cobaltstrike

General

Target

a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d
Size

842KB
Sample

231118-sjxq2sfg21
MD5

214fae5a642240511b66047cc90a63a5
SHA1

0c6f337c8419c09c1fb564a054777d94bcb5411c
SHA256

a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d
SHA512

c628d9a9e19ed1a19d84389cce3e08c70a3699457971c9c9d881ab99eeb228ec74a2eef9db5c7f66ee7242f397496757a1d9267fef7c21af29125a1c19f4efe3
SSDEEP

6144:BEWhZP2Ubecc830D+SOgxLQXI966PehLgOo7YOPi7tq+yOYP96pRBwq3gzUWsm9o:pZei9SOgxn9PBrtwFyyjf3gg9m9o

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

C2

http://img.uioqwea.xyz:8443/messages/DALBNSFFT4Q

Attributes

user_agent
Accept: text/html,application/*,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: img.uioqwea.xyz Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://172.67.182.142:8443/messages/xV5GdE

http://104.21.35.254:8443/messages/xV5GdE

http://2606:4700:3032::6815:23fe:8443/messages/xV5GdE

http://2606:4700:3033::ac43:b68e:8443/messages/xV5GdE

Attributes

access_type
512
beacon_type
2048
host
172.67.182.142,/messages/xV5GdE,104.21.35.254,/messages/xV5GdE,2606:4700:3032::6815:23fe,/messages/xV5GdE,2606:4700:3033::ac43:b68e,/messages/xV5GdE
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
2560
polling_time
10000
port_number
8443
sc_process32
%windir%\syswow64\esentutl.exe
sc_process64
%windir%\sysnative\esentutl.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaQGOQzaqqQLDxqfNAdfZu7isKEAhtTHok92MhWQ6haLF6I92+W3zIHm5+FBWaPVxJ+LV5YaSDuXAwGrTKzYDu/MHzXYcuENLyL4dRuFbJBfJwRImaLDke8V2+zhN0vu0ZSNtDIE4xEKf/UzAj6i/Jdh0+Ha72abUlVMBRn37jLwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.092976896e+09
unknown2
AAAABAAAAAEAAATAAAAAAQAAAAwAAAACAAABlAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/messages/96OpFu
user_agent
Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)
watermark
100000

Targets

- Target
  
  a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d
- Size
  
  842KB
- MD5
  
  214fae5a642240511b66047cc90a63a5
- SHA1
  
  0c6f337c8419c09c1fb564a054777d94bcb5411c
- SHA256
  
  a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d
- SHA512
  
  c628d9a9e19ed1a19d84389cce3e08c70a3699457971c9c9d881ab99eeb228ec74a2eef9db5c7f66ee7242f397496757a1d9267fef7c21af29125a1c19f4efe3
- SSDEEP
  
  6144:BEWhZP2Ubecc830D+SOgxLQXI966PehLgOo7YOPi7tq+yOYP96pRBwq3gzUWsm9o:pZei9SOgxn9PBrtwFyyjf3gg9m9o
Score

10^/10

cobaltstrike 100000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Checks computer location settings

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2