Overview

overview

10

Static

static

1

ba41f89597...72.exe

windows7-x64

10

ba41f89597...72.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972

  • Size

    631KB

  • Sample

    231116-n61n1ada3x

  • MD5

    541e27b07599049d7cc41d475da51516

  • SHA1

    f3f165f3a8c8d95c71b20f25d32aa034b54345ad

  • SHA256

    ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972

  • SHA512

    f26eaf65479e36b712f2ad7eeb80c785a0aed46758a890d84d6742f5083f930ff6178f656de998197582929c074025a25e7965c9b2bae49fad40441e9190dff6

  • SSDEEP

    6144:WbdZngUq19UR+8+TbOv5LuyG1TjTYOPi706+qWQhteR5suavI5pkGo:4l+1CwPOvZOXt5VqDk5CITkGo

Score
10/10
cobaltstrike100000backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://img.uioqwea.xyz:8443/messages/DALBNSFFT4Q

Attributes
  • user_agent

    Accept: text/html,application/*,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: img.uioqwea.xyz Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://172.67.182.142:8443/messages/xV5GdE

http://104.21.35.254:8443/messages/xV5GdE

http://2606:4700:3032::6815:23fe:8443/messages/xV5GdE

http://2606:4700:3033::ac43:b68e:8443/messages/xV5GdE
Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    172.67.182.142,/messages/xV5GdE,104.21.35.254,/messages/xV5GdE,2606:4700:3032::6815:23fe,/messages/xV5GdE,2606:4700:3033::ac43:b68e,/messages/xV5GdE

  • http_header1

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    2560

  • polling_time

    10000

  • port_number

    8443

  • sc_process32

    %windir%\syswow64\esentutl.exe

  • sc_process64

    %windir%\sysnative\esentutl.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaQGOQzaqqQLDxqfNAdfZu7isKEAhtTHok92MhWQ6haLF6I92+W3zIHm5+FBWaPVxJ+LV5YaSDuXAwGrTKzYDu/MHzXYcuENLyL4dRuFbJBfJwRImaLDke8V2+zhN0vu0ZSNtDIE4xEKf/UzAj6i/Jdh0+Ha72abUlVMBRn37jLwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.092976896e+09

  • unknown2

    AAAABAAAAAEAAATAAAAAAQAAAAwAAAACAAABlAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /messages/96OpFu

  • user_agent

    Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)

  • watermark

    100000

Targets

    • Target

      ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972

    • Size

      631KB

    • MD5

      541e27b07599049d7cc41d475da51516

    • SHA1

      f3f165f3a8c8d95c71b20f25d32aa034b54345ad

    • SHA256

      ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972

    • SHA512

      f26eaf65479e36b712f2ad7eeb80c785a0aed46758a890d84d6742f5083f930ff6178f656de998197582929c074025a25e7965c9b2bae49fad40441e9190dff6

    • SSDEEP

      6144:WbdZngUq19UR+8+TbOv5LuyG1TjTYOPi706+qWQhteR5suavI5pkGo:4l+1CwPOvZOXt5VqDk5CITkGo

    Score
    10/10
    cobaltstrike100000backdoortrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks