cobaltstrike | 66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e

Analysis

max time kernel
144s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2023 11:38

Target

66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe
Size

1.4MB
MD5

1eb04ec39c477b669e5c2a4d9cadb311
SHA1

7426f4221d0f2807805117e2f40b593da4744d1d
SHA256

66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e
SHA512

50c13a2be956abec07f188da7e7a2cb01b5ff67b8a8e2b31c865f28784352fcccbcaa4bd76b9af543440b14f98f1d93e2c9dd5ab2292daa238facb8914d11249
SSDEEP

24576:qt2DaDYipbx9vetzrTpykpqRYlGdADD7HXxydNAILXSze9p8LklA:qEDSY8af8YlcAbHXcdNRX4eQLk2

Score

10^/10

Family

cobaltstrike

http://47.94.214.199:80/zLDS

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
2984	66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe
2984	66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe
2984	66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe
2984	66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe
2984	66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe
2984	66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe
2984	66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe
2984	66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe
2984	66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe
2984	66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe
2984	66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe
2984	66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe
2984	66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe
2984	66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe
2984	66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe
2984	66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe
2984	66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe

C:\Users\Admin\AppData\Local\Temp\66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe
"C:\Users\Admin\AppData\Local\Temp\66d3588aba78c75a1cef6e2ef78658995e9bd7ac5bae3a146555e9e1552f390e.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2984

memory/2984-0-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2984-1-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2984-2-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2984-3-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2984-4-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2984-5-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download