
AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/admin/user
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
watermark
305419896

Targets

- Target
  
  Daisy.rar
- Size
  
  69.9MB
- MD5
  
  5428032e105659f7bc89c5aa637145c8
- SHA1
  
  b882fda8ec20b1b3d0c2cc13cbce33a3f1072400
- SHA256
  
  ebbe43c09b9b33476cac458bf447ea3b815f76580f094979d1ab5f3b69120f9b
- SHA512
  
  769f0c238b8015fee15fb628999efb68d10f0a10b135acfb7d9d8e51df08ffff2dd658186205573abd7e1e17ae7b21696db2d91730166cc41839b0e34c0683e3
- SSDEEP
  
  1572864:mnaprkyUiJPqhWyJs9L947TmRs0ikQoLcJxHg/LvEwfMcGhHu3+:mnagYyJsV947SZQoLcJxyJfhyOu
Score

3^/10
behavioral1 behavioral2
- Target
  
  Daisy/7B639216.exe
- Size
  
  11.3MB
- MD5
  
  0524573ad4bbd1bed2204c312bd2277e
- SHA1
  
  9e05dbba1d53b806b3b626a643a9f874f6806b8b
- SHA256
  
  e4805a5d8f387e4f1663dc5b86f146c2f86417479bf7836008c22fe32d189621
- SHA512
  
  a094b3c4777cc4272ad81082f6c484fd5045d273f2b30a97d1d007e3fdab42955650009c0c20b89c49740fca91de423321308065e9a8e59f9dbecd87510e551c
- SSDEEP
  
  98304:YD5Ta9Ea18OYywznMOzTV+hF7ZEbbOPK4uvOolNrcZcXthCWcA2E3E4rbT:YNTa9Y/YyQK4IOeNrcZc9Q02E3E4j
Score

10^/10

cobaltstrike metasploit 305419896 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
behavioral3 behavioral4
- Target
  
  Daisy/8488E511.exe
- Size
  
  5.1MB
- MD5
  
  237baa50bb0d6845496c4f51fa824150
- SHA1
  
  7685a21e56f7542345819c5e2d865f5419560a6f
- SHA256
  
  21dcbec094926316be6304c8058c60a44113d2f86884a4ad9e78ade95ea96fb5
- SHA512
  
  fb5bc97f1d23dfc5b1f9394baca7c4dd43955d9e8fcd81d81d563c9ed8912e8590898a8c35548be15be6925e66cfe43943415ae4a4fb1336d2a51b776074f29c
- SSDEEP
  
  49152:f3WIqwlJNvAOgK7vl1k3g8D1hSWaNuJxgwqtTI6fk:f3/bVTk3VJxg+6s
Score

1^/10
behavioral5 behavioral6
- Target
  
  Daisy/A2D0A16E.exe
- Size
  
  64.7MB
- MD5
  
  7236b689ea82683169c029b319424224
- SHA1
  
  12b71431501fda3dcf0544d80f620cb38825c6a8
- SHA256
  
  f61738813a52548f37cd398e23d60a41edbf384b8784a2ecd32cd6cb29412e59
- SHA512
  
  3b130dba4aa2e541d63176f843954c7709ce498f0673e16d218b3722aa57317a4806dc31c5884199675f1db6446c2b3ce76f1c706cbe2a12f5362e118731d8c5
- SSDEEP
  
  1572864:ByXoONw5ldIVvKJaQJTI5HEWnj2DWB4v5fQSlWBKGY7:sXk5rI4Ji7nj2DYI5YqGY7
Score

7^/10

spyware stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral7 behavioral8

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

MetaSploit

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8