cobaltstrike | a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
24/10/2023, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563.exe
Size

6.6MB
MD5

78926bedc1443515fc3fecefaef71d3a
SHA1

a552abc794ba66ad9e7e4cdd60dc0183b5e3f054
SHA256

a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563
SHA512

b4c836d391dfe80a0e84eda0cb24dd8c16d3230639ab5a2315611fbdfa05af7ec69f82f6192f4292e19ed9945e7638d6eb50ef612110c10b4bbd347973eba434
SSDEEP

196608:kcFaxmvdsCnc84njQthsiHzYSEz7kAzZW9y:zaUvaCncdnKhsay7w

Score

10^/10

cobaltstrike 391144938 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://103.101.205.55:2333/pR3h

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; NP07; NP07)

Extracted

Family

cobaltstrike

Botnet

391144938

http://103.101.205.55:2333/cm

Attributes

access_type
512
host
103.101.205.55,/cm
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
2333
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChjal7EGSVmle25QWETISuLg+zIQO37PeEPIaS10sC3bFZ1MH3lFSVi2goW8mJhn4API+4eTA76kt9hv4+JIkeNse/N9kdGMmjedjR3CxdPWYR4nsk5VjF0IdNQVFfeUaUjK6iaYHvORDYuqO9InPwVBCWlch3PpI3GuTR8HS8FQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9;ENUS)
watermark
391144938

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 10 IoCs

pid	Process
3972	a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563.exe
3972	a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563.exe
3972	a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563.exe
3972	a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563.exe
3972	a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563.exe
3972	a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563.exe
3972	a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563.exe
3972	a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563.exe
3972	a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563.exe
3972	a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 3972	4800	a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563.exe	88
PID 4800 wrote to memory of 3972	4800	a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563.exe	88

C:\Users\Admin\AppData\Local\Temp\a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563.exe
"C:\Users\Admin\AppData\Local\Temp\a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563.exe
  "C:\Users\Admin\AppData\Local\Temp\a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563.exe"
  2⤵
  - Loads dropped DLL
  PID:3972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI48002\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\_ctypes.pyd

Filesize
116KB

MD5
41a9708af86ae3ebc358e182f67b0fb2

SHA1
accab901e2746f7da03fab8301f81a737b6cc180

SHA256
0bd4ed11f2fb097f235b62eb26a00c0cb16815bbf90ab29f191af823a9fed8cf

SHA512
835f9aa33fdfbb096c31f8ac9a50db9fac35918fc78bce03dae55ea917f738a41f01aee4234a5a91ffa5bdbbd8e529399205592eb0cae3224552c35c098b7843

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\_ctypes.pyd

Filesize
116KB

MD5
41a9708af86ae3ebc358e182f67b0fb2

SHA1
accab901e2746f7da03fab8301f81a737b6cc180

SHA256
0bd4ed11f2fb097f235b62eb26a00c0cb16815bbf90ab29f191af823a9fed8cf

SHA512
835f9aa33fdfbb096c31f8ac9a50db9fac35918fc78bce03dae55ea917f738a41f01aee4234a5a91ffa5bdbbd8e529399205592eb0cae3224552c35c098b7843

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\_hashlib.pyd

Filesize
58KB

MD5
f63da7f9a4e64148255e9d3885e7a008

SHA1
756dc192e7b2932df147c48f05ec5e38e9aa06e6

SHA256
fa0bb4bf93a6739ce5ade6a7a69272bbc1227d09c7afc1c027d6cea41141bcc6

SHA512
23d06def20c3668613392a02832777b27ad5353e1dc246316043b606890445d195a1066fca65300a5d429319aa2ae2505f9fa3a5ab0f97aba2717b64aaa07e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\_hashlib.pyd

Filesize
58KB

MD5
f63da7f9a4e64148255e9d3885e7a008

SHA1
756dc192e7b2932df147c48f05ec5e38e9aa06e6

SHA256
fa0bb4bf93a6739ce5ade6a7a69272bbc1227d09c7afc1c027d6cea41141bcc6

SHA512
23d06def20c3668613392a02832777b27ad5353e1dc246316043b606890445d195a1066fca65300a5d429319aa2ae2505f9fa3a5ab0f97aba2717b64aaa07e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\base2048\base2048.pyd

Filesize
257KB

MD5
4b037dd533d0fe2149d2bb88c3572f57

SHA1
fdb6c15cac19871dcaaa09096267e9d58c99dd76

SHA256
919e88adcc9ec94c18e612d0f371829397936e5a00aef2b902a743dc25e001cf

SHA512
76f4664ea5cc87fd047d86beae39d07abd22b3d3f569ccee8855c1d81d0eb75fa9dd89018d7497558acacc7b825b5b43f9e2f710aef83b2fc9f88596edce49f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\base2048\base2048.pyd

Filesize
257KB

MD5
4b037dd533d0fe2149d2bb88c3572f57

SHA1
fdb6c15cac19871dcaaa09096267e9d58c99dd76

SHA256
919e88adcc9ec94c18e612d0f371829397936e5a00aef2b902a743dc25e001cf

SHA512
76f4664ea5cc87fd047d86beae39d07abd22b3d3f569ccee8855c1d81d0eb75fa9dd89018d7497558acacc7b825b5b43f9e2f710aef83b2fc9f88596edce49f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\base_library.zip

Filesize
1.0MB

MD5
a527ac513c61e127025473f1cb886852

SHA1
f8f6d2d62c401713069105fecb22a909452c96d9

SHA256
13f0b60f720e0c13ebf0da4187ccca0fad9700d976f9c37bdce059eea4076933

SHA512
8f472c8ae9e780251b74a6c75dd4a98c6f6876f38e2df90d26aff3c9e546ffe75555ad26d85510c9e4264e15ce9b2e6247759e81af993c45c8db11a22081c6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c756d74c729d6d24da2b8ef596a391

SHA1
7610bb1cbf7a7fdb2246be55d8601af5f1e28a00

SHA256
17d0f4c13c213d261427ee186545b13ef0c67a99fe7ad12cd4d7c9ec83034ac8

SHA512
d9cf045bb1b6379dd44f49405cb34acf8570aed88b684d0ab83af571d43a0d8df46d43460d3229098bd767dd6e0ef1d8d48bc90b9040a43b5469cef7177416a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c756d74c729d6d24da2b8ef596a391

SHA1
7610bb1cbf7a7fdb2246be55d8601af5f1e28a00

SHA256
17d0f4c13c213d261427ee186545b13ef0c67a99fe7ad12cd4d7c9ec83034ac8

SHA512
d9cf045bb1b6379dd44f49405cb34acf8570aed88b684d0ab83af571d43a0d8df46d43460d3229098bd767dd6e0ef1d8d48bc90b9040a43b5469cef7177416a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\python3.DLL

Filesize
60KB

MD5
c38e9571f33898eb9f3da53dc29b512f

SHA1
5be348c829b6dfa008d0dd239414ad388e5d7ace

SHA256
70596aea8c5ca8f3bf88e46a0606522413b50208ec9fcc6b706f7a064cf83b79

SHA512
1704be273e3485013282c269fc974558683204639fccfb46e6eb640c64a0769a21572a07ee62fe1d5eb1eed4d1419f2293d6e4fd8193caafe128c6d66bd48f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\python3.dll

Filesize
60KB

MD5
c38e9571f33898eb9f3da53dc29b512f

SHA1
5be348c829b6dfa008d0dd239414ad388e5d7ace

SHA256
70596aea8c5ca8f3bf88e46a0606522413b50208ec9fcc6b706f7a064cf83b79

SHA512
1704be273e3485013282c269fc974558683204639fccfb46e6eb640c64a0769a21572a07ee62fe1d5eb1eed4d1419f2293d6e4fd8193caafe128c6d66bd48f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\python3.dll

Filesize
60KB

MD5
c38e9571f33898eb9f3da53dc29b512f

SHA1
5be348c829b6dfa008d0dd239414ad388e5d7ace

SHA256
70596aea8c5ca8f3bf88e46a0606522413b50208ec9fcc6b706f7a064cf83b79

SHA512
1704be273e3485013282c269fc974558683204639fccfb46e6eb640c64a0769a21572a07ee62fe1d5eb1eed4d1419f2293d6e4fd8193caafe128c6d66bd48f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\python310.dll

Filesize
4.2MB

MD5
c6c37b848273e2509a7b25abe8bf2410

SHA1
b27cfbd31336da1e9b1f90e8f649a27154411d03

SHA256
b7a7f3707beab109b66de3e340e3022dd83c3a18f444feb9e982c29cf23c29b8

SHA512
222ad791304963a4b8c1c6055e02c0c4c47fce2bb404bd4f89c022ff9706e29ca6fa36c72350fbf296c8a0e3e48e3756f969c003dd1eb056cd026efe0b7eba40

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\python310.dll

Filesize
4.2MB

MD5
c6c37b848273e2509a7b25abe8bf2410

SHA1
b27cfbd31336da1e9b1f90e8f649a27154411d03

SHA256
b7a7f3707beab109b66de3e340e3022dd83c3a18f444feb9e982c29cf23c29b8

SHA512
222ad791304963a4b8c1c6055e02c0c4c47fce2bb404bd4f89c022ff9706e29ca6fa36c72350fbf296c8a0e3e48e3756f969c003dd1eb056cd026efe0b7eba40

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\ucrtbase.dll

Filesize
986KB

MD5
adf1342f52833831d2a67115b2c9e9e8

SHA1
88bf825535a19e7b2c42b68e6378af821bc75148

SHA256
83d31cbced68513824465dae16b5f01f21baaabad3ae4f2dbfbd39dadeee7a0c

SHA512
23b708e74d653bc3dd4c73ecc10dc48df09e53c19079c17174b13b3f842d4e81540ed3b87feb2f7ae2e77be77c271d459fc7608a443725a242c9c52c00f6f4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\ucrtbase.dll

Filesize
986KB

MD5
adf1342f52833831d2a67115b2c9e9e8

SHA1
88bf825535a19e7b2c42b68e6378af821bc75148

SHA256
83d31cbced68513824465dae16b5f01f21baaabad3ae4f2dbfbd39dadeee7a0c

SHA512
23b708e74d653bc3dd4c73ecc10dc48df09e53c19079c17174b13b3f842d4e81540ed3b87feb2f7ae2e77be77c271d459fc7608a443725a242c9c52c00f6f4e4

Download Submit
memory/3972-76-0x00000295F5D20000-0x00000295F5D21000-memory.dmp

Filesize
4KB

Download
memory/3972-77-0x00000295F5DE0000-0x00000295F61E0000-memory.dmp

Filesize
4.0MB

Download
memory/3972-78-0x00000295F61E0000-0x00000295F6232000-memory.dmp

Filesize
328KB

Download
memory/3972-79-0x00000295F6460000-0x00000295F6462000-memory.dmp

Filesize
8KB

Download
memory/3972-80-0x00000295F61E0000-0x00000295F6232000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads