cobaltstrike | 8f02db051024b4431c0bd5beb7d666a9f717e3a6386f24a11857ca5b92ce617c

Analysis

max time kernel
133s
max time network
136s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
03-11-2023 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f02db051024b4431c0bd5beb7d666a9f717e3a6386f24a11857ca5b92ce617c.dll
Size

216KB
MD5

d2fd12b6af179ae7c4ad6a090f7d5c25
SHA1

516f3edd3c00776f4c325decb6ddf29a6f1d2fd3
SHA256

8f02db051024b4431c0bd5beb7d666a9f717e3a6386f24a11857ca5b92ce617c
SHA512

d59136a39cbe504d9f30b8f52cef83121953dfefc17ae0e79f9d39872362cb3004229f0dc9d050a044787c2ddc7929722a74413e29ed4780871c88c50317712a
SSDEEP

3072:kK8DwCtyxm16c2mvM7XpQoyq8f2Rc5XLYf+qdddkg7BiOxjbHoc:kK8DwFm16QgqJEfCGdc

Score

10^/10

cobaltstrike 1580103824 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1580103824

http://paymentsolo.online:443/menu/dashboard/6TRE23

Attributes

access_type
512
beacon_type
2048
host
paymentsolo.online,/menu/dashboard/6TRE23
http_header1
AAAAEAAAABhIb3N0OiBwYXltZW50c29sby5vbmxpbmUAAAAKAAAAC0FjY2VwdDogKi8qAAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAABVTZWMtRmV0Y2gtRGVzdDogZW1wdHkAAAAKAAAAFFNlYy1GZXRjaC1Nb2RlOiBjb3JzAAAACgAAABpTZWMtRmV0Y2gtU2l0ZTogY3Jvc3Mtc2l0ZQAAAAcAAAAAAAAAAwAAAAIAAAAKUEhQU0VTU0lEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAABhIb3N0OiBwYXltZW50c29sby5vbmxpbmUAAAAKAAAAC0FjY2VwdDogKi8qAAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAAEhBY2Nlc3MtQ29udHJvbC1SZXF1ZXN0LUhlYWRlcnM6IGNvbnRlbnQtdHlwZSx4LWdvb2ctYXBpLWtleSx4LXVzZXItYWdlbnQAAAAKAAAAFVNlYy1GZXRjaC1EZXN0OiBlbXB0eQAAAAoAAAAUU2VjLUZldGNoLU1vZGU6IGNvcnMAAAAKAAAAGlNlYy1GZXRjaC1TaXRlOiBjcm9zcy1zaXRlAAAABwAAAAAAAAADAAAAAgAAAApQSFBTRVNTSUQ9AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
5120
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjkWvHnxN+a3eaUDaQ4sLAhhbALgwfkCSfxkz5OIOOQa/XO+oxZg5yD6F9uyQmvtwZMhku91jaGiJpf8qJQxOzsTZWeVsHyzFj6qZLOvTGzMM2A8/2S6Il5UvEImGXtsE7o+2AWBhEGFteJKcHtc1eJkWKbVkCBYbGknkcYgT/zQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/menu/dashboard/6JSM74
user_agent
Mozilla/5.0 (Linux; Android 8.1.0; CPH1853) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Mobile Safari/537.36 EdgA/110.0.1588.77
watermark
1580103824

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

4 2732 rundll32.exe
6 2732 rundll32.exe
7 2732 rundll32.exe

flow	pid	process
4	2732	rundll32.exe
6	2732	rundll32.exe
7	2732	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2872 wrote to memory of 2732	2872	rundll32.exe	rundll32.exe
PID 2872 wrote to memory of 2732	2872	rundll32.exe	rundll32.exe
PID 2872 wrote to memory of 2732	2872	rundll32.exe	rundll32.exe
PID 2872 wrote to memory of 2732	2872	rundll32.exe	rundll32.exe
PID 2872 wrote to memory of 2732	2872	rundll32.exe	rundll32.exe
PID 2872 wrote to memory of 2732	2872	rundll32.exe	rundll32.exe
PID 2872 wrote to memory of 2732	2872	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f02db051024b4431c0bd5beb7d666a9f717e3a6386f24a11857ca5b92ce617c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f02db051024b4431c0bd5beb7d666a9f717e3a6386f24a11857ca5b92ce617c.dll,#1
2⤵
- Blocklisted process makes network request
PID:2732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2732-0-0x0000000077BA0000-0x0000000077C76000-memory.dmp

Filesize
856KB

Download
memory/2732-1-0x0000000000140000-0x0000000000174000-memory.dmp

Filesize
208KB

Download
memory/2732-4-0x0000000000460000-0x00000000004F2000-memory.dmp

Filesize
584KB

Download
memory/2732-3-0x0000000000140000-0x0000000000174000-memory.dmp

Filesize
208KB

Download
memory/2732-5-0x0000000000460000-0x00000000004F2000-memory.dmp

Filesize
584KB

Download