cobaltstrike | 8a881d784c1144a9c144288ff98fd84db0165fbddffbda16da983eaad13ac2eb | Triage

Sharing

General

Target

8a881d784c1144a9c144288ff98fd84db0165fbddffbda16da983eaad13ac2eb
Size

363KB
Sample

231203-t2j4cadc6y
MD5

844cabf7df93b2dcc4578f6fec951dd9
SHA1

8be2362bafc4ebc6f5643a4b591b1b9e6ce7a2ed
SHA256

8a881d784c1144a9c144288ff98fd84db0165fbddffbda16da983eaad13ac2eb
SHA512

715b1f3e47c3afe44b22dd9ee9ee7c2b824c37343ca1633259fadbbde36f42cdb8ea974ee1cc575d61c34db3f8cd8c6606123564261de82220c019c18792914d
SSDEEP

6144:gexR0RqPHU959bQApoKAz3Snx/3mmDXFiIey6R4Kxg13T8j7GoKDPGTmmA:5uqPAoKAz3Sx/3dViIy4Kxg13T8j7Go/

Score

10^/10

cobaltstrike 391144938 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

391144938

C2

http://121.40.254.24:8724/ptj

Attributes

access_type
512
host
121.40.254.24,/ptj
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
8724
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/TybzK6APgSkvv/ntRDuV6D06v8UwSiyjlGX3NrsSKfjmdbvCc0H0q4bTVOMKAMUq0XEU3xuMrcMYvg+eymca8YaTyV3vMD9CqUVKwuOKRLZyBeeQD+TdK0/tkAvuZGpzHycQLjIeE+y7JpHEz3gLwILb0icKAXAZfCwKPh7lpQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
watermark
391144938

Targets

- Target
  
  8a881d784c1144a9c144288ff98fd84db0165fbddffbda16da983eaad13ac2eb
- Size
  
  363KB
- MD5
  
  844cabf7df93b2dcc4578f6fec951dd9
- SHA1
  
  8be2362bafc4ebc6f5643a4b591b1b9e6ce7a2ed
- SHA256
  
  8a881d784c1144a9c144288ff98fd84db0165fbddffbda16da983eaad13ac2eb
- SHA512
  
  715b1f3e47c3afe44b22dd9ee9ee7c2b824c37343ca1633259fadbbde36f42cdb8ea974ee1cc575d61c34db3f8cd8c6606123564261de82220c019c18792914d
- SSDEEP
  
  6144:gexR0RqPHU959bQApoKAz3Snx/3mmDXFiIey6R4Kxg13T8j7GoKDPGTmmA:5uqPAoKAz3Sx/3dViIy4Kxg13T8j7Go/
Score

10^/10

cobaltstrike 391144938 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cobaltstrike391144938backdoortrojan

behavioral2

cobaltstrike391144938backdoortrojan