cobaltstrike | dfc7edf1c78ecbd66f71ffa2b90ed14afa8163eb752650f3a411b780006a5127

General

Target

dfc7edf1c78ecbd66f71ffa2b90ed14afa8163eb752650f3a411b780006a5127.exe
Size

1.1MB
MD5

8d8fe0914ac639be97c5d75898313a36
SHA1

207c7ccfc53dbcec01d70a412118752331fcecac
SHA256

dfc7edf1c78ecbd66f71ffa2b90ed14afa8163eb752650f3a411b780006a5127
SHA512

f02ec82c8e3cd9c5965c0ff1f1dc6f7796834ea16a76b342a6de104506c6d2d400aa99162d01194d374796bdaf666a17cdf8eee0865d6cafd742abe74e604edb
SSDEEP

24576:+GHCm8uPdJhdZDWTBaAOXmjZ3Jn9opwfUZQr304Dh3A9g1rCPZV4E:DuWPHACGJnepwMZQrk4DskCRV/

Score

10^/10

cobaltstrike 0 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://206.237.17.176:8443/pixel.gif

Attributes

access_type
512
beacon_type
2048
host
206.237.17.176,/pixel.gif
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
8443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvjuYvf60BtyAlDz4ZCanpB8v1IvFxQcW0TQKIZjXTFbkjUyweLLei6qqrEnPa5Zigs2v9ivFyBLwSLlcZeg2LLxUz67Ka+ee/AVGG0bSX3Kye/QF6mz7qIXer/C0A9AJjUQdYKU62tbjZXdbQuTnUZ/kC0NB6CCi7Q8fhDbpsrwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)
watermark
100000

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

main.exe

pid process

3040 main.exe

pid	process
3040	main.exe

Loads dropped DLL 2 IoCs

Processes:

dfc7edf1c78ecbd66f71ffa2b90ed14afa8163eb752650f3a411b780006a5127.exe

pid	process
2564	dfc7edf1c78ecbd66f71ffa2b90ed14afa8163eb752650f3a411b780006a5127.exe
2564	dfc7edf1c78ecbd66f71ffa2b90ed14afa8163eb752650f3a411b780006a5127.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2676 DllHost.exe

pid	process
2676	DllHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

dfc7edf1c78ecbd66f71ffa2b90ed14afa8163eb752650f3a411b780006a5127.exe

description	pid	process	target process
PID 2564 wrote to memory of 3040	2564	dfc7edf1c78ecbd66f71ffa2b90ed14afa8163eb752650f3a411b780006a5127.exe	main.exe
PID 2564 wrote to memory of 3040	2564	dfc7edf1c78ecbd66f71ffa2b90ed14afa8163eb752650f3a411b780006a5127.exe	main.exe
PID 2564 wrote to memory of 3040	2564	dfc7edf1c78ecbd66f71ffa2b90ed14afa8163eb752650f3a411b780006a5127.exe	main.exe
PID 2564 wrote to memory of 3040	2564	dfc7edf1c78ecbd66f71ffa2b90ed14afa8163eb752650f3a411b780006a5127.exe	main.exe

C:\Users\Admin\AppData\Local\Temp\dfc7edf1c78ecbd66f71ffa2b90ed14afa8163eb752650f3a411b780006a5127.exe
"C:\Users\Admin\AppData\Local\Temp\dfc7edf1c78ecbd66f71ffa2b90ed14afa8163eb752650f3a411b780006a5127.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564

C:\windows\temp\main.exe
"C:\windows\temp\main.exe"
2⤵
- Executes dropped EXE
PID:3040

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\main.exe
Filesize
1.8MB

MD5
cde98fef18f15ebc886f13cbd446228e

SHA1
4ef7fead6e24a5f93b21712e049632fba7baf7f0

SHA256
11924363bbb2981801b4680310b2de31a44774868ded45f228f7e03179bc3bd9

SHA512
fcb65475cfe7d5ed96b080bfadcb1536bb377a83d67b71c0b50c0b80b6a36f9d9d8a61f8b3d971616b7493e6b3b574b3df6e1efeedece53d7716a18e25f70acd

Download Submit
C:\Windows\Temp\main.exe
Filesize
1.8MB

MD5
cde98fef18f15ebc886f13cbd446228e

SHA1
4ef7fead6e24a5f93b21712e049632fba7baf7f0

SHA256
11924363bbb2981801b4680310b2de31a44774868ded45f228f7e03179bc3bd9

SHA512
fcb65475cfe7d5ed96b080bfadcb1536bb377a83d67b71c0b50c0b80b6a36f9d9d8a61f8b3d971616b7493e6b3b574b3df6e1efeedece53d7716a18e25f70acd

Download Submit
C:\windows\temp\微信图片_20230907133836.png
Filesize
8KB

MD5
596d110f9ccce7b6a0203d13f34978b9

SHA1
a2d3e4af967cf4306be63aba6c387e2e0873e894

SHA256
d5cc87c4a8194969a84de4e6127bbc832ed86f101996f67943137f07697cbe19

SHA512
0317b21ba3b66e0b7d56c82c70b8f85986fc9bd4e09e00e546cae8bf2333e8bc8399d79d931787898060379ff65a0a0871e280ce18ebd286be21942115fdc29b

Download Submit
\Windows\Temp\main.exe
Filesize
1.8MB

MD5
cde98fef18f15ebc886f13cbd446228e

SHA1
4ef7fead6e24a5f93b21712e049632fba7baf7f0

SHA256
11924363bbb2981801b4680310b2de31a44774868ded45f228f7e03179bc3bd9

SHA512
fcb65475cfe7d5ed96b080bfadcb1536bb377a83d67b71c0b50c0b80b6a36f9d9d8a61f8b3d971616b7493e6b3b574b3df6e1efeedece53d7716a18e25f70acd

Download Submit
\Windows\Temp\main.exe
Filesize
1.8MB

MD5
cde98fef18f15ebc886f13cbd446228e

SHA1
4ef7fead6e24a5f93b21712e049632fba7baf7f0

SHA256
11924363bbb2981801b4680310b2de31a44774868ded45f228f7e03179bc3bd9

SHA512
fcb65475cfe7d5ed96b080bfadcb1536bb377a83d67b71c0b50c0b80b6a36f9d9d8a61f8b3d971616b7493e6b3b574b3df6e1efeedece53d7716a18e25f70acd

Download Submit
memory/2564-15-0x0000000002FA0000-0x0000000002FA2000-memory.dmp

Filesize
8KB

Download
memory/2676-16-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/2676-17-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2676-20-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/3040-12-0x0000000002020000-0x0000000002061000-memory.dmp

Filesize
260KB

Download
memory/3040-14-0x00000000287B0000-0x00000000287FF000-memory.dmp

Filesize
316KB

Download
memory/3040-19-0x00000000287B0000-0x00000000287FF000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads