cobaltstrike | 94d55c902d4267ba9578445085d74256374f43d68be872999a3d4b8cc02aad5a

Analysis

max time kernel
132s
max time network
144s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16-08-2023 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94d55c902d4267ba9578445085d74256374f43d68be872999a3d4b8cc02aad5a.exe
Size

5.1MB
MD5

eca7f2c9c0d447fcbd42f9ec83ff9183
SHA1

838cc6b6e059bec58326e68107c4a92e4d0f99d5
SHA256

94d55c902d4267ba9578445085d74256374f43d68be872999a3d4b8cc02aad5a
SHA512

5e68dc1803b80b9819c6c0afd56c13d902ca195c252d85a9435f89cf74cb96372c2efce476f1da74fa23ce7bb21060f747c509935ee2b79eddda138bf3c9b874
SSDEEP

49152:wWdHZSw33+S7B/cua9fd8UgbOhJ+PfyBOCHz8AuVTFPjbr3jHWKpQqNLcPW4g88Z:TSsBk8chJ+n7e8DxXHnBNL

Score

10^/10

cobaltstrike 0 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

http://192.168.0.138:4444/updates.rss

Attributes

access_type
512
beacon_type
2048
host
192.168.0.138,/updates.rss
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
4444
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCLj5KNmV3cj5ddu30Qa8G9Lwiij+CVKCUbQenL/tlaK293vDNQV8NdYoMaDG2oRwtmLEKfMAFUMEJ2A6MXhGQQMIjmRXo4qAhwQNeu2O5ypI3DiaVlE0y3iidm7SfI4UkZk8rt82RzD+NeCumqNwi82P4lfAXJosazh7+Z/ON8rQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; LBBROWSER)
watermark
100000

Extracted

Family

cobaltstrike

Botnet

Attributes

polling_time
60000
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCLj5KNmV3cj5ddu30Qa8G9Lwiij+CVKCUbQenL/tlaK293vDNQV8NdYoMaDG2oRwtmLEKfMAFUMEJ2A6MXhGQQMIjmRXo4qAhwQNeu2O5ypI3DiaVlE0y3iidm7SfI4UkZk8rt82RzD+NeCumqNwi82P4lfAXJosazh7+Z/ON8rQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 1692	936	94d55c902d4267ba9578445085d74256374f43d68be872999a3d4b8cc02aad5a.exe	29
PID 936 wrote to memory of 1692	936	94d55c902d4267ba9578445085d74256374f43d68be872999a3d4b8cc02aad5a.exe	29
PID 936 wrote to memory of 1692	936	94d55c902d4267ba9578445085d74256374f43d68be872999a3d4b8cc02aad5a.exe	29

C:\Users\Admin\AppData\Local\Temp\94d55c902d4267ba9578445085d74256374f43d68be872999a3d4b8cc02aad5a.exe
"C:\Users\Admin\AppData\Local\Temp\94d55c902d4267ba9578445085d74256374f43d68be872999a3d4b8cc02aad5a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  PID:1692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/936-55-0x00000000772E0000-0x0000000077489000-memory.dmp

Filesize
1.7MB

Download
memory/936-56-0x00000000288B0000-0x00000000288F1000-memory.dmp

Filesize
260KB

Download
memory/936-57-0x0000000028900000-0x000000002894F000-memory.dmp

Filesize
316KB

Download
memory/936-58-0x00000000772E0000-0x0000000077489000-memory.dmp

Filesize
1.7MB

Download
memory/936-59-0x0000000028900000-0x000000002894F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads