cobaltstrike | 416494460a5e7865dd24c2adc74b09f71955bdfce880e91b8774e9e35b6539b5

General

Target

416494460a5e7865dd24c2adc74b09f71955bdfce880e91b8774e9e35b6539b5.exe
Size

2.5MB
MD5

98efd3d462b642ebbd3e1a96e2ae07e9
SHA1

3f16dff9a0af5888b51ec36d6695157addbc129b
SHA256

416494460a5e7865dd24c2adc74b09f71955bdfce880e91b8774e9e35b6539b5
SHA512

67389f7ef6db3ee81e6e80e8006a47b625769f5ac2b6a4c17cad0bf158aaebab323502ba980a380bff2e422982cf0efdd997bf5eba1f0b451ea27e0d41c00bd3
SSDEEP

49152:6QYM0aTX4BJiCx/5Grw1NvFtGvwPSJe/qe5:ivaToBIYCw

Score

10^/10

cobaltstrike 100000000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://www.kaspresky.top:443/cm

Attributes

access_type
512
beacon_type
2048
host
www.kaspresky.top,/cm
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAABAAAAAXSG9zdDogd3d3Lmthc3ByZXNreS50b3AAAAAKAAAAFkFjY2VwdC1MYW5ndWFnZTogZW4tdXMAAAAKAAAAG0FjY2VwdC1FbmNvZGluZzogdGV4dC9wbGFpbgAAAAoAAAAvQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybHRyeXRyeWQAAAAHAAAAAAAAAAMAAAACAAAAIlNFU1NJT05JRD13cWU0NTR3cWUyZHMxNWRzNGRzYTVkczQAAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAABdIb3N0OiB3d3cua2FzcHJlc2t5LnRvcAAAAAoAAAALQWNjZXB0OiAqLyoAAAAKAAAAFkFjY2VwdC1MYW5ndWFnZTogZW4tdXMAAAAKAAAAG0FjY2VwdC1FbmNvZGluZzogdGV4dC9wbGFpbgAAAAoAAAAvQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybHRyeXRyeWQAAAAHAAAAAAAAAAMAAAACAAAAI0pTRVNTSU9OPWRzZjVzZDRmNWU0NWZlNHM2NWQ0Zjg1NmU0AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
5120
polling_time
3000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCL2uyCgBaXs6e30UQosfCiuY572WULBB6w15R+RgtgVQECLrlAJ367eyfsuPN8HGXSFLXTZM+iqtI2ZmogMkqYlBk0sTUEQgiq8ghn4SpPd3HJGy9uCdM8Jp1Db2HTlyIPaq9X5IVul/xf/gz/pxryb+e0vuYYMdm7sP3F78pa3QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/Login.php
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
watermark
100000000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\416494460a5e7865dd24c2adc74b09f71955bdfce880e91b8774e9e35b6539b5.exe
"C:\Users\Admin\AppData\Local\Temp\416494460a5e7865dd24c2adc74b09f71955bdfce880e91b8774e9e35b6539b5.exe"
1⤵
PID:2280
- C:\Users\Public\Runtime.exe
  C:\Users\Public\Runtime.exe
  2⤵
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Runtime.exe

Filesize
2.5MB

MD5
98efd3d462b642ebbd3e1a96e2ae07e9

SHA1
3f16dff9a0af5888b51ec36d6695157addbc129b

SHA256
416494460a5e7865dd24c2adc74b09f71955bdfce880e91b8774e9e35b6539b5

SHA512
67389f7ef6db3ee81e6e80e8006a47b625769f5ac2b6a4c17cad0bf158aaebab323502ba980a380bff2e422982cf0efdd997bf5eba1f0b451ea27e0d41c00bd3

Download Submit
C:\Users\Public\Runtime.exe

Filesize
2.5MB

MD5
98efd3d462b642ebbd3e1a96e2ae07e9

SHA1
3f16dff9a0af5888b51ec36d6695157addbc129b

SHA256
416494460a5e7865dd24c2adc74b09f71955bdfce880e91b8774e9e35b6539b5

SHA512
67389f7ef6db3ee81e6e80e8006a47b625769f5ac2b6a4c17cad0bf158aaebab323502ba980a380bff2e422982cf0efdd997bf5eba1f0b451ea27e0d41c00bd3

Download Submit
\Users\Public\Runtime.exe

Filesize
2.5MB

MD5
98efd3d462b642ebbd3e1a96e2ae07e9

SHA1
3f16dff9a0af5888b51ec36d6695157addbc129b

SHA256
416494460a5e7865dd24c2adc74b09f71955bdfce880e91b8774e9e35b6539b5

SHA512
67389f7ef6db3ee81e6e80e8006a47b625769f5ac2b6a4c17cad0bf158aaebab323502ba980a380bff2e422982cf0efdd997bf5eba1f0b451ea27e0d41c00bd3

Download Submit
\Users\Public\Runtime.exe

Filesize
2.5MB

MD5
98efd3d462b642ebbd3e1a96e2ae07e9

SHA1
3f16dff9a0af5888b51ec36d6695157addbc129b

SHA256
416494460a5e7865dd24c2adc74b09f71955bdfce880e91b8774e9e35b6539b5

SHA512
67389f7ef6db3ee81e6e80e8006a47b625769f5ac2b6a4c17cad0bf158aaebab323502ba980a380bff2e422982cf0efdd997bf5eba1f0b451ea27e0d41c00bd3

Download Submit
memory/2280-1-0x0000000047E20000-0x0000000047E61000-memory.dmp

Filesize
260KB

Download
memory/2280-0-0x0000000047E70000-0x0000000047EBF000-memory.dmp

Filesize
316KB

Download
memory/2280-3-0x0000000047E20000-0x0000000047E61000-memory.dmp

Filesize
260KB

Download
memory/2740-13-0x0000000047EB0000-0x0000000047EFF000-memory.dmp

Filesize
316KB

Download
memory/2740-14-0x0000000047E20000-0x0000000047E61000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing