Overview

overview

10

Static

static

3

en.exe

windows7-x64

7

en.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    en.exe

  • Size

    506KB

  • Sample

    231026-r3mjraeb64

  • MD5

    cc4d32788b1765e85ff308bbfb0669ff

  • SHA1

    8152e6df7d47324f74335afe052df4bbe3720ea9

  • SHA256

    24d1f37fcb742f7fff67001d83952fa6f83ff9b035bb839b7a4473933759e9fb

  • SHA512

    82f702e4ff7b8d7fd543388f5f8451043031a999f395a21cecdeb8a6e9d0bb72067b8ea213e596288ec03d9f4df51f5efe108d3ce490ac55970492584fc0044f

  • SSDEEP

    6144:+eJlTe5Rhyk6JBYIchAko6TtMO+QohfDIdEN+8e9Ea88VhwhFtAdkP/uCUYR8B/t:RJZwRkk6buhRTQQov1e8rhvxWhFWg

Score
10/10
cobaltstrike100000backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://cins.hin7lostvas.pro:2083/groupcp.css

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    cins.hin7lostvas.pro,/groupcp.css

  • http_header1

    AAAAEAAAABpIb3N0OiBjaW5zLmhpbjdsb3N0dmFzLnBybwAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAC0FjY2VwdDogKi8qAAAACgAAAD1BY2NlcHQtTGFuZ3VhZ2U6IGZyLUNILCBmcjtxPTAuOSwgZW47cT0wLjgsIGRlO3E9MC43LCAqO3E9MC41AAAABwAAAAAAAAALAAAAAwAAAAIAAAAFU1NJRD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAAEAAAABpIb3N0OiBjaW5zLmhpbjdsb3N0dmFzLnBybwAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAGENvbnRlbnQtVHlwZTogdGV4dC9wbGFpbgAAAAcAAAABAAAADQAAAAMAAAAEAAAABwAAAAAAAAADAAAAAgAAAA5fX3Nlc3Npb25fX2lkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    56539

  • port_number

    2083

  • sc_process32

    %windir%\syswow64\runonce.exe

  • sc_process64

    %windir%\sysnative\runonce.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDohWpPN9dK5Iaq3j5MARwhwXxMD+LZJY92SEg755tH3cbGJDwjAjae+Cq14PUO5w33EpPbdmLoEfwZmXv2Zz/AYj0O8mNmRw35sEPhPXGKj1Snqz4qS1EVBYgJOSMLEUCg7LBwHQtvsGnoZjszjkVqf9Hi9INcnBF8qLyh4JrKQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    2.17567488e+09

  • unknown2

    AAAABAAAAAIAAAPVAAAAAwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /kj

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9

  • watermark

    100000

Targets

    • Target

      en.exe

    • Size

      506KB

    • MD5

      cc4d32788b1765e85ff308bbfb0669ff

    • SHA1

      8152e6df7d47324f74335afe052df4bbe3720ea9

    • SHA256

      24d1f37fcb742f7fff67001d83952fa6f83ff9b035bb839b7a4473933759e9fb

    • SHA512

      82f702e4ff7b8d7fd543388f5f8451043031a999f395a21cecdeb8a6e9d0bb72067b8ea213e596288ec03d9f4df51f5efe108d3ce490ac55970492584fc0044f

    • SSDEEP

      6144:+eJlTe5Rhyk6JBYIchAko6TtMO+QohfDIdEN+8e9Ea88VhwhFtAdkP/uCUYR8B/t:RJZwRkk6buhRTQQov1e8rhvxWhFWg

    Score
    10/10
    cobaltstrike100000backdoortrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks