cobaltstrike

General

Target

zh.exe
Size

506KB
Sample

231026-r4rj4aeb73
MD5

32cf76b724da3f478dfa34fca9b10fbe
SHA1

5cdaedb0ba81498bbb297b21b03a8a8f02bbd536
SHA256

39848b0cc74b6e0f308d99916f8cf8edcb83b5979a028b2891094b1ae07de58e
SHA512

b7f993b868c14d08e30dc4ccd29130c24c5a2d392bd85243c43013dbca0893373a7b3b5646de54b62969749b977ac31838e83eb5f746137089553851630f4160
SSDEEP

6144:/e5ETe5Rhyk6JBYIchAko6TtMO+QohfIndEN+8e9Ea88VhwhFtAdkP/uCUYR8B/t:W5kwRkk6buhRTQQo31e8rhvxWhFWg

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://cins.hin7lostvas.pro:2083/groupcp.css

Attributes

access_type
512
beacon_type
2048
host
cins.hin7lostvas.pro,/groupcp.css
http_header1
AAAAEAAAABpIb3N0OiBjaW5zLmhpbjdsb3N0dmFzLnBybwAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAC0FjY2VwdDogKi8qAAAACgAAAD1BY2NlcHQtTGFuZ3VhZ2U6IGZyLUNILCBmcjtxPTAuOSwgZW47cT0wLjgsIGRlO3E9MC43LCAqO3E9MC41AAAABwAAAAAAAAALAAAAAwAAAAIAAAAFU1NJRD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAABpIb3N0OiBjaW5zLmhpbjdsb3N0dmFzLnBybwAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAGENvbnRlbnQtVHlwZTogdGV4dC9wbGFpbgAAAAcAAAABAAAADQAAAAMAAAAEAAAABwAAAAAAAAADAAAAAgAAAA5fX3Nlc3Npb25fX2lkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
56539
port_number
2083
sc_process32
%windir%\syswow64\runonce.exe
sc_process64
%windir%\sysnative\runonce.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDohWpPN9dK5Iaq3j5MARwhwXxMD+LZJY92SEg755tH3cbGJDwjAjae+Cq14PUO5w33EpPbdmLoEfwZmXv2Zz/AYj0O8mNmRw35sEPhPXGKj1Snqz4qS1EVBYgJOSMLEUCg7LBwHQtvsGnoZjszjkVqf9Hi9INcnBF8qLyh4JrKQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.17567488e+09
unknown2
AAAABAAAAAIAAAPVAAAAAwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/kj
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9
watermark
100000

Targets

- Target
  
  zh.exe
- Size
  
  506KB
- MD5
  
  32cf76b724da3f478dfa34fca9b10fbe
- SHA1
  
  5cdaedb0ba81498bbb297b21b03a8a8f02bbd536
- SHA256
  
  39848b0cc74b6e0f308d99916f8cf8edcb83b5979a028b2891094b1ae07de58e
- SHA512
  
  b7f993b868c14d08e30dc4ccd29130c24c5a2d392bd85243c43013dbca0893373a7b3b5646de54b62969749b977ac31838e83eb5f746137089553851630f4160
- SSDEEP
  
  6144:/e5ETe5Rhyk6JBYIchAko6TtMO+QohfIndEN+8e9Ea88VhwhFtAdkP/uCUYR8B/t:W5kwRkk6buhRTQQo31e8rhvxWhFWg
Score

10^/10

cobaltstrike 100000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2