cobaltstrike | c1898219b1796112547649fa7c1b623fb8fdac78b17860175ddd504960de80f5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2024 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AliyunScan.exe
Size

778KB
MD5

7f7b9a45ca794a926be38a1b76a2ddb4
SHA1

28bd7770545f3c9bf90df0bce69ac66f946f20fe
SHA256

c1898219b1796112547649fa7c1b623fb8fdac78b17860175ddd504960de80f5
SHA512

ee4179826188301f2d01b006825475699ae1d8b43458c71c1fe35bdc61fd78ad37566a691eb60e5bf6194e90a1afcc87e930ed8d9b5bf4e9f31e52f51768038f
SSDEEP

12288:n8GHPLJOG4wUSo2aHBzEeKacGa6lM6hzlNK:nRHDoyo2aHBzTcGa6lZNlNK

Score

10^/10

cobaltstrike 100000000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

http://update.chrome-update.net:2083/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
update.chrome-update.net,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
2083
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCEt+P0E8qf/s+sWVB9d+CwaDZAh4Qo04HQHubXNGyZZhGWosAdtvJmtDl2pP15wgfaWXSnAaMuhVTHWA2Hx31xAmtK0xG9PSyX4IfwiegoQAldKAjl4svdC9LbHd+qHiOcwkUpdrKggeoiDvMtpDJW0+PW28Gioyeqm4Do3PB+jwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
100000000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

AliyunScan.exeAliyunScan.exe

description	pid	process	target process
PID 740 wrote to memory of 508	740	AliyunScan.exe	AliyunScan.exe
PID 740 wrote to memory of 508	740	AliyunScan.exe	AliyunScan.exe
PID 508 wrote to memory of 3700	508	AliyunScan.exe	calc.exe
PID 508 wrote to memory of 3700	508	AliyunScan.exe	calc.exe
PID 508 wrote to memory of 3700	508	AliyunScan.exe	calc.exe

C:\Windows\SYSTEM32\calc.exe
calc.exe
1⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\AliyunScan.exe
C:\Users\Admin\AppData\Local\Temp\AliyunScan.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:508

C:\Users\Admin\AppData\Local\Temp\AliyunScan.exe
"C:\Users\Admin\AppData\Local\Temp\AliyunScan.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/508-4-0x00007FF7C9300000-0x00007FF7C93CE000-memory.dmp

Filesize
824KB

Download
memory/740-3-0x00007FF7C9300000-0x00007FF7C93CE000-memory.dmp

Filesize
824KB

Download
memory/740-9-0x00007FF7C9300000-0x00007FF7C93CE000-memory.dmp

Filesize
824KB

Download
memory/3700-5-0x000002908FBF0000-0x0000029090062000-memory.dmp

Filesize
4.4MB

Download
memory/3700-6-0x000002908F7F0000-0x000002908F948000-memory.dmp

Filesize
1.3MB

Download
memory/3700-11-0x000002908F7F0000-0x000002908F948000-memory.dmp

Filesize
1.3MB

Download