cobaltstrike

Sharing

Copy URL

Twitter E-mail

General

Target

44ab0ff07eacdeb0f74bffffd16ba826f6a6d7676df320303e0d960122ce51f5_JC.zip
Size

2.3MB
Sample

230924-payp7sga43
MD5

cdeda3924eebe0de7892e3cac1ec8dcc
SHA1

8e5d487277d478630a3921054f1efa8836809bb6
SHA256

44ab0ff07eacdeb0f74bffffd16ba826f6a6d7676df320303e0d960122ce51f5
SHA512

d8d3907e0ef9721824be86110a1f37d307feba08cc17aa2abbf00418eca750b338c73f9fdb6be974071f3ecd37227ede3ccab7bc19b03a569ede633f59fab019
SSDEEP

49152:vgHRfwRwHJNkA4Z8lbpV4bFVirY44m3FGHJPSQtrf8gw/PjYTh8/:4SibkA4aFpIyrltA5Zrf83/rY8

Score

10^/10

cobaltstrike eternity xmrig 0 backdoor clipper collection miner spyware stealer trojan upx

Malware Config

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Wallets

44CXkMKGjDvF7no7BaqUNug1jfk2HbibZVTq5QyxtBndGrGhNCSujURPfPuAF81QPKCg2ircpyCKcQkYLR1hsZsQRtnUJxN

1C4hJT5n1tSiGKWup67DAiJdVv6GhjdN7k

bitcoincash:qp7cvk9y54wavs7ymyxs6dg7dsr4jyww3gl7l0u2qu

0x4B2924cc68f9920179ae27423d1b1AFdF1278a16

DMjAHewovYwGUbBRDjLXcBmRF1zdHHixs1

TM5P1JHRL7B6qRLhu1ETn3Fevhjrr4dS8E

LLUBUSsFjwFVyn66kDy5BjumSuQ2Kr76hR

rKGztQSkFyn5wfPg5Bg6JhXKMnRx2pCyDN

t1dmAv1SZBcsbJUpCHN5TEFNUZdGEjTq8o4

Xvm7enX3tAp3Z8xioepTajnCet8FVWMHV7

GC56QYDSZEO3P353Y7FA4YTLGX7YNMQQ7XGZ7O67RTKN7MLGCXCBIEEM

bnb1ydrtrn5fn0ymphv4mc9n2yes6pjhgxnyj5yd7x

2JC8emeKdhgzT8N8m1m6afvAgagAnp8Xpkvcnk6wNKdn

F2J7WG7RTUAEC7JMTB2GNJ2XS3E5UCBBW2R6MBLWUDKINF5ZF7YQ2WBHNA

Extracted

Family

cobaltstrike

Botnet

http://45.66.230.113:120/match

Attributes

access_type
512
host
45.66.230.113,/match
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
120
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENXA)
watermark
0

Targets

- Target
  
  Clipper.exe
- Size
  
  36KB
- MD5
  
  a8336c9284c9ef94e43c872a9d851745
- SHA1
  
  ddeab3f743a27717697ce67b1efc5ddc9f6f23e9
- SHA256
  
  160ffdb97712c84d3e7dca1e26924d48cd92afb6c21665df8912cae81cc91d9b
- SHA512
  
  04a7c409c202ff182c8fef28b8bf0dfa1cda362e77940d2c163b5011dfb9980c8221d3caeceb2c4989683f53cb1de910a9b8bcf0ddd5a5d07dcdb7050b4fd68a
- SSDEEP
  
  768:qn3vh2w5xJC2KnNfV8od6cZT5pRkLAgSbX6z:q3vtjaVF5p6LQqz
Score

10^/10

eternity clipper
- Detects Eternity clipper
  clipper
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
  eternity
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  Miner.exe
- Size
  
  2.0MB
- MD5
  
  b286969b55a9dbb7c7fb450772107ac1
- SHA1
  
  7d261c2b4201352af43cd88a7219afe3af2b17aa
- SHA256
  
  e953bb0c7b8a595c6980f434c2fdd59ca1140df29854dd1c906f9dfcde779c76
- SHA512
  
  2239fd8f38f1f213f7082b155598a5893e8f72da547d1bf1718902a3e5a89c79f51ee9190ab53284961191ce00dad8b42cb9721f40f37af414d8114c2d3f20c1
- SSDEEP
  
  49152:I/HRfSRKPhC6K9iDR3Zibb/O9m4Ujc2GCdLx9E:I/0KJC6KMd3Ka9nHryz
Score

10^/10

xmrig miner upx
- Suspicious use of NtCreateUserProcessOtherParentProcess
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  Rat.exe
- Size
  
  281KB
- MD5
  
  f8c994f9200f4155e881ab90ab1598a7
- SHA1
  
  608211dd3ce29cd93bb85aceae5753668cedaa97
- SHA256
  
  7b32248b74221a7079688ad6b857505a22f9de5d0f78100112816918636de0dd
- SHA512
  
  0e5ff8950f3d17d416e0b4929ad2e1a3449c36ff20e344ecaa60566755f0513a1fe64b1c3bc49ed5178a5793d6e853a0c34cf5735f9dbc73af1e71cb886430e4
- SSDEEP
  
  6144:xC6hRwvyDGFJ7AuEDjATIKqWk7e7HqV6TI9X+kGnvFo0e:xRwvyUJ79EDjAcKVqVikGnO0
Score

10^/10

cobaltstrike 0 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral5 behavioral6
- Target
  
  Stealer.exe
- Size
  
  335KB
- MD5
  
  841ce3b003ee2d41c5c6b53a983f31c1
- SHA1
  
  5127475b042a5aaa8ac869d7024082d701a71aad
- SHA256
  
  a5321ffc44084cba8e5bedc4fe98bc151b5f90a01192fa8d695ffcb0c8363ebd
- SHA512
  
  18bf3713cf4d2e23346a70801918b5df4c7cf6d10bda15aba64b92881c5d2b66dfa0bc2f8524e031bb7fc739cdc5177c217f12213083f5cbe0d117632bd7e6a6
- SSDEEP
  
  6144:AwzO189USPgbr8zExVQQdCZiBeB5y0vN4t/xZAbANK:AwzO18CS4xCZi70F8
Score

10^/10

eternity collection spyware stealer
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
  eternity
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral7 behavioral8

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detects Eternity clipper

Eternity

Looks up external IP address via web service

Suspicious use of NtCreateUserProcessOtherParentProcess

xmrig

XMRig Miner payload

UPX packed file

Suspicious use of SetThreadContext

Eternity

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8