cobaltstrike | 10eb36291ef8c51d89a477e7bc683c707f7da550d2bd44f8104389a5d196341b | Triage

Submit
Reports

Overview

overview

Static

static

3

10eb36291e...1b.dll

windows7-x64

10eb36291e...1b.dll

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

10eb36291ef8c51d89a477e7bc683c707f7da550d2bd44f8104389a5d196341b
Size

536KB
Sample

230818-ja6g6ahe9x
MD5

182148d3c689c6351505df1a1efb11ba
SHA1

222c41065ce2b101716b65dbe7c1a48a27a0e30c
SHA256

10eb36291ef8c51d89a477e7bc683c707f7da550d2bd44f8104389a5d196341b
SHA512

6b733266338fdfbe9247fda4d2b3da00a82cadc5539b0c3a286d3e372f89bbde5b191d5dd069ade651290ab85ebc658efcf84db7b6be97de88ecb90fb34b49a7
SSDEEP

12288:oJpO5pNgTG4w0jhGGr7O6j0AR1zcnSyY3YBoNjjKMdoqZ5hcrGoAXBDp5oe6lB:oTOtEgKox6oAXBl5v6l

Score

10^/10

cobaltstrike 0 391144938 backdoor trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

10eb36291ef8c51d89a477e7bc683c707f7da550d2bd44f8104389a5d196341b.dll

Resource

win7-20230712-en

cobaltstrike 0 391144938 backdoor trojan

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

10eb36291ef8c51d89a477e7bc683c707f7da550d2bd44f8104389a5d196341b.dll

Resource

win10v2004-20230703-en

cobaltstrike backdoor trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

cobaltstrike

Botnet

391144938

C2

http://www.microsoftdnsserver.xyz:8443/async/newtab_promos

Attributes

access_type
512
beacon_type
2048
host
www.microsoftdnsserver.xyz,/async/newtab_promos
http_header1
AAAAEAAAACBIb3N0OiB3d3cubWljcm9zb2Z0ZG5zc2VydmVyLnh5egAAAAoAAAAUU2VjLUZldGNoLVNpdGU6IG5vbmUAAAAKAAAAF1NlYy1GZXRjaC1Nb2RlOiBuby1jb3JzAAAACgAAABVTZWMtRmV0Y2gtRGVzdDogZW1wdHkAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUAAAAHAAAAAAAAAAMAAAACAAAABE5JRD0AAAACAAAADTFQX0pBUj0yMDIyOyAAAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAACBIb3N0OiB3d3cubWljcm9zb2Z0ZG5zc2VydmVyLnh5egAAAAoAAABLU2VjLUNoLVVhOiAiIE5vdDtBIEJyYW5kIjt2PSI5OSIsICJHb29nbGUgQ2hyb21lIjt2PSI5NyIsICJDaHJvbWl1bSI7dj0iOTciAAAACgAAABRTZWMtQ2gtVWEtTW9iaWxlOiA/MAAAAAoAAAAbU2VjLUNoLVVhLVBsYXRmcm9tOiBXaW5kb3dzAAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeT3JpZ2luOiBodHRwczovL3d3dy5nb29nbGUuY29tAAAACgAAABtTZWMtRmV0Y2gtU2l0ZTogc2FtZS1vcmlnaW4AAAAKAAAAF1NlYy1GZXRjaC1Nb2RlOiBuby1jb3JzAAAACgAAABVTZWMtRmV0Y2gtRGVzdDogZW1wdHkAAAAKAAAAH1JlZmVyZXI6IGh0dHBzOi8vd3d3Lmdvb2dsZS5jb20AAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjkAAAAHAAAAAQAAAA0AAAAGAAAADVgtQ2xpZW50LURhdGEAAAAHAAAAAAAAAA0AAAAFAAAAAmVpAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
6912
polling_time
32500
port_number
8443
sc_process32
%windir%\syswow64\Werfault.exe
sc_process64
%windir%\sysnative\Werfault.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEZbzcff9JbW4j2x/g8sxgLnunWbGHmo3zR9JkMt0jK+fjwjaNT/mOzuzkVf/b9ewCmrfrKpQ7VriS/9HHUjqL/v5CIgjJ9PqutAmfSq/EZEeWHGnfn5N+Pn0VFOphJom0jX5slvpnPmCF/tRFs0xgSDKQJPQbH+5JLh4koNstzQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.270500096e+09
unknown2
AAAABAAAAAEAAAARAAAAAgAAACAAAAANAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
1.610612736e+09
uri
/service/update2/json
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
watermark
391144938

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Targets

- Target
  
  10eb36291ef8c51d89a477e7bc683c707f7da550d2bd44f8104389a5d196341b
- Size
  
  536KB
- MD5
  
  182148d3c689c6351505df1a1efb11ba
- SHA1
  
  222c41065ce2b101716b65dbe7c1a48a27a0e30c
- SHA256
  
  10eb36291ef8c51d89a477e7bc683c707f7da550d2bd44f8104389a5d196341b
- SHA512
  
  6b733266338fdfbe9247fda4d2b3da00a82cadc5539b0c3a286d3e372f89bbde5b191d5dd069ade651290ab85ebc658efcf84db7b6be97de88ecb90fb34b49a7
- SSDEEP
  
  12288:oJpO5pNgTG4w0jhGGr7O6j0AR1zcnSyY3YBoNjjKMdoqZ5hcrGoAXBDp5oe6lB:oTOtEgKox6oAXBl5v6l
Score

10^/10

cobaltstrike 0 391144938 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Describes win.cobalt_strike.
  malpedia CS.
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cobaltstrike0391144938backdoortrojan

behavioral2

cobaltstrikebackdoortrojan

© 2018-2025

Terms | Privacy