cobaltstrike | b6fbd300520e46f761b778cfc7595b43db385c79a1d7e4c4ce40e782f78a1c01

Analysis

max time kernel
156s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2023 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

李志-账号密码记录-解压密码-20231116.exe
Size

13.4MB
MD5

2c8fb8705dbce5899bf596163a9b077a
SHA1

7233623d12b409760193c0be6fbb4b330fc74788
SHA256

ec799e2ed133c709d9eb321b3876c8c3167314ff14ea407f2bffea51322e1ad3
SHA512

22a63989d76dfc48c59f91196759b724ec7ff50bd41f61f5a590381e1563cc1059003e4087a6d65bcd95d50cc3991364d255343658b074193fcc8a949df21f40
SSDEEP

98304:83Xn/gtuU2ICoM6f465FjjnrZ/cfMKpSw6Z5Vc1EboPkywplb:MX/gtuU2IY6PBcfMbN5VcGbo8Z

Score

10^/10

cobaltstrike 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

http://service-ho26i50l-1306669097.bj.apigw.tencentcs.com:443/assets/code-3d7b701fc6eb.css

Attributes

access_type
512
beacon_type
2048
host
service-ho26i50l-1306669097.bj.apigw.tencentcs.com,/assets/code-3d7b701fc6eb.css
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeQ29udGVudC1MYW5ndWFnZTogZGUtREUsIGVuLUNBAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeQ29udGVudC1MYW5ndWFnZTogZGUtREUsIGVuLUNBAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
2560
polling_time
5
port_number
443
sc_process32
%windir%\syswow64\esentutl.exe
sc_process64
%windir%\sysnative\esentutl.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAjLA3M+TgpQGM45UvhVjbFFxsA/w5baPizJxsN/CASGrNAwDXLRXCu1MHpgNtbbHqHlkqnavFZUT71H1FIeyPxKQz+0CqnrBJuFWXSGn0QTBxjYUUhx2aAcf7BqeLzQ1OgbOg/SahLDHGR6G5XRXQLVj8zXEUj/+3/46p0MqHXwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.702512128e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/qiyi
user_agent
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
watermark
100000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

win.exe

pid process

5008 win.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

李志-账号密码记录-解压密码-20231116.exe

pid process

3660 李志-账号密码记录-解压密码-20231116.exe

pid	process
5008	win.exe

pid	process
3660	李志-账号密码记录-解压密码-20231116.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

李志-账号密码记录-解压密码-20231116.execmd.exe

description	pid	process	target process
PID 3660 wrote to memory of 5012	3660	李志-账号密码记录-解压密码-20231116.exe	cmd.exe
PID 3660 wrote to memory of 5012	3660	李志-账号密码记录-解压密码-20231116.exe	cmd.exe
PID 5012 wrote to memory of 5008	5012	cmd.exe	win.exe
PID 5012 wrote to memory of 5008	5012	cmd.exe	win.exe

C:\Users\Admin\AppData\Local\Temp\李志-账号密码记录-解压密码-20231116.exe
"C:\Users\Admin\AppData\Local\Temp\李志-账号密码记录-解压密码-20231116.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c start C:\ProgramData\win.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\ProgramData\win.exe
    C:\ProgramData\win.exe
    3⤵
    - Executes dropped EXE
    PID:5008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\win.exe

Filesize
405KB

MD5
ac7d9cbf94a9e1ed5cbe640639a488f4

SHA1
1d0baedcb76ae27d62138d5dda11a6f69cb12511

SHA256
6e35326ea33f4f17ce8a1be50d8b107044b0256b7e773d90746ce6b56552898c

SHA512
dfd97b318ce7ba452d70d69d72a8093a7a5ce685757c490e806c571493a55a923b0d60039dab98193958d6aca0acc02d15502abc43becb32460daca29434c41e

Download Submit
C:\ProgramData\win.exe

Filesize
405KB

MD5
ac7d9cbf94a9e1ed5cbe640639a488f4

SHA1
1d0baedcb76ae27d62138d5dda11a6f69cb12511

SHA256
6e35326ea33f4f17ce8a1be50d8b107044b0256b7e773d90746ce6b56552898c

SHA512
dfd97b318ce7ba452d70d69d72a8093a7a5ce685757c490e806c571493a55a923b0d60039dab98193958d6aca0acc02d15502abc43becb32460daca29434c41e

Download Submit
memory/3660-4-0x00007FF7C36B0000-0x00007FF7C447A000-memory.dmp

Filesize
13.8MB

Download
memory/5008-6-0x000000B071850000-0x000000B071950000-memory.dmp

Filesize
1024KB

Download
memory/5008-7-0x00000243F19D0000-0x00000243F1A1F000-memory.dmp

Filesize
316KB

Download
memory/5008-8-0x00000243F15D0000-0x00000243F16DA000-memory.dmp

Filesize
1.0MB

Download
memory/5008-9-0x000000B071850000-0x000000B071950000-memory.dmp

Filesize
1024KB

Download
memory/5008-10-0x00000243F15D0000-0x00000243F16DA000-memory.dmp

Filesize
1.0MB

Download