cobaltstrike | 70bf4204a704988bfe6564ee4a0e1523864037c0ae1f74f37f8b238a30f49dfa | Triage

Sharing

Copy URL Twitter E-mail

General

Target

70bf4204a704988bfe6564ee4a0e1523864037c0ae1f74f37f8b238a30f49dfa
Size

946KB
MD5

88d5a1f3de4cc410c52d294d862bd30d
SHA1

89a298e8c170e42aaa88b9e36fba7f8ff3230dbc
SHA256

70bf4204a704988bfe6564ee4a0e1523864037c0ae1f74f37f8b238a30f49dfa
SHA512

7354bcf09f65f6681689c6afd02ba65f824dca1f3fe6fde2610afa72796fdbbddb426708ab7f0b6e908564e8b11811e3f1625c445cf78a3fcfcb6da924d0acef
SSDEEP

12288:lqwJzxGsOFdVFU+eEtt24m12QVlrStSdLpY+L7ObLwJ/rr:0wJVOFZU+eEtg128ln1pvi0

Score

10^/10

cobaltstrike

Malware Config

Extracted

Family

cobaltstrike

C2

http://45.77.247.144:8088/jBHi

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)

Signatures

Cobaltstrike family
cobaltstrike

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
70bf4204a704988bfe6564ee4a0e1523864037c0ae1f74f37f8b238a30f49dfa

Files

70bf4204a704988bfe6564ee4a0e1523864037c0ae1f74f37f8b238a30f49dfa
.exe windows x86

0d6b2433b9af4c1382ad94472120d6be

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

winmm

timeBeginPeriod

ws2_32

WSAGetOverlappedResult

ntdll

NtWaitForSingleObject

advapi32

CryptReleaseContext
CryptGenRandom
CryptAcquireContextW

kernel32

WriteFile
WriteConsoleW
WaitForSingleObject
VirtualFree
VirtualAlloc
SwitchToThread
SuspendThread
SetWaitableTimer
SetUnhandledExceptionFilter
SetThreadPriority
SetProcessPriorityBoost
SetEvent
SetErrorMode
SetConsoleCtrlHandler
ResumeThread
LoadLibraryA
LoadLibraryW
GetThreadContext
GetSystemInfo
GetStdHandle
GetQueuedCompletionStatus
GetProcessAffinityMask
GetProcAddress
GetEnvironmentStringsW
GetConsoleMode
FreeEnvironmentStringsW
ExitProcess
DuplicateHandle
CreateWaitableTimerA
CreateThread
CreateEventA
CloseHandle
AddVectoredExceptionHandler

Sections

.text
Size: 933KB - Virtual size: 933KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 91KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.symtab
Size: 512B - Virtual size: 4B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ