cobaltstrike

General

Target

13c27ea6ba97123ffc3cb0a55bae4b2b39a7b3ad3847dfeefe3a742ff76e4a6e
Size

210KB
Sample

231214-m3wp7sdbar
MD5

14d636b4ae9a5d608cd3172eb2f6705b
SHA1

ef0e6a3c2b1f72d3a8a1c64c6ed92797ffb9b023
SHA256

13c27ea6ba97123ffc3cb0a55bae4b2b39a7b3ad3847dfeefe3a742ff76e4a6e
SHA512

3c41aff1da38dae9ceb784b154dca430f7aeaa888b978dffc7c8d27d96c0637976654b4f3f285b37c2d866342552334d3032865f0c6c068a6afd67af6cc9f575
SSDEEP

3072:YnT2RRXuwcN3OQX0GIGATr9VV2ILe126JyTuBdjdUk40vGcrZQRjc:YwXupN1gBbRLDTuLjrvp

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

1359593325

C2

http://161.129.34.132:80/expresscart/list

Attributes

access_type
512
host
161.129.34.132,/expresscart/list
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAABAAAAAUSG9zdDogd3d3LmRoZ2F0ZS5jb20AAAAKAAAAIkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIAAAAKAAAAFlNlYy1GZXRjaC1EZXN0OiBpZnJhbWUAAAAKAAAAGFNlYy1GZXRjaC1Nb2RlOiBuYXZpZ2F0ZQAAAAoAAAAbU2VjLUZldGNoLVNpdGU6IHNhbWUtb3JpZ2luAAAABwAAAAAAAAAPAAAADQAAAAIAAAAEdmlkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAsQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9qc29uO2NoYXJzZXQ9dXRmLTgAAAAKAAAAIkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIAAAAQAAAAHUhvc3Q6IHNob3BwaW5nY2FydC5kaGdhdGUuY29tAAAABwAAAAAAAAAFAAAABmNsaWVudAAAAAcAAAABAAAADwAAAA0AAAACAAAACXsiY2FydElkIgAAAAEAAAAEOiIifQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
11264
polling_time
5954
port_number
80
sc_process32
%windir%\syswow64\getmac.exe
sc_process64
%windir%\sysnative\powercfg.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYGiQA4NH4xzGSxLy66R8cfPYkaBuWdxeiElgzgD6ZXQTq55lsYbxiHdHG33Szimd04DbL2hSSPrjnQOkP8PBwK8+rEZsLsGXxLhgtHHIBImyx23WFjlD4CHsv9mY4HGRBJ4x6X9KGPYqbQv52Y5G7vyRKFuiQDLRkbP5du/jxlQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.281758464e+09
unknown2
AAAABAAAAAEAAAkAAAAAAgAAB/AAAAADAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/checkout/cartSplit/getTotalPrice.do
user_agent
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
watermark
1359593325

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Targets

- Target
  
  13c27ea6ba97123ffc3cb0a55bae4b2b39a7b3ad3847dfeefe3a742ff76e4a6e
- Size
  
  210KB
- MD5
  
  14d636b4ae9a5d608cd3172eb2f6705b
- SHA1
  
  ef0e6a3c2b1f72d3a8a1c64c6ed92797ffb9b023
- SHA256
  
  13c27ea6ba97123ffc3cb0a55bae4b2b39a7b3ad3847dfeefe3a742ff76e4a6e
- SHA512
  
  3c41aff1da38dae9ceb784b154dca430f7aeaa888b978dffc7c8d27d96c0637976654b4f3f285b37c2d866342552334d3032865f0c6c068a6afd67af6cc9f575
- SSDEEP
  
  3072:YnT2RRXuwcN3OQX0GIGATr9VV2ILe126JyTuBdjdUk40vGcrZQRjc:YwXupN1gBbRLDTuLjrvp
Score

10^/10

cobaltstrike 0 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2