cobaltstrike | 70b163b51cc2eb395fe23a7689c91aebb9513c6b950ebff15cabdb89e128dbd9

General

Target

payload.ps1
Size

3KB
MD5

8da5f9fd40e27ead70101dfc32694137
SHA1

8a0d2a9a764b2b49792675d445f1a020d9f06c89
SHA256

70b163b51cc2eb395fe23a7689c91aebb9513c6b950ebff15cabdb89e128dbd9
SHA512

0e5d7bac0c19425e169d66bb2d0fafd3d72fe1650c70a86682f655a2b19d82ed65d46c8512fabc0f164e35d24988db4a60ed8ece4c701b860b6e0de37ab3d8dd

Score

10^/10

cobaltstrike 0 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://118.25.18.151:80/jj6S

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727)

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://118.25.18.151:80/fwlink

Attributes

access_type
512
host
118.25.18.151,/fwlink
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
80
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJ4th1Ky+6GMgff3OVHA/3iK2RRa2eR079bSRfzGnhKGJL1275jkymmo9U2uzap5XJ8mU97zwN1HAF1UGNyyVRByT5/v5YD5GZRWePbdnB4EJhuyOQahNvN2yvgXJbx/JmzeL/NNjKoqYN0agry82gOQmgUvoO0f0czjnaAmZBjQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 2.0.50727)
watermark
100000

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

3 2508 powershell.exe
5 2508 powershell.exe
6 2508 powershell.exe
7 2508 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2508 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2508 powershell.exe

flow	pid	process
3	2508	powershell.exe
5	2508	powershell.exe
6	2508	powershell.exe
7	2508	powershell.exe

pid	process
2508	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2508	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\payload.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2508-4-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/2508-6-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-5-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download
memory/2508-7-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-8-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/2508-9-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/2508-10-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/2508-11-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/2508-12-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/2508-13-0x000000001D060000-0x000000001D460000-memory.dmp

Filesize
4.0MB

Download
memory/2508-14-0x0000000002760000-0x00000000027AF000-memory.dmp

Filesize
316KB

Download
memory/2508-15-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-16-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/2508-17-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/2508-18-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/2508-19-0x0000000002760000-0x00000000027AF000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads