cobaltstrike | 7ef77c120d97da284eccce764cf47c26c1a80457d53c2d011b6ba0288942f02f

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2023 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ef77c120d97da284eccce764cf47c26c1a80457d53c2d011b6ba0288942f02f.exe
Size

6.5MB
MD5

0505b8668e11aac4acd044495dffbb37
SHA1

7718e707295a049de73f6c1ca193346aa772092d
SHA256

7ef77c120d97da284eccce764cf47c26c1a80457d53c2d011b6ba0288942f02f
SHA512

25e3b249e5fc4449657195cf7e7828ab307d50f1b6e58f3ef94d4dae25f6940a456ffce251492e1a396ae662d387b1b090ceaeac2ad6da6e8da8dd55998246a5
SSDEEP

196608:JhaOjdQmRJ8dA6l7aycBIGpEyUXIZVchV88LG:vdQusl29bchV8p

Score

10^/10

cobaltstrike 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://194.29.187.194:443/jquery-3.3.2.slim.min.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Extracted

Family

cobaltstrike

Botnet

100000

http://194.29.187.194:443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
194.29.187.194,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCuPf3kkkjVLT/eFY5OYOqyRdaP1EHIMlX3z1BkoOdRmjXH7+NIq/yUmJmsne/2K4NzNIuzy7otrj8rXzipEB1wGK6meWzYGenK10sK1sYD+dYZcxbp5d9tD8t8tvTbyJ1Ghulc0rl5FsMIWK9NAlbltnqwAuAPbellIARSBC/xwwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
100000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 5 IoCs

Processes:

7ef77c120d97da284eccce764cf47c26c1a80457d53c2d011b6ba0288942f02f.exe

pid	process
3804	7ef77c120d97da284eccce764cf47c26c1a80457d53c2d011b6ba0288942f02f.exe
3804	7ef77c120d97da284eccce764cf47c26c1a80457d53c2d011b6ba0288942f02f.exe
3804	7ef77c120d97da284eccce764cf47c26c1a80457d53c2d011b6ba0288942f02f.exe
3804	7ef77c120d97da284eccce764cf47c26c1a80457d53c2d011b6ba0288942f02f.exe
3804	7ef77c120d97da284eccce764cf47c26c1a80457d53c2d011b6ba0288942f02f.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

7ef77c120d97da284eccce764cf47c26c1a80457d53c2d011b6ba0288942f02f.exe

description	pid	process	target process
PID 3820 wrote to memory of 3804	3820	7ef77c120d97da284eccce764cf47c26c1a80457d53c2d011b6ba0288942f02f.exe	7ef77c120d97da284eccce764cf47c26c1a80457d53c2d011b6ba0288942f02f.exe
PID 3820 wrote to memory of 3804	3820	7ef77c120d97da284eccce764cf47c26c1a80457d53c2d011b6ba0288942f02f.exe	7ef77c120d97da284eccce764cf47c26c1a80457d53c2d011b6ba0288942f02f.exe

C:\Users\Admin\AppData\Local\Temp\7ef77c120d97da284eccce764cf47c26c1a80457d53c2d011b6ba0288942f02f.exe
"C:\Users\Admin\AppData\Local\Temp\7ef77c120d97da284eccce764cf47c26c1a80457d53c2d011b6ba0288942f02f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3820

C:\Users\Admin\AppData\Local\Temp\7ef77c120d97da284eccce764cf47c26c1a80457d53c2d011b6ba0288942f02f.exe
"C:\Users\Admin\AppData\Local\Temp\7ef77c120d97da284eccce764cf47c26c1a80457d53c2d011b6ba0288942f02f.exe"
2⤵
- Loads dropped DLL
PID:3804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI38202\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\_ctypes.pyd
Filesize
119KB

MD5
ca4cef051737b0e4e56b7d597238df94

SHA1
583df3f7ecade0252fdff608eb969439956f5c4a

SHA256
e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b

SHA512
17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\_ctypes.pyd
Filesize
119KB

MD5
ca4cef051737b0e4e56b7d597238df94

SHA1
583df3f7ecade0252fdff608eb969439956f5c4a

SHA256
e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b

SHA512
17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\base_library.zip
Filesize
1.0MB

MD5
d81549c54d36ca0ba6fe889bd0b3cf07

SHA1
a2c9fddd9071154871f137a49f8f540f1a5c7682

SHA256
09c22fb8c254f2bb0f451383f78177a712f1cc859bb8dffac03d128b9fcbf335

SHA512
93e02ea3f420659bbcc7ae30724294a829fdba6e9930679de3e6be8c3a86ca2c436d360a797cad16a0215aa1585a4baa8f68e6f4bd27f1879d4c7621e9642669

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\python310.dll
Filesize
4.3MB

MD5
deaf0c0cc3369363b800d2e8e756a402

SHA1
3085778735dd8badad4e39df688139f4eed5f954

SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\python310.dll
Filesize
4.3MB

MD5
deaf0c0cc3369363b800d2e8e756a402

SHA1
3085778735dd8badad4e39df688139f4eed5f954

SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\ucrtbase.dll
Filesize
1.1MB

MD5
56c350293b27d61410f9d212f6f4b8f3

SHA1
4b11908f434e2eb1b253d0023660381b349eb09a

SHA256
b30c5de351714e033b9e835158f008c96f17e492a85bfb1bddb3424d286b59fc

SHA512
3281e85a741e73f134289b5cae5304b5f236117d605b98987a25251ea4cc1bc37718765485892f0163c4496f5ebd2290e23989573aea84f1537441dd33cb711b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38202\ucrtbase.dll
Filesize
1.1MB

MD5
56c350293b27d61410f9d212f6f4b8f3

SHA1
4b11908f434e2eb1b253d0023660381b349eb09a

SHA256
b30c5de351714e033b9e835158f008c96f17e492a85bfb1bddb3424d286b59fc

SHA512
3281e85a741e73f134289b5cae5304b5f236117d605b98987a25251ea4cc1bc37718765485892f0163c4496f5ebd2290e23989573aea84f1537441dd33cb711b

Download Submit
memory/3804-66-0x0000025912250000-0x0000025912251000-memory.dmp

Filesize
4KB

Download
memory/3804-67-0x0000025912720000-0x0000025912B92000-memory.dmp

Filesize
4.4MB

Download
memory/3804-68-0x0000025912320000-0x0000025912720000-memory.dmp

Filesize
4.0MB

Download