cobaltstrike | 2aee2a36ad7f4a9ad5e7b0e719123426181cad19a993ae68e661aa1104670a6e

General

Target

2aee2a36ad7f4a9ad5e7b0e719123426181cad19a993ae68e661aa1104670a6e.exe
Size

233KB
MD5

9cdcbd88913250c12039ec48304d33f1
SHA1

636b18c236d0942f7f7bf01361644975e4fc3f5c
SHA256

2aee2a36ad7f4a9ad5e7b0e719123426181cad19a993ae68e661aa1104670a6e
SHA512

e4c11d4658f52f3c15746f4e2c867b5028c8e01664754f4402d992d38f299d4802781ff8703c0d846aaf17b014db3b7a7484aa6d5d0a95d2ea3869a43fbd378a
SSDEEP

6144:XdohHGQu/5PTjz/ZvzRvzwhrZqGuwblehMrkpQVKSV:toxGNyhQ7Gkp

Score

10^/10

cobaltstrike 100000000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://yj233.eu.org:8443/68D2NOF2

Attributes

user_agent
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ) AppleWebKit/534.12 (KHTML, like Gecko) Maxthon/3.0 Safari/534.12 Host: yj233.eu.org

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://yj233.eu.org:8443/milu_image/

Attributes

access_type
512
beacon_type
2048
host
yj233.eu.org,/milu_image/
http_header1
AAAACgAAAEhBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKmw7cT0wLjgAAAAQAAAAEkhvc3Q6IHlqMjMzLmV1Lm9yZwAAAAoAAAAdUmVmZXJlcjogaHR0cDovL3d3dy5iYWlkdS5jb20AAAAKAAAAEFByYWdtYTogbm8tY2FjaGUAAAAKAAAAF0NhY2hlLUNvbnRyb2w6IG5vLWNhY2hlAAAABwAAAAAAAAAIAAAAAQAAAAMuanMAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAABAAAAASSG9zdDogeWoyMzMuZXUub3JnAAAACgAAAB1SZWZlcmVyOiBodHRwOi8vd3d3LmJhaWR1LmNvbQAAAAoAAAAQUHJhZ21hOiBuby1jYWNoZQAAAAoAAAAXQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUAAAAHAAAAAAAAAAsAAAABAAAAAy5qcwAAAAwAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
8443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCXzVfWel/90Fn/Eccx/b7r8AU8twZTFIbvbg7cILGfanFO7Y4sarIf3myiYyHa9Y+uru20qMhPxXUpJju1PM92gmj6ruHpn8b1iUIRbCXbTNOKHlZv3W9H7HQCs/ax3GdB/KFMNRrpspFbtXjkKbMai60qngbYIL9FkU8zTLZOIwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/milu_email/
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
watermark
100000000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2aee2a36ad7f4a9ad5e7b0e719123426181cad19a993ae68e661aa1104670a6e.exe

pid	process
3976	2aee2a36ad7f4a9ad5e7b0e719123426181cad19a993ae68e661aa1104670a6e.exe
3976	2aee2a36ad7f4a9ad5e7b0e719123426181cad19a993ae68e661aa1104670a6e.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	3592	Explorer.EXE
Token: SeCreatePagefilePrivilege	3592	Explorer.EXE
Token: SeShutdownPrivilege	3592	Explorer.EXE
Token: SeCreatePagefilePrivilege	3592	Explorer.EXE
Token: SeShutdownPrivilege	3592	Explorer.EXE
Token: SeCreatePagefilePrivilege	3592	Explorer.EXE
Token: SeShutdownPrivilege	3592	Explorer.EXE
Token: SeCreatePagefilePrivilege	3592	Explorer.EXE
Token: SeShutdownPrivilege	3592	Explorer.EXE
Token: SeCreatePagefilePrivilege	3592	Explorer.EXE
Token: SeShutdownPrivilege	3592	Explorer.EXE
Token: SeCreatePagefilePrivilege	3592	Explorer.EXE
Token: SeShutdownPrivilege	3592	Explorer.EXE
Token: SeCreatePagefilePrivilege	3592	Explorer.EXE
Token: SeShutdownPrivilege	3592	Explorer.EXE
Token: SeCreatePagefilePrivilege	3592	Explorer.EXE

Suspicious use of WriteProcessMemory 1 IoCs

Processes:

2aee2a36ad7f4a9ad5e7b0e719123426181cad19a993ae68e661aa1104670a6e.exe

description	pid	process	target process
PID 3976 wrote to memory of 3592	3976	2aee2a36ad7f4a9ad5e7b0e719123426181cad19a993ae68e661aa1104670a6e.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Users\Admin\AppData\Local\Temp\2aee2a36ad7f4a9ad5e7b0e719123426181cad19a993ae68e661aa1104670a6e.exe
"C:\Users\Admin\AppData\Local\Temp\2aee2a36ad7f4a9ad5e7b0e719123426181cad19a993ae68e661aa1104670a6e.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3592-0-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/3592-1-0x000000000B830000-0x000000000BC30000-memory.dmp

Filesize
4.0MB

Download
memory/3592-2-0x00000000085F0000-0x000000000863F000-memory.dmp

Filesize
316KB

Download
memory/3592-3-0x00000000085F0000-0x000000000863F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads