cobaltstrike | c2f68afa882adecc96217f7eab229aaa2ec01abfae0d8087bfa3d4fed66fbcbb

Analysis

max time kernel
132s
max time network
136s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
20-11-2023 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2f68afa882adecc96217f7eab229aaa2ec01abfae0d8087bfa3d4fed66fbcbb.dll
Size

93KB
MD5

b6fb8b50cbfa81b70b4657069710c226
SHA1

5679e8026721e338612ac5d987a7739e5673177d
SHA256

c2f68afa882adecc96217f7eab229aaa2ec01abfae0d8087bfa3d4fed66fbcbb
SHA512

a15a4d45917232900bd5be0ddf9d77e7870d0d9f4b1df0069bf34289731ed83a826f54b377765e7b98c72b76ec29780698ac1deac94bdcde1dbf8bacef20f511
SSDEEP

1536:uYhEyx42txwW3Te8eUaOBfRxMTr0ylZVEw9YDC7i50OD:u4Rxwq6XUaOBfRxMTIUVEwee77O

Score

10^/10

cobaltstrike 20410727 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://service-a0y8baw1-1319935181.bj.apigw.tencentcs.com:443/bootstrap-2.min.js

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)

Extracted

Family

cobaltstrike

Botnet

20410727

http://service-a0y8baw1-1319935181.bj.apigw.tencentcs.com:443/api/x

Attributes

access_type
512
beacon_type
2048
host
service-a0y8baw1-1319935181.bj.apigw.tencentcs.com,/api/x
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
12800
polling_time
30000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTWV74mUQ+mRv5G12a9zODYqH4hd3vN8wA5KM1K3qxHkx8PMfWuxuzFPJTbTmmP/psUSaIxASMDmgFAenz3/yOWa2GZRhGhYsxPzqZ3I9pFkF+QUzwhc8fWqWwOJv66NmlHQGJLc2kG3H4GT15QDwwz2TZ8NVMfeDzPuVcpJGwCwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/api/y
user_agent
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)
watermark
20410727

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2144 set thread context of 2288 2144 rundll32.exe conhost.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

2144 rundll32.exe

description	pid	process	target process
PID 2144 set thread context of 2288	2144	rundll32.exe	conhost.exe

pid	process
2144	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2144 wrote to memory of 2288	2144	rundll32.exe	conhost.exe
PID 2144 wrote to memory of 2288	2144	rundll32.exe	conhost.exe
PID 2144 wrote to memory of 2288	2144	rundll32.exe	conhost.exe
PID 2144 wrote to memory of 2288	2144	rundll32.exe	conhost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c2f68afa882adecc96217f7eab229aaa2ec01abfae0d8087bfa3d4fed66fbcbb.dll,#1
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
PID:2288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2288-0-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2288-1-0x0000000002870000-0x0000000002C70000-memory.dmp

Filesize
4.0MB

Download
memory/2288-2-0x0000000001F90000-0x0000000001FDE000-memory.dmp

Filesize
312KB

Download
memory/2288-3-0x0000000001F90000-0x0000000001FDE000-memory.dmp

Filesize
312KB

Download