cobaltstrike | 02d0c77a7d4d3d68642195cb0f0184201eba8989eb8785c1b472d9f32c1800ea

General

Target

02d0c77a7d4d3d68642195cb0f0184201eba8989eb8785c1b472d9f32c1800ea.exe
Size

485KB
MD5

a18654d481180095470fb39473858b00
SHA1

89e256821dc92c1cad75657ff5775b36df9e620c
SHA256

02d0c77a7d4d3d68642195cb0f0184201eba8989eb8785c1b472d9f32c1800ea
SHA512

14948a34adfed4e99f6005d2cec117fe1a491b6fb18a01c96f68d53960afd9ed607cc68535e7ae0f451f96833b4908118693ce1bd24ee75b8acfbc7011f5e41b
SSDEEP

12288:Q1ujiIigBhMI23nJMBevMpDeF79QqZcI8mVKYYe5y:HdPJ23JPvMpiFfL8mQYy

Score

10^/10

cobaltstrike 391144938 backdoor trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

391144938

C2

http://192.168.229.128:80/dot.gif

Attributes

access_type
512
host
192.168.229.128,/dot.gif
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
80
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCau7IWRfcNRveeGt2Xz6wW7fB0u4jX04PCoASbhXvyYBNFXd2vCJo2oqNDu9YMezfJ5wt0vabVHTAUtzStETBZzqJM6DO1CrLLHIe6Pgcur6izt4mf79Dnse5eABSO3zj56hAVqpg73GnX5CaTzQsbJKxv8Yo7gwOCN7Gsg+iskwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENCA)
watermark
391144938

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2928 created 3460	2928	02d0c77a7d4d3d68642195cb0f0184201eba8989eb8785c1b472d9f32c1800ea.exe	41

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2928-0-0x0000000000400000-0x000000000053D000-memory.dmp	upx
behavioral2/memory/2928-19-0x0000000000400000-0x000000000053D000-memory.dmp	upx
behavioral2/memory/2928-25-0x0000000000400000-0x000000000053D000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2928	02d0c77a7d4d3d68642195cb0f0184201eba8989eb8785c1b472d9f32c1800ea.exe
2928	02d0c77a7d4d3d68642195cb0f0184201eba8989eb8785c1b472d9f32c1800ea.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
2928	02d0c77a7d4d3d68642195cb0f0184201eba8989eb8785c1b472d9f32c1800ea.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2108	2928	02d0c77a7d4d3d68642195cb0f0184201eba8989eb8785c1b472d9f32c1800ea.exe	103
PID 2928 wrote to memory of 2108	2928	02d0c77a7d4d3d68642195cb0f0184201eba8989eb8785c1b472d9f32c1800ea.exe	103
PID 2928 wrote to memory of 2108	2928	02d0c77a7d4d3d68642195cb0f0184201eba8989eb8785c1b472d9f32c1800ea.exe	103

C:\Users\Admin\AppData\Local\Temp\02d0c77a7d4d3d68642195cb0f0184201eba8989eb8785c1b472d9f32c1800ea.exe
"C:\Users\Admin\AppData\Local\Temp\02d0c77a7d4d3d68642195cb0f0184201eba8989eb8785c1b472d9f32c1800ea.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3460
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:2108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2108-24-0x0000000001290000-0x00000000012D4000-memory.dmp

Filesize
272KB

Download
memory/2108-26-0x0000000001670000-0x00000000016C2000-memory.dmp

Filesize
328KB

Download
memory/2108-27-0x00000000035F0000-0x00000000035F2000-memory.dmp

Filesize
8KB

Download
memory/2108-28-0x0000000001670000-0x00000000016C2000-memory.dmp

Filesize
328KB

Download
memory/2928-0-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2928-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2928-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2928-19-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2928-25-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing