cobaltstrike | 126de5fbab3e23ba914ee715b60df1acd7f8d7116a4ed17db09669b41b40ad81 | Triage

Sharing

General

Target

oci.zip
Size

210KB
Sample

231015-fax91ada9x
MD5

c02a6c513f66ceabea966a8658d5d1f2
SHA1

6ab97d10bc10964a4d7066feaf9a1aeea3671cd0
SHA256

126de5fbab3e23ba914ee715b60df1acd7f8d7116a4ed17db09669b41b40ad81
SHA512

08c81b5f5ddc38c9f9b85901ac9775880464fe1c2064313e9ae4e785db4a11c7a255c50c17ccf461c38e766eaccfdbb74586bc77354dea85d19f5eedd64bf820
SSDEEP

6144:Avos1O0DMiOGeZlRHoCZkmVT0h6pmBuUJhKo8iq2FALy1kkI3dc:Aws4KMFih6hLj27I32

Score

10^/10

cobaltstrike 0 426352781 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

426352781

C2

http://corp-sbt.company:53/zC

Attributes

access_type
512
beacon_type
256
host
corp-sbt.company,/zC
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
53
sc_process32
%windir%\syswow64\wbem\wmiprvse.exe -Embedding
sc_process64
%windir%\sysnative\wbem\wmiprvse.exe -Embedding
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGansJ7mCLGdtVFTAJlLG5+1HWoHiw/xwZ+9hp4Qkcs3jZPJcxS35msi9EY6SfnthfKNn4EZS4At9BMSjQTA4KPmsR4mfU7VTpzsUnokI+RqG50nhmFdeM0RlSHOP/nmASEpMD3UsENV6DPrlNCvOEG5+oKAMXNpU9v3E0oRWjFQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.153059584e+09
unknown3
1.610612736e+09
watermark
426352781

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Targets

- Target
  
  oci.dll
- Size
  
  529KB
- MD5
  
  977f2033e088034cdb05d6704969a84d
- SHA1
  
  68e6bf7eccca4482133368035b21d729b72b2beb
- SHA256
  
  ab50b3e2c03bddc7bb81cf7d9cd11b9abdbe1bc551a7b64e64f4e94807fc75c5
- SHA512
  
  bc7f7286bf04159c14211ff7b551a8f513437dd390b5cd57e78bcdb295936bc2c02eaab4b8d6b2b1ed2facb0bc0c5d81253a4a4d265bbd913bd1136455783b8b
- SSDEEP
  
  12288:OtX0V5RIbQvA8A0ag0r81Qmeh6YnocpXAFgzY:OERnC6YocpXAFgzY
Score

10^/10

cobaltstrike 0 426352781 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cobaltstrike0426352781backdoortrojan

behavioral2

cobaltstrike0426352781backdoortrojan