cobaltstrike | 3922b22af71946fc376884c6bd78cb725e903456a3e5481819b55312c745367f

General

Target

190443cbf65c0898f914fc760934caea.exe
Size

517KB
MD5

190443cbf65c0898f914fc760934caea
SHA1

2038226438b0d02d675bde2253866329c69af1e6
SHA256

3922b22af71946fc376884c6bd78cb725e903456a3e5481819b55312c745367f
SHA512

03bc60cb328d59d40dcd6270f058ebdbd3d1fbed0e86f28cd357179c95c7f89fdb9bf35cc1020b834c6eaeeb631500814a90169d02c6f2334db3d0451b8b3544
SSDEEP

6144:EdmZWccb2kii5Z44P/fBlqjQJWYgARXIQ6BDDm5nYh6i74H:qmYHfia44PvqIdPXJ6BfInxi7i

Score

10^/10

cobaltstrike 0 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://208.70.76.100:3443/sJUK

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://208.70.76.100:3443/cx

Attributes

access_type
512
beacon_type
2048
host
208.70.76.100,/cx
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
3443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBJDSs318FAZ2e8d95toadIBJrb+Ly91RAoANFy4ietcRWyyKMBmgp/MbMk2D59Pcp7kb2aL1oOkwVCodoIGcszvToWK0YwuNknqiH9MxQbhalfck7SpglxHKTg2gNB0HGdzaMLl00qHyzeutQ9G3Yqk/7ySHKCaOsh7jdRv2fdwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MAAU; NP08)
watermark
100000

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

HXhr.exe

pid process

1608 HXhr.exe

pid	process
1608	HXhr.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

190443cbf65c0898f914fc760934caea.exeexplorer.exe

description	pid	process	target process
PID 2660 wrote to memory of 1992	2660	190443cbf65c0898f914fc760934caea.exe	werfault.exe
PID 2660 wrote to memory of 1992	2660	190443cbf65c0898f914fc760934caea.exe	werfault.exe
PID 2660 wrote to memory of 1992	2660	190443cbf65c0898f914fc760934caea.exe	werfault.exe
PID 2660 wrote to memory of 1992	2660	190443cbf65c0898f914fc760934caea.exe	werfault.exe
PID 2660 wrote to memory of 2256	2660	190443cbf65c0898f914fc760934caea.exe	explorer.exe
PID 2660 wrote to memory of 2256	2660	190443cbf65c0898f914fc760934caea.exe	explorer.exe
PID 2660 wrote to memory of 2256	2660	190443cbf65c0898f914fc760934caea.exe	explorer.exe
PID 1752 wrote to memory of 1608	1752	explorer.exe	HXhr.exe
PID 1752 wrote to memory of 1608	1752	explorer.exe	HXhr.exe
PID 1752 wrote to memory of 1608	1752	explorer.exe	HXhr.exe
PID 1752 wrote to memory of 1608	1752	explorer.exe	HXhr.exe

C:\Users\Admin\AppData\Local\Temp\190443cbf65c0898f914fc760934caea.exe
"C:\Users\Admin\AppData\Local\Temp\190443cbf65c0898f914fc760934caea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\system32\werfault.exe
"C:\Windows\system32\werfault.exe"
2⤵
PID:1992

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" C:\Windows\temp\HXhr.exe
2⤵
PID:2256

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\Temp\HXhr.exe
"C:\Windows\Temp\HXhr.exe"
2⤵
- Executes dropped EXE
PID:1608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAB54.tmp
Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\Temp\HXhr.exe
Filesize
478KB

MD5
2f2fde496d0ddae2f1db630fabee52ae

SHA1
f62ea05c48fde8b639504439e9b82d6c785ef83b

SHA256
dc04b1613773697123ae3c87072b6b3a7a2b5627d4b31bb0046e1fafbd2dd337

SHA512
6b2237233ea93e1c8a51ca1e2fc850c1ae5f21f2e655de98bc2041515bd7c2a2cae07913f9503ec72d1c553c3ec66b52652a6a7f27c1b65b3247d1b95c77445d

Download Submit
C:\Windows\Temp\HXhr.exe
Filesize
478KB

MD5
2f2fde496d0ddae2f1db630fabee52ae

SHA1
f62ea05c48fde8b639504439e9b82d6c785ef83b

SHA256
dc04b1613773697123ae3c87072b6b3a7a2b5627d4b31bb0046e1fafbd2dd337

SHA512
6b2237233ea93e1c8a51ca1e2fc850c1ae5f21f2e655de98bc2041515bd7c2a2cae07913f9503ec72d1c553c3ec66b52652a6a7f27c1b65b3247d1b95c77445d

Download Submit
memory/1608-29-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/1608-52-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/1608-9-0x0000000000980000-0x00000000009FE000-memory.dmp

Filesize
504KB

Download
memory/1608-10-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/1608-18-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/1608-54-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/1608-53-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/1992-31-0x0000000002280000-0x00000000022CF000-memory.dmp

Filesize
316KB

Download
memory/1992-4-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1992-2-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1992-30-0x0000000003040000-0x0000000003440000-memory.dmp

Filesize
4.0MB

Download
memory/1992-55-0x0000000002280000-0x00000000022CF000-memory.dmp

Filesize
316KB

Download
memory/2660-1-0x0000000077560000-0x0000000077709000-memory.dmp

Filesize
1.7MB

Download
memory/2660-6-0x0000000077560000-0x0000000077709000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads