cobaltstrike | ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f

General

Target

ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f.dll
Size

82KB
MD5

e3571a16f67482e4614ea047b9d7f1e7
SHA1

27692eafcf957721e1935f52d23e4a92ff3ebc92
SHA256

ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f
SHA512

24d0c47e6e5784e5652d37c8f51d7cf2b6f912a626db18ed20dc004f9d4fe8bb8ee538ae66ea9c84a7e87b03668b36b14deeff7972af7e3876b1b7b3ce7f5370
SSDEEP

1536:v/aSQsL7NNm1eHeYFKi0BYyFkKp/qUOJ7WSTCsWzD2cdbwpWkr7ePpms:9QqG1geYF56FkBq8gD3bOWkraPpm

Score

10^/10

cobaltstrike metasploit 391144938 backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://101.34.222.38:8081/JsFY

Attributes

headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9;ENUS)

Extracted

Family

cobaltstrike

Botnet

391144938

C2

http://101.34.222.38:8081/load

Attributes

access_type
512
host
101.34.222.38,/load
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
8081
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3NwQWsqvq+XSFe/EjAzMJhY8xqwi14YBYjK+/ja1RTMe1mfTBtCoTyS8zstORfS172w4dWmA+KR7xxEqz1J0ZtIXjGjWtRlQiCIIqPHPAu0mbPckYHwu1xJkKqEaH9XqA5t5ZWgK93jZzFZkNLu7BKusiC9xxspe/QhRY4BvuZQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)
watermark
391144938

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2036	rundll32.exe
5	2036	rundll32.exe
6	2036	rundll32.exe
7	2036	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1220 set thread context of 2036	1220	rundll32.exe	29

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 1220	1172	rundll32.exe	28
PID 1172 wrote to memory of 1220	1172	rundll32.exe	28
PID 1172 wrote to memory of 1220	1172	rundll32.exe	28
PID 1172 wrote to memory of 1220	1172	rundll32.exe	28
PID 1172 wrote to memory of 1220	1172	rundll32.exe	28
PID 1172 wrote to memory of 1220	1172	rundll32.exe	28
PID 1172 wrote to memory of 1220	1172	rundll32.exe	28
PID 1220 wrote to memory of 2036	1220	rundll32.exe	29
PID 1220 wrote to memory of 2036	1220	rundll32.exe	29
PID 1220 wrote to memory of 2036	1220	rundll32.exe	29
PID 1220 wrote to memory of 2036	1220	rundll32.exe	29
PID 1220 wrote to memory of 2036	1220	rundll32.exe	29
PID 1220 wrote to memory of 2036	1220	rundll32.exe	29
PID 1220 wrote to memory of 2036	1220	rundll32.exe	29
PID 1220 wrote to memory of 2036	1220	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe
    3⤵
    - Blocklisted process makes network request
    PID:2036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2036-0-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2036-1-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2036-2-0x00000000028B0000-0x0000000002CB0000-memory.dmp

Filesize
4.0MB

Download
memory/2036-3-0x00000000004D0000-0x0000000000511000-memory.dmp

Filesize
260KB

Download
memory/2036-4-0x00000000002D0000-0x00000000002D2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads