cobaltstrike | 335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2023 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe
Size

4.4MB
MD5

32d056a2aa49444e85234ed0fab81cdb
SHA1

c9e154ce4f6d12980d1aa4d7ba7e3b447bfa6626
SHA256

335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432
SHA512

69e24b858b88abeb2ad800ef916d198c7bb9d2ae2cbb398851ae2ae2316923a93e7f50ca7a73dcefba5da932c8c98b9780876b7e5bd0862c6058204d1bd8cc84
SSDEEP

98304:lR+MuHOJeihJ7GNUOiGyUu+mkZjkqaJlb2WPspkFO+/W83:lmHm7oFfTu+DZgtOWUpGt

Score

10^/10

cobaltstrike 100000 backdoor trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

http://121.36.230.220:1433/mp/getapp/msgext

Attributes

access_type
512
host
121.36.230.220,/mp/getapp/msgext
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiB6aC1DTix6aDtxPTAuOQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAACgAAACFSZWZlcmVyOiBodHRwOi8vbXAud2VpeGluLnFxLmNvbS8AAAAHAAAAAAAAAAMAAAACAAAABU1ZTXp6AAAABgAAAAxYLVdlY2hhdC1VaW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAI9BY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9hcG5nLCovKjtxPTAuOCxhcHBsaWNhdGlvbi9zaWduZWQtZXhjaGFuZ2U7dj1iMztxPTAuOQAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiB6aC1DTix6aDtxPTAuOQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAAAAAoAAAAhUmVmZXJlcjogaHR0cDovL21wLndlaXhpbi5xcS5jb20vAAAABwAAAAAAAAADAAAAAgAAAAVNWU16egAAAAYAAAAMWC1XZWNoYXQtVWluAAAABwAAAAEAAAADAAAAAgAAAAhNTWRhdGE9QQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
5000
port_number
1433
sc_process32
%windir%\syswow64\gpupdate.exe
sc_process64
%windir%\sysnative\gpupdate.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFuKYQt1zNXFqCdxN+bU8dNSNp4sOpNTjHqGGpTaKDTeq1XYdsr0D/D+jxTBDSbrZNRFlpYch0PII1QMy1ptYfAeX5tblsjgLIkuPE6gPNc6XzoXkJe3kPsP00ZUy18cWH+cmm8XMoEf5Vul5KRg/hXvsr5L5vKzVUi1py/JDGowIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.532302592e+09
unknown2
AAAABAAAAAIAAAADAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/mp/wapcommon/report
user_agent
WeChat/8.0.5.32 CFNetwork/1237 Darwin/20.4.0
watermark
100000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 4 IoCs

Processes:

335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe

pid	process
2944	335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe
2944	335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe
2944	335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe
2944	335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI32602\python39.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32602\python39.dll	upx
behavioral2/memory/2944-16-0x00007FF88F210000-0x00007FF88F663000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32602\_ctypes.pyd	upx
behavioral2/memory/2944-21-0x00007FF8A4160000-0x00007FF8A4186000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32602\libffi-7.dll	upx
behavioral2/memory/2944-31-0x00007FF8A4F20000-0x00007FF8A4F2F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32602\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32602\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32602\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32602\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32602\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32602\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32602\select.pyd	upx
behavioral2/memory/2944-33-0x00007FF88F210000-0x00007FF88F663000-memory.dmp	upx
behavioral2/memory/2944-34-0x00007FF8A4160000-0x00007FF8A4186000-memory.dmp	upx

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe

description	pid	process	target process
PID 3260 wrote to memory of 2944	3260	335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe	335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe
PID 3260 wrote to memory of 2944	3260	335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe	335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe

C:\Users\Admin\AppData\Local\Temp\335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe
"C:\Users\Admin\AppData\Local\Temp\335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3260

C:\Users\Admin\AppData\Local\Temp\335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe
"C:\Users\Admin\AppData\Local\Temp\335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe"
2⤵
- Loads dropped DLL
PID:2944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI32602\VCRUNTIME140.dll
Filesize
87KB

MD5
23105a395b807d9335219958b4d0cec1

SHA1
fb60050d82e3bc1be3b10877b9355f5d48e04854

SHA256
61832990e364dca5bfa2c61d930f00acaae6d1aaa3130392403455ae9a1125a5

SHA512
ef91d19e632d0d146fa68d52beb04ffcb9b972079cd9c255f44ea5201637a8b00907ec8e3358c7b5cc37338470e29e43dbaec7ddc0562810b49ab2e8115cc805

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32602\_bz2.pyd
Filesize
45KB

MD5
219a8451c427fd23cfa262faa6041cf3

SHA1
6482e64500876c53deab98ca99864dd193e61a48

SHA256
b91dd44566de3e84f0ecbc37166a21116be086ad7e93d9dbffa15c6f0218b42a

SHA512
6d3c18b98cce0286ee5a4acce88a3647edac782872f10b41e70c046ef4743993eaa6829550eed02de6e72286f25b08b7e9c97287bc1711bb305f8e16912d13ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32602\_ctypes.pyd
Filesize
56KB

MD5
0c573f9d08786016219e33776d1260ac

SHA1
c8f6b6abb6a9a519a008853ddf10742ab2f83985

SHA256
f8a3ffe9ba2a26be3e0b55eab3e5bf6881ddb1b61bed09aa40920d4b0bf28c8d

SHA512
ae12247280f8edd2835d7db698ec3d4104e2cc7b006c7403289872ab95e7f47ac49058e8b1159310eb579eee61ac95b06301f8d4007ffad3ff2dfbcf7bbcd206

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32602\_hashlib.pyd
Filesize
27KB

MD5
0b343828bf74e898f8c38331f4395071

SHA1
80425be1a4ac454073b1e906783c61cd51d90a15

SHA256
c34421146b74b04420f1f046673742c60f9ff106c97b580e297ce107687b182c

SHA512
9f9efffed9ff7044ef6935e8ec5e077a89fe5c4c581f93d7b838cb6ad90ff727c258e9fca7a1b143be2ba034a43f2329d3c77b045a2af324b49f7e4115093e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32602\_lzma.pyd
Filesize
81KB

MD5
50d602c2cc0cf817c39c63f80bf85d02

SHA1
5b8beba0bb5392d50c3a4b289d9f8321b3fb5c46

SHA256
9ed00ec681e1da98288fc35940b81bffd00e67b5542da85ebfe99e2f3df392c1

SHA512
851102810f8037aeb38bd32cfc8cb801c11faca2629f46b4f13bdda41dbc84ba5ef3a2cc0dca5f3b00156b8aea46da0281ff4c8d61e381eb188e6d100a1ea2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32602\_socket.pyd
Filesize
39KB

MD5
69a3e66b0b1ea8d3c6a8735dbee1dd43

SHA1
0ce43638ef48a6463bb9b476e7aa8be116808357

SHA256
6cf09c08586954315ecb17bd98a2c4a10ddbd4c57ec16449c298619f1470e56b

SHA512
7acc80bb3081bd52823b9100e09a60540a988bb4171ca72e8cbd782a7d6b8b672340a80a33addb7eaf34d5437e1e70c4f9a5dc81cc4980fde2f7c379483c6992

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32602\base_library.zip
Filesize
333KB

MD5
1128fea6907f538729731739de523169

SHA1
ca92aeaa3f39a0fc215e5463b7dc41ce5f40313d

SHA256
33c8a83d6f686dc9821d33e80f84e552824865be3f369b3c68c50b8acef05e77

SHA512
f0d3236352cd7f85ea8ea13db882dbd46323b09d3de4ab356a97068ee69f1b999224360b80504f704d0ffbb532f342d45b60d8316095a58a18c4c5b0e4c0e6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32602\libcrypto-1_1.dll
Filesize
193KB

MD5
0a4467975594e2c1269fb16bcf6e807e

SHA1
21fb765f69cde28cb96da8c1e5b5439de734d48f

SHA256
c3f84df38162aef9147ac8ac6e2a57eb731139c41ba0d607218e081ec456f160

SHA512
0e96bd53b76e91f33643f9c82e4cc20e9bc1cd2ffa077f92293babad0165953f7079b03a5cfa34752bda6779b99bb81fd5e7b2d483892a6a8e266eb335610574

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32602\libffi-7.dll
Filesize
23KB

MD5
c8bce736d2b0dd3620bcdb85e99d91a1

SHA1
37fae34a4d0c0874a484e117d558209cedceb17c

SHA256
fea8a1318c8b8d442ad2773a8ef84e0acac1f837326e8ded6636c4458f2ee399

SHA512
39b3eb8c15d921736ce23d7630ff6b1242bf6ec76457f50e648470059ff453a98ded2a25dfe743b7ba910ab8c0dfca478f8a7e00989a5c12035283f28022d6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32602\python39.dll
Filesize
617KB

MD5
f18bafd7d7aa37336a8e19987fdb96a2

SHA1
6ce6caaf3e094db57c49c9e32722340ad37cd172

SHA256
e0237a0f50f5e90d49f52ac069a4075b3ee59061cbe0be5008fb38ff888b8728

SHA512
db67bdbbd2316b9b2bff8cf00f33c4d56597d342a0a05431903c3f2c33ed8609ee9680a5317689cbe558a1934129a9e1dd1fe0bbb70bd8dad67503274c0e86f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32602\python39.dll
Filesize
534KB

MD5
48a5212a2341e4368505b59d079a858d

SHA1
cf2afc9854f181cdddcad33da533bb1d5a851e77

SHA256
8bdea73c42f67b64bfa886bcdb67d1f9ef9615e7c346575ce5b11e8b11b56287

SHA512
04665da167af8adeeb46583203cee3f819a4dcd55c385e8f8bcb0e889c9d64d104b81c67b17c4c2e788bc342142bb3b4e6f294978abf0b787a45238186603e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32602\select.pyd
Filesize
21KB

MD5
c8b0bbe4a7a935b8ff1ce780b246494e

SHA1
7d337a41556457d1a33978fe50ecefe9f458e72c

SHA256
e2c0cc0cd9f86f9c7f949b3f77a41d8c8c19e55ce3a875d2513f33e71c77013e

SHA512
62c11736c461ce4e308a64cdf50ecc8e7c0fa7a5673f9cb0b57596ae11de480cdb3d2b5dc54a839a4f2ec2bfec9d0e26583af48cbc4f7535c1943b25ac45e749

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32602\unicodedata.pyd
Filesize
257KB

MD5
e4d602d01638ce6571b61a4e6fc590f4

SHA1
bd950b2a26c97145d3e4751f0766a34294dfce8a

SHA256
f95a1a557e14d1de6dc8cee3de5bc5a4fb01bb0e8481b612fe886104e2f42731

SHA512
abd0f5db2d554c00edc1bd2e1c6a9ab54de71e47a6c96bd2c2b2571a1e53652543f95cb65a40997679885c5ff66af6f6b5ed33cdab8af33ce7b86fe28de71109

Download Submit
memory/2944-31-0x00007FF8A4F20000-0x00007FF8A4F2F000-memory.dmp

Filesize
60KB

Download
memory/2944-16-0x00007FF88F210000-0x00007FF88F663000-memory.dmp

Filesize
4.3MB

Download
memory/2944-30-0x0000026ABE1A0000-0x0000026ABE1E1000-memory.dmp

Filesize
260KB

Download
memory/2944-32-0x0000026ABE1F0000-0x0000026ABE662000-memory.dmp

Filesize
4.4MB

Download
memory/2944-21-0x00007FF8A4160000-0x00007FF8A4186000-memory.dmp

Filesize
152KB

Download
memory/2944-33-0x00007FF88F210000-0x00007FF88F663000-memory.dmp

Filesize
4.3MB

Download
memory/2944-34-0x00007FF8A4160000-0x00007FF8A4186000-memory.dmp

Filesize
152KB

Download