cobaltstrike | 184cbf7df459c6266184ad6f241c66805a4301aa198920465a6756ee073d6801

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2023 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

184cbf7df459c6266184ad6f241c66805a4301aa198920465a6756ee073d6801.dll
Size

298KB
MD5

9bf777a32e84db48ce71e1e06fafd441
SHA1

ccfc23046955a103b3835023a3468d6dc2ffd01f
SHA256

184cbf7df459c6266184ad6f241c66805a4301aa198920465a6756ee073d6801
SHA512

dbf04c347a531b8856e2a87af85cde09d444ada6fcd362ba77e6122f7ce85996a4cc338e66bcc10ea0a5980e3d5ac5431d231488d274197f78fcb8e5fee4a1d5
SSDEEP

6144:CHzp4qIDRd6EqFmcCBk9LHZEPSZ/Of626BioBRXFsjf3FOUXzsezZOyMm:izp4qIDqRi8ZEatP26BzzUP

Score

10^/10

cobaltstrike 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

http://43.138.44.158:15999/socialapiVersion=1.1

Attributes

access_type
512
host
43.138.44.158,/socialapiVersion=1.1
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAdSG9zdDogb2ZmaWNlY2RuLm1pY3Jvc29mdC5jb20AAAAKAAAAKVJlZmVyZXI6IGh0dHBzOi8vb2ZmaWNlY2RuLm1pY3Jvc29mdC5jb20vAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAA0AAAACAAAACF9fbXMtY3Y9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogY2RuLmJvb3Rjc3MuY29tAAAACgAAACBSZWZlcmVyOiBodHRwOi8vY2RuLmJvb3Rjc3MuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAPAAAADQAAAAUAAAAEZXRhZwAAAAcAAAABAAAADwAAAA0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
30000
port_number
15999
sc_process32
%windir%\syswow64\runonce.exe
sc_process64
%windir%\sysnative\runonce.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCDNXFfUSnRiMrus01oooCz6LOvdmjEE+7t+6lWJPjRacCsjD36xkeHkaQzYHqBIcp+IjzNOQWAkZeqSKWsWAdUzYDFb4JxRk+REfYtFkqJdO6vJYr9HeSBbcvIVifI4mnpePP5LjtfV9x8AHu1EGqJVJ6LIkucf4QWdZlyxuV5pQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.657621248e+09
unknown2
AAAABAAAAAEAAAdZAAAAAgAAB/IAAAACAAAD+AAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/socialapiVersion=2.0&include_base=true
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.26
watermark
100000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3888 set thread context of 740 3888 rundll32.exe notepad.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3888 rundll32.exe
3888 rundll32.exe

description	pid	process	target process
PID 3888 set thread context of 740	3888	rundll32.exe	notepad.exe

pid	process
3888	rundll32.exe
3888	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3888 wrote to memory of 740	3888	rundll32.exe	notepad.exe
PID 3888 wrote to memory of 740	3888	rundll32.exe	notepad.exe
PID 3888 wrote to memory of 740	3888	rundll32.exe	notepad.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\184cbf7df459c6266184ad6f241c66805a4301aa198920465a6756ee073d6801.dll,#1
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\system32\notepad.exe
notepad.exe
2⤵
PID:740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/740-0-0x000002B5A4630000-0x000002B5A4671000-memory.dmp

Filesize
260KB

Download
memory/740-1-0x00007FFA30590000-0x00007FFA3065D000-memory.dmp

Filesize
820KB

Download