cobaltstrike | 3922b22af71946fc376884c6bd78cb725e903456a3e5481819b55312c745367f

General

Target

190443cbf65c0898f914fc760934caea.exe
Size

517KB
MD5

190443cbf65c0898f914fc760934caea
SHA1

2038226438b0d02d675bde2253866329c69af1e6
SHA256

3922b22af71946fc376884c6bd78cb725e903456a3e5481819b55312c745367f
SHA512

03bc60cb328d59d40dcd6270f058ebdbd3d1fbed0e86f28cd357179c95c7f89fdb9bf35cc1020b834c6eaeeb631500814a90169d02c6f2334db3d0451b8b3544
SSDEEP

6144:EdmZWccb2kii5Z44P/fBlqjQJWYgARXIQ6BDDm5nYh6i74H:qmYHfia44PvqIdPXJ6BfInxi7i

Score

10^/10

cobaltstrike 0 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://208.70.76.100:3443/sJUK

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://208.70.76.100:3443/cx

Attributes

access_type
512
beacon_type
2048
host
208.70.76.100,/cx
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
3443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBJDSs318FAZ2e8d95toadIBJrb+Ly91RAoANFy4ietcRWyyKMBmgp/MbMk2D59Pcp7kb2aL1oOkwVCodoIGcszvToWK0YwuNknqiH9MxQbhalfck7SpglxHKTg2gNB0HGdzaMLl00qHyzeutQ9G3Yqk/7ySHKCaOsh7jdRv2fdwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MAAU; NP08)
watermark
100000

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

HXhr.exe

pid process

3948 HXhr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3948	HXhr.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

190443cbf65c0898f914fc760934caea.exeexplorer.exe

description	pid	process	target process
PID 3640 wrote to memory of 5084	3640	190443cbf65c0898f914fc760934caea.exe	werfault.exe
PID 3640 wrote to memory of 5084	3640	190443cbf65c0898f914fc760934caea.exe	werfault.exe
PID 3640 wrote to memory of 5084	3640	190443cbf65c0898f914fc760934caea.exe	werfault.exe
PID 3640 wrote to memory of 4524	3640	190443cbf65c0898f914fc760934caea.exe	explorer.exe
PID 3640 wrote to memory of 4524	3640	190443cbf65c0898f914fc760934caea.exe	explorer.exe
PID 5096 wrote to memory of 3948	5096	explorer.exe	HXhr.exe
PID 5096 wrote to memory of 3948	5096	explorer.exe	HXhr.exe
PID 5096 wrote to memory of 3948	5096	explorer.exe	HXhr.exe

C:\Users\Admin\AppData\Local\Temp\190443cbf65c0898f914fc760934caea.exe
"C:\Users\Admin\AppData\Local\Temp\190443cbf65c0898f914fc760934caea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\system32\werfault.exe
"C:\Windows\system32\werfault.exe"
2⤵
PID:5084

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" C:\Windows\temp\HXhr.exe
2⤵
PID:4524

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\Temp\HXhr.exe
"C:\Windows\Temp\HXhr.exe"
2⤵
- Executes dropped EXE
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\HXhr.exe
Filesize
478KB

MD5
2f2fde496d0ddae2f1db630fabee52ae

SHA1
f62ea05c48fde8b639504439e9b82d6c785ef83b

SHA256
dc04b1613773697123ae3c87072b6b3a7a2b5627d4b31bb0046e1fafbd2dd337

SHA512
6b2237233ea93e1c8a51ca1e2fc850c1ae5f21f2e655de98bc2041515bd7c2a2cae07913f9503ec72d1c553c3ec66b52652a6a7f27c1b65b3247d1b95c77445d

Download Submit
C:\Windows\Temp\HXhr.exe
Filesize
478KB

MD5
2f2fde496d0ddae2f1db630fabee52ae

SHA1
f62ea05c48fde8b639504439e9b82d6c785ef83b

SHA256
dc04b1613773697123ae3c87072b6b3a7a2b5627d4b31bb0046e1fafbd2dd337

SHA512
6b2237233ea93e1c8a51ca1e2fc850c1ae5f21f2e655de98bc2041515bd7c2a2cae07913f9503ec72d1c553c3ec66b52652a6a7f27c1b65b3247d1b95c77445d

Download Submit
memory/3640-0-0x00007FFA9EDB0000-0x00007FFA9EFA5000-memory.dmp

Filesize
2.0MB

Download
memory/3948-11-0x0000000005EB0000-0x0000000006454000-memory.dmp

Filesize
5.6MB

Download
memory/3948-13-0x0000000005BF0000-0x0000000005C00000-memory.dmp

Filesize
64KB

Download
memory/3948-19-0x0000000005BF0000-0x0000000005C00000-memory.dmp

Filesize
64KB

Download
memory/3948-10-0x0000000000EC0000-0x0000000000F3E000-memory.dmp

Filesize
504KB

Download
memory/3948-9-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/3948-18-0x0000000005BF0000-0x0000000005C00000-memory.dmp

Filesize
64KB

Download
memory/3948-12-0x00000000059A0000-0x0000000005A32000-memory.dmp

Filesize
584KB

Download
memory/3948-17-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/3948-14-0x0000000005940000-0x000000000594A000-memory.dmp

Filesize
40KB

Download
memory/3948-15-0x0000000005BF0000-0x0000000005C00000-memory.dmp

Filesize
64KB

Download
memory/5084-16-0x000001710C850000-0x000001710C89F000-memory.dmp

Filesize
316KB

Download
memory/5084-6-0x000001710C850000-0x000001710C89F000-memory.dmp

Filesize
316KB

Download
memory/5084-1-0x000001710C4C0000-0x000001710C4C1000-memory.dmp

Filesize
4KB

Download
memory/5084-5-0x000001710E6D0000-0x000001710EAD0000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads