cobaltstrike | 5670d0cb91ffee738183f20a607adb402783c34ba255b25f26790c9ee21d68ff

Analysis

max time kernel
140s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2023 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5670d0cb91ffee738183f20a607adb402783c34ba255b25f26790c9ee21d68ff.exe
Size

6.8MB
MD5

85ca7d27b3fc3707b894a28ffb9ed0d3
SHA1

672984e11a0a580ab575a5d9d26a3f00734cf105
SHA256

5670d0cb91ffee738183f20a607adb402783c34ba255b25f26790c9ee21d68ff
SHA512

4ef02ddb87d97e43ed20894c1c5b20ad9238f54adcba87d2fa841b54b2707dc1ab28b190a2ed1fe0528dd9c42117b66b3186d361097d946ba878f1c146f3d5d5
SSDEEP

196608:jJnVhmxbAQveItwq+ZkiKDIECx0vFFGL:JVMxvxaq+ZkFJCx09F

Score

10^/10

cobaltstrike 0 1234567890 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://192.144.219.118:6767/9Dnr

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)

Extracted

Family

cobaltstrike

Botnet

1234567890

http://192.144.219.118:6767/IE9CompatViewList.xml

Attributes

access_type
512
host
192.144.219.118,/IE9CompatViewList.xml
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
6767
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCKVNvPHE9juiYlEdnkb93lgmvy+njBEhJZ3NMWKoYR8+aIzbmhA16jODY3BTIIb93qdVmy7NUa1QPEv4a+plPppBfQ2D2UXncGbE6GrLGkHLlaCckL8FHzqjjTWLmEpMpPzDvrxtIrNPM9dfTOszDWrSveFD0K8yo3ZHM8sEKk6wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
watermark
1234567890

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 5 IoCs

Processes:

5670d0cb91ffee738183f20a607adb402783c34ba255b25f26790c9ee21d68ff.exe

pid	process
4028	5670d0cb91ffee738183f20a607adb402783c34ba255b25f26790c9ee21d68ff.exe
4028	5670d0cb91ffee738183f20a607adb402783c34ba255b25f26790c9ee21d68ff.exe
4028	5670d0cb91ffee738183f20a607adb402783c34ba255b25f26790c9ee21d68ff.exe
4028	5670d0cb91ffee738183f20a607adb402783c34ba255b25f26790c9ee21d68ff.exe
4028	5670d0cb91ffee738183f20a607adb402783c34ba255b25f26790c9ee21d68ff.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

5670d0cb91ffee738183f20a607adb402783c34ba255b25f26790c9ee21d68ff.exe

description	pid	process	target process
PID 964 wrote to memory of 4028	964	5670d0cb91ffee738183f20a607adb402783c34ba255b25f26790c9ee21d68ff.exe	5670d0cb91ffee738183f20a607adb402783c34ba255b25f26790c9ee21d68ff.exe
PID 964 wrote to memory of 4028	964	5670d0cb91ffee738183f20a607adb402783c34ba255b25f26790c9ee21d68ff.exe	5670d0cb91ffee738183f20a607adb402783c34ba255b25f26790c9ee21d68ff.exe

C:\Users\Admin\AppData\Local\Temp\5670d0cb91ffee738183f20a607adb402783c34ba255b25f26790c9ee21d68ff.exe
"C:\Users\Admin\AppData\Local\Temp\5670d0cb91ffee738183f20a607adb402783c34ba255b25f26790c9ee21d68ff.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Local\Temp\5670d0cb91ffee738183f20a607adb402783c34ba255b25f26790c9ee21d68ff.exe
"C:\Users\Admin\AppData\Local\Temp\5670d0cb91ffee738183f20a607adb402783c34ba255b25f26790c9ee21d68ff.exe"
2⤵
- Loads dropped DLL
PID:4028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI9642\VCRUNTIME140.dll
Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9642\VCRUNTIME140.dll
Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9642\_ctypes.pyd
Filesize
120KB

MD5
462fd515ca586048459b9d90a660cb93

SHA1
06089f5d5e2a6411a0d7b106d24d5203eb70ec60

SHA256
bf017767ac650420487ca3225b3077445d24260bf1a33e75f7361b0c6d3e96b4

SHA512
67851bdbf9ba007012b89c89b86fd430fce24790466fefbb54431a7c200884fc9eb2f90c36d57acd300018f607630248f1a3addc2aa5f212458eb7a5c27054b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9642\_ctypes.pyd
Filesize
120KB

MD5
462fd515ca586048459b9d90a660cb93

SHA1
06089f5d5e2a6411a0d7b106d24d5203eb70ec60

SHA256
bf017767ac650420487ca3225b3077445d24260bf1a33e75f7361b0c6d3e96b4

SHA512
67851bdbf9ba007012b89c89b86fd430fce24790466fefbb54431a7c200884fc9eb2f90c36d57acd300018f607630248f1a3addc2aa5f212458eb7a5c27054b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9642\base_library.zip
Filesize
1.0MB

MD5
042faa3fa4f2b73f13a83a8a938eea2b

SHA1
75927105f4fbbbfddabeac44b06146ee01576fc7

SHA256
8759d64745184bef9febec37ac59cc3359e487ea044d500c12d9cdc5e0c9a311

SHA512
e84f38f64065ad6f37d8cfca5505ae5532eb7a30cc2b6971040740e35e9061cce3192c7efb2ae3f1ef3482d29246ba4d1d25f0a5e527b7cec6b197df5fab967b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9642\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9642\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9642\python310.dll
Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9642\python310.dll
Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9642\ucrtbase.dll
Filesize
1.1MB

MD5
ef3bca3f5e7be6316c33668b7d1489bc

SHA1
775f2eb20b607cdf6ed7d87931a5fe988078b3ec

SHA256
9a2fe283527a861a1ffbde865ca150452d9a116f06134873468251e7b3a2b740

SHA512
afdc5cef11e96483617af9d72127a6d1c32ccf774f8b76988eb89018155334fa56bf388cc8c1db31c8e37b577900efd058f066d26d7ca0add740d99d00c9f157

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9642\ucrtbase.dll
Filesize
1.1MB

MD5
ef3bca3f5e7be6316c33668b7d1489bc

SHA1
775f2eb20b607cdf6ed7d87931a5fe988078b3ec

SHA256
9a2fe283527a861a1ffbde865ca150452d9a116f06134873468251e7b3a2b740

SHA512
afdc5cef11e96483617af9d72127a6d1c32ccf774f8b76988eb89018155334fa56bf388cc8c1db31c8e37b577900efd058f066d26d7ca0add740d99d00c9f157

Download Submit
memory/4028-65-0x000001BC5AC30000-0x000001BC5AC31000-memory.dmp

Filesize
4KB

Download
memory/4028-66-0x000001BC5B980000-0x000001BC5BD80000-memory.dmp

Filesize
4.0MB

Download
memory/4028-67-0x000001BC5BD80000-0x000001BC5BDCE000-memory.dmp

Filesize
312KB

Download
memory/4028-68-0x000001BC5BD80000-0x000001BC5BDCE000-memory.dmp

Filesize
312KB

Download