cobaltstrike

Sharing

Copy URL

Twitter E-mail

General

Target

Note.zip
Size

480KB
Sample

231011-n743tadg7z
MD5

ea4ace88d15a3d49a0895d90a08a5727
SHA1

f768d846afc4c18a704e8cd6577d4ce27c589050
SHA256

09233ec1998287e1addfde586c10fe3493ac90fa51d2bb0ed95a5bf685f258fe
SHA512

3b8d72e1088d7f44185122044c248f63290362249669472e93f8720b262cfae4d394fbc171bec71a85a1e8b7cc1ec245ac8793652def740bb49712baeab22c21
SSDEEP

12288:ZEAXFoCAybvB/9P5gKLOqi3adPla3X9WXVKfpwbk3tQ:ZxXvbxpqKLOqiKdNaUXVIwY3i

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

1359593325

http://communitypowersports.com:443/owa/L7k2NQpwPNLq4C2dHD6TRv00GCH1axhaWv

Attributes

access_type
512
beacon_type
2048
host
communitypowersports.com,/owa/L7k2NQpwPNLq4C2dHD6TRv00GCH1axhaWv
http_header1
AAAAEAAAAB5Ib3N0OiBjb21tdW5pdHlwb3dlcnNwb3J0cy5jb20AAAAKAAAAC0FjY2VwdDogKi8qAAAACgAAAIFDb29raWU6IE1pY3Jvc29mdEFwcGxpY2F0aW9uc1RlbGVtZXRyeURldmljZUlkPTk1YzE4ZDgtNGRjZTk4NTQ7Q2xpZW50SWQ9MUMwRjZDNUQ5MTBGOTtNU1BBdXRoPTNFa0FqREtqSTt4aWQ9NzMwYmY3O3dsYTQyPVRjbjRneEYAAAAHAAAAAAAAAA0AAAAFAAAAAndhAAAACQAAAA5wYXRoPS9jYWxlbmRhcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAAB5Ib3N0OiBjb21tdW5pdHlwb3dlcnNwb3J0cy5jb20AAAAKAAAAC0FjY2VwdDogKi8qAAAABwAAAAAAAAANAAAAAgAAAAZ3bGE0Mj0AAAACAAAAC3hpZD03MzBiZjc7AAAAAgAAABJNU1BBdXRoPTNFa0FqREtqSTsAAAACAAAAF0NsaWVudElkPTFDMEY2QzVEOTEwRjk7AAAAAgAAADhNaWNyb3NvZnRBcHBsaWNhdGlvbnNUZWxlbWV0cnlEZXZpY2VJZD05NWMxOGQ4LTRkY2U5ODU0OwAAAAYAAAAGQ29va2llAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
4608
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\powercfg.exe
sc_process64
%windir%\sysnative\powercfg.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChORoRab4XO67pj8I4W5dFIKj5UO6AYl1yopRsh5SeYN9Lp9iGQj0lmOSGykZioM7hXD6GM6XjpjhvS0sUa5/3ApIhS8XosTs2Tk7iHNQJJuFsIIwpWSCHO3GM6HEJxqgeFIRN5UY+oOcg/JJJJZaG8kJoo4dDeMtF7kD12wViTQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.448416512e+09
unknown2
AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/owa/o9besAWTTVJKNeyrfOOy2tn-epXE7f
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.0 Safari/537.36 Edg/80.0.361.0
watermark
1359593325

Targets

- Target
  
  AppvIsvSubsystems64.dll
- Size
  
  26KB
- MD5
  
  f532c0247b683de8936982e86876093b
- SHA1
  
  f61e0d09be2fc81d6f325aa7041be6136a747c2d
- SHA256
  
  ddf218e4e7ccd5e8bd502fb115d1e7fbfaa393fb7e0b3b9001168caebc771c50
- SHA512
  
  1f0407494f5ad0ae76bfb64ec045ee7fe14a0495a8266159c22c64463e2cd5b6069ce6fe6d1a611ea28d8b3231dc947db112b09deb9f6e7d386ca5363f5b4b6d
- SSDEEP
  
  384:Op74mPLg9imSv9SKRaqIqOIYJOlJhqUqmbDhEZjunblk:Op74uUiaKRaq+IY2MmbDhWjun
Score

1^/10
behavioral1 behavioral2
- Target
  
  Note .exe
- Size
  
  1.6MB
- MD5
  
  83863beee3502e42ced7e4b6dacb9eac
- SHA1
  
  d9d40cb3e2fe05cf223dc0b592a592c132340042
- SHA256
  
  cb470d77087518ed7bc53ca624806c265ae2485d40ec212acc2559720940fb27
- SHA512
  
  7412dd1d752d73018bbd3eb1df637674a8be0b82ab608155b35ab3b728f7dae8c8d5420eac69fda8e7054a99628bed8adce7ab9236af0ce138758a51b50d4561
- SSDEEP
  
  6144:lkxsldgbztkAzkAZqrEdrEAZUCwFjNNJKa:lkxsluNPqrEdrEBd
Score

10^/10

cobaltstrike 1359593325 backdoor persistence trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Adds Run key to start application
  persistence
behavioral3 behavioral4
- Target
  
  envsrv.dll
- Size
  
  56KB
- MD5
  
  2ffaa8cbc7f0d21d03d3dd897d974dba
- SHA1
  
  6dff9a9f13300a5ce72a70d907ff7854599e990a
- SHA256
  
  cfa65036aff012d7478694ea733e3e882cf8e18f336af5fba3ed2ef29160d45b
- SHA512
  
  a40e053f283181634da4882c8d000bf7444cb727b21108808cab416dd1ba4314133aa7d8be8916c91aa0e564d63947971bd6396dce45893f20498ac62c7a8ed6
- SSDEEP
  
  768:KQNhSWjo4jqjJ1Ybqq/HAISOegJwb/U5jNJtX95zXW3EuNMyySsvdWI9w8RDGUFq:JhSx4jCOOq6OVEs9Le8RyUFDgqg
Score

1^/10
behavioral5 behavioral6
- Target
  
  mschost.dll
- Size
  
  391KB
- MD5
  
  5b6d8a474c556fe327004ed8a33edcdb
- SHA1
  
  a677b6aa958fe02cac0730d36e8123648e02884f
- SHA256
  
  86edfd6c7a2fab8c50a372494e3d5b08c032cca754396f6e288d5d4c5738cb4c
- SHA512
  
  e7ea57e545fab86afe8b9cf1f760e49911e4c076abe61b2b93ff6e075c181b78942aff575244e2d29356a80f88122d3ecb23d5426615cce4b76dd17a14094837
- SSDEEP
  
  6144:FCJnalmkhmTBbPrQQEXummT6RVx7YVvJzROPOGjJT:FCEokhlQEyYVxErQP
Score

1^/10
behavioral7 behavioral8
- Target
  
  msword.dll
- Size
  
  53KB
- MD5
  
  abc87df854f31725dd1d7231f6f07354
- SHA1
  
  e418d37fdcf4c288884bfe744b416cbdb0243a9e
- SHA256
  
  efeb7d9d0fabe464a32c4e33fe756d6ef7a9b369c0f1462b3dd573b6b667488e
- SHA512
  
  667835fa3c70db6b14072cf86d9a155ce8cb60ffdb23d22ce4e8248f2570608fca6c8f84e86a7250d6652fec78607830f9edc952ea84e537a47196d987e3a1f3
- SSDEEP
  
  768:asdzNiDNkTpOnIqt3VCfSJcb5J/yDHoEAs3FpVFCjN1I915ys+m9QuZFGR6Zmxg:aU2uQn33wSJavz1c15T+m9QuZFGcZA
Score

1^/10
behavioral10 behavioral9

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10