cobaltstrike | e0b2d7778010d7131444228e96cf7d84176264d45cde990963dce6a24f17b522

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53568bce616590a84be3d29cb6c8d6ab.exe
Size

3.7MB
MD5

53568bce616590a84be3d29cb6c8d6ab
SHA1

cc67a3f4a8912b33e31848cfa010c2f1f38b23af
SHA256

e0b2d7778010d7131444228e96cf7d84176264d45cde990963dce6a24f17b522
SHA512

89aa601a075506ec4e454f8d2dc92730b808f23ffcfa9ce82f921bceefd5d9b80eac0068f5431147cfdfc572cb2268bfeee4454ca2fc053af769e1cde059cb1f
SSDEEP

98304:dekYINu4u6Q9eTTbW0mK2ZvfujtiJVPOOwexy2sovk/a:oIofm2Zkm5E2sovk/

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://192.168.126.130:808/5jPn

Attributes

user_agent
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 3 IoCs

pid	Process
1656	53568bce616590a84be3d29cb6c8d6ab.exe
1656	53568bce616590a84be3d29cb6c8d6ab.exe
1656	53568bce616590a84be3d29cb6c8d6ab.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1656	2396	53568bce616590a84be3d29cb6c8d6ab.exe	28
PID 2396 wrote to memory of 1656	2396	53568bce616590a84be3d29cb6c8d6ab.exe	28
PID 2396 wrote to memory of 1656	2396	53568bce616590a84be3d29cb6c8d6ab.exe	28

C:\Users\Admin\AppData\Local\Temp\53568bce616590a84be3d29cb6c8d6ab.exe
"C:\Users\Admin\AppData\Local\Temp\53568bce616590a84be3d29cb6c8d6ab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\53568bce616590a84be3d29cb6c8d6ab.exe
  "C:\Users\Admin\AppData\Local\Temp\53568bce616590a84be3d29cb6c8d6ab.exe"
  2⤵
  - Loads dropped DLL
  PID:1656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI23962\MSVCR90.dll

Filesize
627KB

MD5
46cc8d6be2f69604b07a3307a8a5d0b0

SHA1
16f0a8aea5a7ad5cbbc23b901e167db99e28dcad

SHA256
d4228163ebe222d6b613bc021b56356f87c094e2a0cc601ecb764a24a0eddeda

SHA512
e1cbbc47d086588831b46a084fa72940324f0907017458ad9659644ab875bfb45dba838ae6639743901067c2798dcee221d52e90ea85e2b09270c3458d4ba226

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23962\_ctypes.pyd

Filesize
119KB

MD5
f5ec0b24dfc7952241c7a86abfb61455

SHA1
84176ec5d9f6d106a3ac1724539dfccb7c4c6c33

SHA256
6c560fb6bac55b5b75ecd80d6f6efe797544fb6db060818f0a6e510ac5abd191

SHA512
91fad0a9b3a887b227fc5e40ebd0dc2e3a37805c02185ccd91547575e02c8196c76b96ce4bcc463e9993190e3b0a67ab5c8af1f5ada557f346a194455bc83040

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23962\payload.exe.manifest

Filesize
1KB

MD5
378be9f7a2759c42ad1ae8d85b5b8808

SHA1
5e47069dbb56dcef6e1ba8661c18e76b10bd360f

SHA256
fca39507650a96dba22eaf43973972c305b1412dfb9723556ff24dae8f59c54a

SHA512
dc0efbf5ef53a6c430e0abeb328f36b6db16632bd370a259eccad96c8a13f4bac6f1b91d8d6f679765df8d06bc7793ad9cfd2a07f373d9edd340c95b1d783ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23962\python27.dll

Filesize
3.2MB

MD5
692d1c14a49c6dd0c2403d8d6e31eeb2

SHA1
e26b446d7c714bf656f427b86ba477f3ecfd9e68

SHA256
e23b4e02d0fa7fc40e5fa06a2a4d23204c0e6e947b44ba209d8bad6715915b30

SHA512
43b7472b7c42e01d088612d58336469f640dca05327e5b0ac6502858ee19509598c2b4cffb1ee365e9ed850f00fe68e602ecb864518c65a2410f75c742f8d7ce

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23962\python27.dll

Filesize
2.8MB

MD5
888ff51875a13df9a7ab1f71044c989d

SHA1
093bf6aa4a19a9c80f60917a88072c56af52be77

SHA256
d949e67a1cea81afbb4b979a50a196684abd4f7dc472f8a711a10ad97297d366

SHA512
93d27ff7c09a5047955c20f0324c51561fc54350e155082039f8d01d6c7af32abdc466b88dc5d8ea6f80449d8a4441134b32f885ab95ffac93e34476c5918547

Download Submit
memory/1656-18-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1656-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads