cobaltstrike | f7714a6adf58a4ff4d44be68e5bbd676c860f3560cf20b821051d0948c491bfa

Analysis

max time kernel
139s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2023 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7714a6adf58a4ff4d44be68e5bbd676c860f3560cf20b821051d0948c491bfa.dll
Size

9KB
MD5

92fe208986491f8510883bbff5391bc3
SHA1

386fc5e8af6fd706876320a933149467303ca8e2
SHA256

f7714a6adf58a4ff4d44be68e5bbd676c860f3560cf20b821051d0948c491bfa
SHA512

cbd7f47f81576d231011c0b62e5cce32e83dd95154fd30530e9d44211f6a4dc34cff0ccfbfb59026653f72bb90fcf56fc7c731179241a63a9990d930afca0424
SSDEEP

48:q0r+l6O5aXyn/hNhx4/jC/VyR9x3P7cvAw5av9w/nuPLLCKRb0E:dX0Y7x34r5av2nELLP

Score

10^/10

cobaltstrike 0 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://43.138.188.41:5556/ZLBu

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)

Extracted

Family

cobaltstrike

Botnet

305419896

http://43.138.188.41:5556/cm

Attributes

access_type
512
host
43.138.188.41,/cm
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
5556
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tPKs8MV4yIjJb5CtlrbKHjzP1oD/1AQsj6EKlEMFIKtakLx5+VybrMYE+dDdkDteHmVX0AeFyw001FyQVlt1B+OSNPRscKI5sh1L/ZdwnrMy6S6nNbQ5N5hls6k2kgNO5nQ7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
watermark
305419896

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

1 636 rundll32.exe
9 636 rundll32.exe
38 636 rundll32.exe
44 636 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1748 set thread context of 636 1748 rundll32.exe rundll32.exe

flow	pid	process
1	636	rundll32.exe
9	636	rundll32.exe
38	636	rundll32.exe
44	636	rundll32.exe

description	pid	process	target process
PID 1748 set thread context of 636	1748	rundll32.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1748 wrote to memory of 636	1748	rundll32.exe	rundll32.exe
PID 1748 wrote to memory of 636	1748	rundll32.exe	rundll32.exe
PID 1748 wrote to memory of 636	1748	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7714a6adf58a4ff4d44be68e5bbd676c860f3560cf20b821051d0948c491bfa.dll,#1
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\system32\rundll32.exe
rundll32.exe
2⤵
- Blocklisted process makes network request
PID:636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/636-133-0x0000015519800000-0x0000015519801000-memory.dmp

Filesize
4KB

Download
memory/636-134-0x000001551B640000-0x000001551BA40000-memory.dmp

Filesize
4.0MB

Download
memory/636-135-0x000001551BA40000-0x000001551BA8C000-memory.dmp

Filesize
304KB

Download
memory/636-136-0x000001551BA40000-0x000001551BA8C000-memory.dmp

Filesize
304KB

Download