cobaltstrike | b191737e3e70a6430d6827bc10fe55bd

Sharing

Copy URL Twitter E-mail

General

Target

b191737e3e70a6430d6827bc10fe55bd
Size

221KB
MD5

b191737e3e70a6430d6827bc10fe55bd
SHA1

6b8fa51a117196b6931e3f4c3f866d7d3bd1cd94
SHA256

72e8bc12f384636fc86ced4c1d53f584e9ad4b6acd29748a59845e9cb631ff60
SHA512

f52fcc19202a718a8c6f15e6c6cc90e6dea916906de5902c7206448a68c9d3642a42413ad4aac1c1f2e9ed5d9e22fa96c290bd746471e5a0a3b0ef9bc8d604a2
SSDEEP

6144:B3GY5Xkg8xJ2ujEHt2GQjomoE6otd9d+9HkNgnT8RyOch:dkxJxjEQG3mhd9d+9WQV

Score

10^/10

2113494451 cobaltstrike

Malware Config

Extracted

Family

cobaltstrike

Botnet

2113494451

http://www.bankrate.com:443/Collector/2.0/settings/

Attributes

access_type
512
beacon_type
2048
host
www.bankrate.com,/Collector/2.0/settings/
http_header1
AAAACgAAAAxBY2NlcHQ6IGpzb24AAAAQAAAAL0hvc3Q6IGFxdWF5b2dhb25saW5lLmNvbS5nbG9iYWwucHJvZC5mYXN0bHkubmV0AAAACgAAACZSZWZlcmVyOiBodHRwczovL3RlYW1zLm1pY3Jvc29mdC5jb20vXwAAAAoAAAA1eC1tcy1zZXNzaW9uLWlkOiBmNzNjMzE4Ni0wNTdhLWQ5OTYtM2I2My1iNmU1ZGU2ZWYyMGMAAAAKAAAAGXgtbXMtY2xpZW50LXR5cGU6IGRlc2t0b3AAAAAKAAAAKHgtbXgtY2xpZW50LXZlcnNpb246IDI3LzEuMC4wLjIwMjEwMjA0MTAAAAAKAAAAIkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIAAAAKAAAAI09yaWdpbjogaHR0cHM6Ly90ZWFtcy5taWNyb3NvZnQuY29tAAAACQAAAAhxc3A9dHJ1ZQAAAAkAAAARY2xpZW50LWlkPU5PX0FVVEgAAAAJAAAAHXNkay12ZXJzaW9uPUFDVC1XZWItSlMtMi41LjAmAAAABwAAAAAAAAANAAAABQAAAAZldmVudHMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAxBY2NlcHQ6IGpzb24AAAAQAAAAL0hvc3Q6IGFxdWF5b2dhb25saW5lLmNvbS5nbG9iYWwucHJvZC5mYXN0bHkubmV0AAAACgAAACZSZWZlcmVyOiBodHRwczovL3RlYW1zLm1pY3Jvc29mdC5jb20vXwAAAAoAAABFeC1tcy1xdWVyeS1wYXJhbXM6IGN1cnNvcj0xNjEzNTU0Mzg1JmVwZnM9c3J0JnNjYT01JmFjdGl2ZVRpbWVvdXQ9MTM1AAAACgAAABl4LW1zLWNsaWVudC10eXBlOiBkZXNrdG9wAAAACgAAACh4LW14LWNsaWVudC12ZXJzaW9uOiAyNy8xLjAuMC4yMDIxMDIwNDEwAAAACgAAACJBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUsIGJyAAAACgAAAB9PcmlnaW46IGh0dHBzOi8vdGVhbXMubWljcm9zb2Z0AAAABwAAAAEAAAADAAAAAgAAABVza3lwZXRva2VuPWV5SmhiR2NpT2kAAAAGAAAADkF1dGhlbnRpY2F0aW9uAAAABwAAAAAAAAAIAAAAAgAAABhmNzNjMzE4Ni0wNTdhLWQ5OTYtM2I2My0AAAAGAAAAD3gtbXMtc2Vzc2lvbi1pZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
GET
jitter
10496
polling_time
10000
port_number
443
sc_process32
%windir%\syswow64\logman.exe
sc_process64
%windir%\sysnative\logman.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnNfstn/5qmvXWQ2XI0ZGgRN476WLnejJ8ozhtm8E4w9OD5zHTkOSjiuQBovCrDjrv6Fyixj/wHne3i35QEVW2scJ+9AV8rtE0xX+Gd2fPaTtMNel995XMgy0DOOUAaCitcnRSHk0QKd5TEdrJ9s93jMgOgt6P30nVV6OQydtBywIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.952798208e+09
unknown2
AAAABAAAAAEAAAAuAAAAAgAAAIIAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
1.610612736e+09
uri
/users/8:orgid:b1a28-a1c3-3d54-4eb01adb1/endpoints/events/poll
user_agent
Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.10827; Pro)
watermark
2113494451

Signatures

Cobaltstrike family
cobaltstrike

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
b191737e3e70a6430d6827bc10fe55bd

Files

b191737e3e70a6430d6827bc10fe55bd
.exe windows:4 windows x86 arch:x86

829da329ce140d873b4a8bde2cbfaa7e

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

CreateThread
DeleteCriticalSection
EnterCriticalSection
FreeLibrary
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetLastError
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetSystemTimeAsFileTime
GetTickCount
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
QueryPerformanceCounter
SetUnhandledExceptionFilter
Sleep
TerminateProcess
TlsGetValue
UnhandledExceptionFilter
VirtualAlloc
VirtualProtect
VirtualQuery

msvcrt

__dllonexit
__getmainargs
__initenv
__lconv_init
__set_app_type
__setusermatherr
_acmdln
_amsg_exit
_cexit
_fmode
_initterm
_iob
_lock
_onexit
_unlock
_winmajor
abort
calloc
exit
fprintf
free
fwrite
malloc
memcpy
signal
strlen
strncmp
vfprintf

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 1024B - Virtual size: 720B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 52B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ukec
Size: 207KB - Virtual size: 207KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Extracted

Signatures

Files

829da329ce140d873b4a8bde2cbfaa7e

Headers

File Characteristics

Imports

kernel32

msvcrt

Sections

.text Size: 7KB - Virtual size: 6KB

.data Size: 2KB - Virtual size: 1KB

.rdata Size: 1024B - Virtual size: 720B

.bss Size: - Virtual size: 1KB

.idata Size: 2KB - Virtual size: 1KB

.CRT Size: 512B - Virtual size: 52B

.tls Size: 512B - Virtual size: 32B

.ukec Size: 207KB - Virtual size: 207KB

.text
Size: 7KB - Virtual size: 6KB

.data
Size: 2KB - Virtual size: 1KB

.rdata
Size: 1024B - Virtual size: 720B

.bss
Size: - Virtual size: 1KB

.idata
Size: 2KB - Virtual size: 1KB

.CRT
Size: 512B - Virtual size: 52B

.tls
Size: 512B - Virtual size: 32B

.ukec
Size: 207KB - Virtual size: 207KB