cobaltstrike | 84230a9a5a6ed08e6247f66f234ffdd1701c7794b43714a5d4f72474b6b406a0

Sharing

Copy URL

Twitter E-mail

General

Target

84230a9a5a6ed08e6247f66f234ffdd1701c7794b43714a5d4f72474b6b406a0
Size

588KB
MD5

20f979c53427625891c177d35fa57b7a
SHA1

cffb95072cf3f6b7b7a1f83bf6a5740f1987d57c
SHA256

84230a9a5a6ed08e6247f66f234ffdd1701c7794b43714a5d4f72474b6b406a0
SHA512

76ed80ceed1c65a0e99eaae38eebdc9f566caa16290a8d2d588732b394494ba6a1760f24b8f13a264d61739637f35f72d75db4353a262b47d8795f6819c35935
SSDEEP

6144:M9l4W/pvV3VNNDGbpjTvAXuvO+bJqVG5d1IpMyibgkTZI6jHID90arBXHH/u6GUv:M9l4MVgTYob3d6tevox7BX/u6Gm

Score

10^/10

100000 cobaltstrike

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

http://192.168.66.132:7777/match

Attributes

access_type
512
host
192.168.66.132,/match
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
7777
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAhPuyUvtW0iB/n8XKazSHkXOX/JF7L/pikKWSpqmCYzeVHFdAKafRwFwoAbITkpPdmRqSIf22/LwEQ6Sau++/iTF1lk5WqknGe3LK8Ib3AvpbK5tbRRomwLAPWr0BeNDPWpD/7IUUXeGPlfO2sNfeE3xo2Mr6kdb6WevUB6lZ3QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
watermark
100000

Signatures

Cobaltstrike family
cobaltstrike

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
84230a9a5a6ed08e6247f66f234ffdd1701c7794b43714a5d4f72474b6b406a0

Files

84230a9a5a6ed08e6247f66f234ffdd1701c7794b43714a5d4f72474b6b406a0
.exe windows:6 windows x64

2917a8fa7e6670f49a64f9ae807db3b1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntdll

RtlNtStatusToDosError
NtWriteFile
NtAllocateVirtualMemory
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
NtTestAlert
NtQueueApcThread
NtProtectVirtualMemory
NtWriteVirtualMemory

advapi32

SystemFunction036

kernel32

UnhandledExceptionFilter
IsDebuggerPresent
InitializeSListHead
GetCurrentThreadId
SetUnhandledExceptionFilter
GetSystemTimeAsFileTime
TlsSetValue
TlsGetValue
CreateThread
GetSystemDirectoryW
CloseHandle
ReleaseSRWLockExclusive
FreeEnvironmentStringsW
ReleaseMutex
ReleaseSRWLockShared
CompareStringOrdinal
GetLastError
AddVectoredExceptionHandler
SetThreadStackGuarantee
AcquireSRWLockExclusive
GetCurrentProcess
GetCurrentThread
GetProcAddress
SetLastError
GetCurrentDirectoryW
GetEnvironmentStringsW
GetEnvironmentVariableW
DuplicateHandle
GetStdHandle
GetCurrentProcessId
WriteFileEx
SleepEx
ReadFileEx
WaitForSingleObject
TryAcquireSRWLockExclusive
QueryPerformanceCounter
HeapAlloc
GetProcessHeap
HeapFree
HeapReAlloc
AcquireSRWLockShared
WaitForSingleObjectEx
LoadLibraryA
CreateMutexA
GetModuleHandleA
CreateFileW
GetConsoleMode
GetModuleHandleW
FormatMessageW
GetModuleFileNameW
GetFullPathNameW
CreateNamedPipeW
IsProcessorFeaturePresent
GetWindowsDirectoryW
CreateProcessW
GetFileAttributesW
MultiByteToWideChar
WriteConsoleW

bcrypt

BCryptGenRandom

vcruntime140

_CxxThrowException
__C_specific_handler
__current_exception_context
__current_exception
memcmp
memmove
memset
memcpy
__CxxFrameHandler3

api-ms-win-crt-runtime-l1-1-0

_seh_filter_exe
_set_app_type
_crt_atexit
_configure_narrow_argv
_initialize_narrow_environment
_get_initial_narrow_environment
_initterm
_initterm_e
exit
_exit
__p___argc
__p___argv
_cexit
_register_onexit_function
_register_thread_local_exe_atexit_callback
_c_exit
terminate
_initialize_onexit_table

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-stdio-l1-1-0

_set_fmode
__p__commode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-heap-l1-1-0

free
_set_new_mode

Sections

.text
Size: 237KB - Virtual size: 237KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 335KB - Virtual size: 334KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 792B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

2917a8fa7e6670f49a64f9ae807db3b1

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

advapi32

kernel32

bcrypt

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-heap-l1-1-0

Sections

.text Size: 237KB - Virtual size: 237KB

.rdata Size: 335KB - Virtual size: 334KB

.data Size: 512B - Virtual size: 792B

.pdata Size: 12KB - Virtual size: 11KB

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 237KB - Virtual size: 237KB

.rdata
Size: 335KB - Virtual size: 334KB

.data
Size: 512B - Virtual size: 792B

.pdata
Size: 12KB - Virtual size: 11KB

.reloc
Size: 2KB - Virtual size: 1KB