cobaltstrike | 6d6a4533ce9fb518e1fe891fc8fa9ad51e4dec6d1ff024ebf24c390656c3e5c7

Sharing

Copy URL

Twitter E-mail

General

Target

6d6a4533ce9fb518e1fe891fc8fa9ad51e4dec6d1ff024ebf24c390656c3e5c7
Size

380KB
MD5

2dbb89972bc9b697a46b6852cccfa35b
SHA1

64476be44b2693aeced74ad499257751fe9b961f
SHA256

6d6a4533ce9fb518e1fe891fc8fa9ad51e4dec6d1ff024ebf24c390656c3e5c7
SHA512

6cdd0c70d2584f16f672a2a0925f04da82d5dcfb02362f0d60a0dc581d2de9ffef746ce7db597a39749350019fbf62d9c430e8dd4d688a6b2e9f389802d389ad
SSDEEP

6144:aAgVsBSj9evYwdtYxTrXlNs6ivcQKXF2yEQDr0LdaAtUNT:aRP9evYCt4X4bgs8

Score

10^/10

665745135 cobaltstrike

Malware Config

Extracted

Family

cobaltstrike

Botnet

665745135

http://yelp.com:443/gp/aj/private/reviewsGallery/get-application-resources

http://bbc.com:443/api2/json/cluster/resources

http://nytimes.com:443/en-us/p/onerf/MeSilentPassport

http://dictionary.com:443/en-us/p/onerf/MeSilentPassport

Attributes

access_type
512
beacon_type
2048
host
yelp.com,/gp/aj/private/reviewsGallery/get-application-resources,bbc.com,/api2/json/cluster/resources,nytimes.com,/en-us/p/onerf/MeSilentPassport,dictionary.com,/en-us/p/onerf/MeSilentPassport
http_header1
AAAACgAAAJBBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9hcG5nLCovKjtxPTAuOCxhcHBsaWNhdGlvbi9zaWduZWQtZXhjaGFuZ2VkL3Y9YjM7cT0wLjkAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjkAAAAKAAAAIkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIAAAAHAAAAAAAAAAgAAAAPAAAAAwAAAAIAAAAtZGlzcGxheS1jdWx0dXJlPWVuO2NoZWNrPXRydWU7bGJjcz0wO3Nlc3MtaWQ9AAAAAQAAACA7U0lEQ0M9QU4wLU5SWTRjSkdLOU9sQWU7VG1tdjQ9QwAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAJBBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9hcG5nLCovKjtxPTAuOCxhcHBsaWNhdGlvbi9zaWduZWQtZXhjaGFuZ2VkL3Y9YjM7cT0wLjkAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjkAAAAKAAAAIkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIAAAAHAAAAAAAAAA8AAAANAAAAAgAAAARzZXMtAAAABQAAAAJwcQAAAAcAAAABAAAACAAAAA8AAAANAAAAAgAAACl7ImxvY2FsZSI6ImVuIiwiY2hhbm5lbCI6InByb2QiLCJhZGRvbiI6IgAAAAEAAAACIn0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
23040
polling_time
15000
port_number
443
sc_process32
%windir%\syswow64\WerFault -a
sc_process64
%windir%\sysnative\WerFault -a
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCKpYKHPTr/o+ua/PTe9MpUMy6X0Y2z5l6FBVcrB9Ldm7LHyNkAYH/+neG1nN0l7A9Wd8e2xeRf+xsnhEAXrQ6wJPBx3GTBygGwcp2+25nd46vIOZBsMsSPNdyR7gj7LVabULJUMAKEfhO8i1ruciX5Uz/LI4FnAlUDYdZ8xdT/VwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.0086976e+09
unknown2
AAAABAAAAAEAAAADAAAAAgAAAFQAAAADAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/1.5/95648064/storage/tabs
user_agent
Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
665745135

Signatures

Cobaltstrike family
cobaltstrike

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
6d6a4533ce9fb518e1fe891fc8fa9ad51e4dec6d1ff024ebf24c390656c3e5c7

Files

6d6a4533ce9fb518e1fe891fc8fa9ad51e4dec6d1ff024ebf24c390656c3e5c7
.exe windows x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 1024B - Virtual size: 720B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 52B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bbfk
Size: 206KB - Virtual size: 206KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

new_imp
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

new_imp
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

new_imp
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

new_imp
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

new_imp
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

new_imp
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

new_imp
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

new_imp
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

new_imp
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

new_imp
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

new_imp
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

new_imp
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Extracted

Signatures

Files

Headers

File Characteristics

Sections

.text Size: 7KB - Virtual size: 6KB

.data Size: 2KB - Virtual size: 1KB

.rdata Size: 1024B - Virtual size: 720B

.bss Size: - Virtual size: 1KB

.idata Size: 2KB - Virtual size: 1KB

.CRT Size: 512B - Virtual size: 52B

.tls Size: 512B - Virtual size: 32B

.bbfk Size: 206KB - Virtual size: 206KB

new_imp Size: 2KB - Virtual size: 4KB

new_imp Size: 7KB - Virtual size: 7KB

new_imp Size: 7KB - Virtual size: 7KB

new_imp Size: 7KB - Virtual size: 7KB

new_imp Size: 10KB - Virtual size: 10KB

new_imp Size: 11KB - Virtual size: 11KB

new_imp Size: 11KB - Virtual size: 11KB

new_imp Size: 16KB - Virtual size: 16KB

new_imp Size: 18KB - Virtual size: 18KB

new_imp Size: 19KB - Virtual size: 19KB

new_imp Size: 22KB - Virtual size: 22KB

new_imp Size: 26KB - Virtual size: 26KB

.text
Size: 7KB - Virtual size: 6KB

.data
Size: 2KB - Virtual size: 1KB

.rdata
Size: 1024B - Virtual size: 720B

.bss
Size: - Virtual size: 1KB

.idata
Size: 2KB - Virtual size: 1KB

.CRT
Size: 512B - Virtual size: 52B

.tls
Size: 512B - Virtual size: 32B

.bbfk
Size: 206KB - Virtual size: 206KB

new_imp
Size: 2KB - Virtual size: 4KB

new_imp
Size: 7KB - Virtual size: 7KB

new_imp
Size: 7KB - Virtual size: 7KB

new_imp
Size: 7KB - Virtual size: 7KB

new_imp
Size: 10KB - Virtual size: 10KB

new_imp
Size: 11KB - Virtual size: 11KB

new_imp
Size: 11KB - Virtual size: 11KB

new_imp
Size: 16KB - Virtual size: 16KB

new_imp
Size: 18KB - Virtual size: 18KB

new_imp
Size: 19KB - Virtual size: 19KB

new_imp
Size: 22KB - Virtual size: 22KB

new_imp
Size: 26KB - Virtual size: 26KB