cobaltstrike

Sharing

Copy URL

Twitter E-mail

General

Target

764a964ab9efffc2ec3625b62ae6d0fedab076e8f79513877db41b4699a39d30
Size

449KB
Sample

230814-my3b7abe75
MD5

7eb501e8240ff1a0fa1bcf1c32dac522
SHA1

d5a62d1b30c7c5dd9d8f35d7038eea6bb7fa160c
SHA256

764a964ab9efffc2ec3625b62ae6d0fedab076e8f79513877db41b4699a39d30
SHA512

aff845acf5f9c61b9cf28d9c1c56f3907e3ed584a63fea972f9ec946931b13516eba8956293606588b1db22cc4bddba93e4e82b0edd7b0dc75d0f7b08046c173
SSDEEP

12288:dByDA7Uvb5n8phWpbIYL+jbnASKU5OEUcO:dByDA7KJih0L0nAjUsC

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

http://111.177.3.35:80/api/v2/Sysconfig

http://118.182.249.49:80/api/v2/Sysconfig

http://58.243.203.35:80/api/v2/Sysconfig

http://122.228.115.35:80/api/v2/Sysconfig

http://219.151.25.35:80/api/v2/Sysconfig

http://175.6.53.35:80/api/v2/Sysconfig

http://219.152.185.35:80/api/v2/Sysconfig

Attributes

access_type
512
host
111.177.3.35,/api/v2/Sysconfig,118.182.249.49,/api/v2/Sysconfig,58.243.203.35,/api/v2/Sysconfig,122.228.115.35,/api/v2/Sysconfig,219.151.25.35,/api/v2/Sysconfig,175.6.53.35,/api/v2/Sysconfig,219.152.185.35,/api/v2/Sysconfig
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
35000
port_number
80
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCybUBngQWbCUzDYGsNNcmiOKH3SjEhpdMBnS9p6/sg+5sXNN938wG3CHFdLVwe07hcR/tNphXX0cNJ603xQiq8b5WbD+vm/UGnftlCmWrB1dw76eR8LAgiaX75iRIIj7acafXBGmiYzgXnMZAd3RdL9tERhkaHU0C2ssOCLRHUKQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/api/v2/TimezoneUsingPost
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
watermark
100000000

Targets

- Target
  
  764a964ab9efffc2ec3625b62ae6d0fedab076e8f79513877db41b4699a39d30
- Size
  
  449KB
- MD5
  
  7eb501e8240ff1a0fa1bcf1c32dac522
- SHA1
  
  d5a62d1b30c7c5dd9d8f35d7038eea6bb7fa160c
- SHA256
  
  764a964ab9efffc2ec3625b62ae6d0fedab076e8f79513877db41b4699a39d30
- SHA512
  
  aff845acf5f9c61b9cf28d9c1c56f3907e3ed584a63fea972f9ec946931b13516eba8956293606588b1db22cc4bddba93e4e82b0edd7b0dc75d0f7b08046c173
- SSDEEP
  
  12288:dByDA7Uvb5n8phWpbIYL+jbnASKU5OEUcO:dByDA7KJih0L0nAjUsC
Score

10^/10

cobaltstrike 100000000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks