cobaltstrike | b94be764e5eb87917b37e4940d10782e78b8c7b097cd344019e279199b506d13 | Triage

Sharing

General

Target

573e3d2fcde58ae09638709e78e394c8
Size

906KB
Sample

240112-xlk79aeda5
MD5

573e3d2fcde58ae09638709e78e394c8
SHA1

ab32f2bd40209a61567111dd6569bcde8501469c
SHA256

b94be764e5eb87917b37e4940d10782e78b8c7b097cd344019e279199b506d13
SHA512

cb321d8a62cbe499827e79b934a207d4fe5c755b9561587fa1aff2252bd1e69bbbe3c79af5117b6ea0ea190aa14d21c15b5247824a08d7526557830adbcb1c41
SSDEEP

12288:mlalun4QO0ONLVUL4TEtZvAcp2QGh64J6JgL3j7CzyAdlAUhCp5f7VqF:QalyO+4TEvASTGPJ6jOzU83

Score

10^/10

cobaltstrike 0 426352781 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

426352781

C2

http://5.133.109.104:81/activity

Attributes

access_type
512
host
5.133.109.104,/activity
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
81
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrsjeqVfPwUMvPnbo+bT2xEGxtknCsC2Ujlv+sXxLyCjlJQt0eAuPnIYwS0cknvO0bO/Jh82BaxPVuCw3fkHupUnYhJmr0yCUBQ0NNeeMj9kSltQwhv2Ir+5ru2gLq3dWq9RIafqxY5XqdBErhhOzmAM52RGoCaDQKnSpLPOAIbQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET4.0C)
watermark
426352781

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Targets

- Target
  
  573e3d2fcde58ae09638709e78e394c8
- Size
  
  906KB
- MD5
  
  573e3d2fcde58ae09638709e78e394c8
- SHA1
  
  ab32f2bd40209a61567111dd6569bcde8501469c
- SHA256
  
  b94be764e5eb87917b37e4940d10782e78b8c7b097cd344019e279199b506d13
- SHA512
  
  cb321d8a62cbe499827e79b934a207d4fe5c755b9561587fa1aff2252bd1e69bbbe3c79af5117b6ea0ea190aa14d21c15b5247824a08d7526557830adbcb1c41
- SSDEEP
  
  12288:mlalun4QO0ONLVUL4TEtZvAcp2QGh64J6JgL3j7CzyAdlAUhCp5f7VqF:QalyO+4TEvASTGPJ6jOzU83
Score

10^/10

cobaltstrike 0 426352781 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cobaltstrike0426352781backdoortrojan

behavioral2

cobaltstrike0426352781backdoortrojan