cobaltstrike | c1898219b1796112547649fa7c1b623fb8fdac78b17860175ddd504960de80f5

General

Target

AliyunScan.exe
Size

778KB
MD5

7f7b9a45ca794a926be38a1b76a2ddb4
SHA1

28bd7770545f3c9bf90df0bce69ac66f946f20fe
SHA256

c1898219b1796112547649fa7c1b623fb8fdac78b17860175ddd504960de80f5
SHA512

ee4179826188301f2d01b006825475699ae1d8b43458c71c1fe35bdc61fd78ad37566a691eb60e5bf6194e90a1afcc87e930ed8d9b5bf4e9f31e52f51768038f
SSDEEP

12288:n8GHPLJOG4wUSo2aHBzEeKacGa6lM6hzlNK:nRHDoyo2aHBzTcGa6lZNlNK

Score

10^/10

cobaltstrike 100000000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://update.chrome-update.net:2083/jquery-3.3.2.slim.min.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://update.chrome-update.net:2083/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
update.chrome-update.net,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
2083
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCEt+P0E8qf/s+sWVB9d+CwaDZAh4Qo04HQHubXNGyZZhGWosAdtvJmtDl2pP15wgfaWXSnAaMuhVTHWA2Hx31xAmtK0xG9PSyX4IfwiegoQAldKAjl4svdC9LbHd+qHiOcwkUpdrKggeoiDvMtpDJW0+PW28Gioyeqm4Do3PB+jwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
100000000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

AliyunScan.exeAliyunScan.exe

description	pid	process	target process
PID 2184 wrote to memory of 2296	2184	AliyunScan.exe	AliyunScan.exe
PID 2184 wrote to memory of 2296	2184	AliyunScan.exe	AliyunScan.exe
PID 2184 wrote to memory of 2296	2184	AliyunScan.exe	AliyunScan.exe
PID 2296 wrote to memory of 2468	2296	AliyunScan.exe	calc.exe
PID 2296 wrote to memory of 2468	2296	AliyunScan.exe	calc.exe
PID 2296 wrote to memory of 2468	2296	AliyunScan.exe	calc.exe
PID 2296 wrote to memory of 2468	2296	AliyunScan.exe	calc.exe

C:\Users\Admin\AppData\Local\Temp\AliyunScan.exe
"C:\Users\Admin\AppData\Local\Temp\AliyunScan.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Local\Temp\AliyunScan.exe
C:\Users\Admin\AppData\Local\Temp\AliyunScan.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\system32\calc.exe
calc.exe
3⤵
PID:2468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabA095.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD416.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2184-1-0x000000013F7E0000-0x000000013F8AE000-memory.dmp

Filesize
824KB

Download
memory/2184-42-0x000000013F7E0000-0x000000013F8AE000-memory.dmp

Filesize
824KB

Download
memory/2296-2-0x000000013F7E0000-0x000000013F8AE000-memory.dmp

Filesize
824KB

Download
memory/2468-3-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2468-20-0x0000000003500000-0x0000000003972000-memory.dmp

Filesize
4.4MB

Download
memory/2468-21-0x0000000003100000-0x0000000003500000-memory.dmp

Filesize
4.0MB

Download
memory/2468-45-0x0000000003100000-0x0000000003500000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads