cobaltstrike

General

Target

3f27e8254b53678af0b5863a9a54304f
Size

190KB
Sample

231219-rhe9yaefa3
MD5

3f27e8254b53678af0b5863a9a54304f
SHA1

3ed13e2d8891eb91c0fde26c780e7eea79358e11
SHA256

ed35fa431d116906fcdd3a2128301eb393cc25948d37be089142446cf93546ea
SHA512

3490f6d4e54112c860c4da05a34eaa8215c8c4f95c4830edb8d4d3c0e3abe0cc28f3299a9af0506c52ac317e0e78d66c1440320d95f5cae341b2974870d0dc6c
SSDEEP

3072:e/pd7wTQey1dfhI4Ih5+G3Q6694B92EWvPp/pHNvoVsej5Hb6zik:eRQ+fhIlT/04B985v2zbk

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

426352781

C2

http://45.141.79.119:80/push

Attributes

access_type
512
host
45.141.79.119,/push
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
80
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCNG0JqAnzpb7S5Hwz8H+vmtlTHr0slO36ILE4OTU/PEHfQY0mlzmwI1h1hlIBac+Ufp1CsQvLVJtvVQMzsbd9cl6OO25ynJ7udqPATFHIbr6ZwDcBeU5e08zkT5P6Ql+Sor3vzBMUnwkzgQIDZ782we0suwiduJ4PeTpRwTWWIxQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)
watermark
426352781

Targets

- Target
  
  3f27e8254b53678af0b5863a9a54304f
- Size
  
  190KB
- MD5
  
  3f27e8254b53678af0b5863a9a54304f
- SHA1
  
  3ed13e2d8891eb91c0fde26c780e7eea79358e11
- SHA256
  
  ed35fa431d116906fcdd3a2128301eb393cc25948d37be089142446cf93546ea
- SHA512
  
  3490f6d4e54112c860c4da05a34eaa8215c8c4f95c4830edb8d4d3c0e3abe0cc28f3299a9af0506c52ac317e0e78d66c1440320d95f5cae341b2974870d0dc6c
- SSDEEP
  
  3072:e/pd7wTQey1dfhI4Ih5+G3Q6694B92EWvPp/pHNvoVsej5Hb6zik:eRQ+fhIlT/04B985v2zbk
Score

10^/10

cobaltstrike 426352781 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Blocklisted process makes network request
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Blocklisted process makes network request

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2