cobaltstrike | cobaltstrike[.]payload-disk

Sharing

Copy URL

Twitter E-mail

General

Target

cobaltstrike.payload-disk
Size

259KB
MD5

845fd3e6b8a69210ab647af9134fdafb
SHA1

b530ccf9b4abd3ef68c45901cf7a6cb7302b3d36
SHA256

a72feb94ecd16ebdf9274a509abf7481aba3cf23642aff845d774cf6e23a6504
SHA512

1b0429da92fd15d294242efa8b05ca5d40117065023fd5f2fe0be1ab37fa27ab983b75d7909b324b7d0d49e333ab9f35bc52e1da1f7bc43d046fb6244dffffe9
SSDEEP

3072:1Jq1fXrluNlvO5GW/AjgytgugJqhJeGkTpX1KcBSEHYVD90vCgfPBBYJszrHc3e:1JqKG5dugyibgkTZI6jHID90akB3H/

Score

10^/10

100000000 cobaltstrike

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

http://0.0xo.lat:2083/massaction.html

Attributes

access_type
512
beacon_type
2048
host
0.0xo.lat,/massaction.html
http_header1
AAAAEAAAAA9Ib3N0OiAwLjB4by5sYXQAAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAMAAAACAAAABUhTSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAAA9Ib3N0OiAwLjB4by5sYXQAAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAACgAAABVBY2NlcHQtRW5jb2Rpbmc6IGd6aXAAAAAKAAAAGENvbnRlbnQtVHlwZTogdGV4dC9wbGFpbgAAAAcAAAABAAAADwAAAAMAAAAEAAAABwAAAAAAAAADAAAAAgAAAA5fX3Nlc3Npb25fX2lkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9984
polling_time
61882
port_number
2083
sc_process32
%windir%\syswow64\runonce.exe
sc_process64
%windir%\sysnative\runonce.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzsonrmxliSNkZLrIr1jUfT2tvoGJcP2qf+n6vp+e1XiDRxysmU+LwwkZG13AMH8IfOLb6j0rTjZ9aDe0sbY1nV0Pr58cWJ75gBpoIbbzv+1/rpx+Ou3A/EPLL31F0HGSYyW1zXOHw+UCojPsGGed4ePpfkDSxxIrP302ERHjE7wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
5.10860288e+08
unknown2
AAAABAAAAAIAAAFSAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/be
user_agent
Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; RM-1152) AppleWebKit/537.36 (KHTML, like Gecko)
watermark
100000000

Signatures

Cobaltstrike family
cobaltstrike
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

cobaltstrike.payload-disk

resource
cobaltstrike.payload-disk

Files

cobaltstrike.payload-disk
.dll windows:5 windows x64 arch:x64

75b699ff41c6086060b20466ba2e54ea

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_SYSTEM
IMAGE_FILE_DLL

Imports

��

��
��
��=��
��
��
��
��
��
��
��
��+��
��+��
��
��
��
��
��p
��`��Â��
��Â��
��
��
��
��
��
��񐭢��
��񅪱��񍦻��
��񍦻��
��
��
��
��É
��É
��
��'��À��
��À��
��
��Ï��È
��È
��
��
��
��
��n��
��
��
��
��
��
��
��f��
��
��
��Û��
��
��񅪱��
��񍦻��
��
��
��
��
��
��
��
��
��
��
��Z��
��i��Z��
��
��
��
��
��
��]��
��4��]��
��
��
��
��
��ô��
��e��ô��
��
��>��
��
��
��a��
��Ï
��
��
��
��
��
��
��
��Ì��
��
��
��
��
��Á
��
��
��
��
��
��
��à��
�� à��
��
��
��L��
��
��
��
��À��Ì��
��Ì��
��Ì��
��
��
��
��
��
��
��
��
��
��
��
��
��
��
��
��
��j��
��j��
��j��
��
��
��
��x�� à��
��x�� à��
��
��
��ð
��
��
��
��
��
��É��
��Ð��É��
��
��
��
��
��d��
��~
��
��{
��s��{
��Ö��s��{
��

��6

��
��q
��
��
��
��
��W
��
��
��
��
��k

��

ord19
ord4
��
��
ord23
ord115
ord3
ord14
ord9
ord8
ord52
ord15
ord10
ord16
ord22
ord111
ord151
ord1
ord2
ord13
ord18
ord116

Exports

Exports

EncryptFull

Sections

��
Size: 174KB - Virtual size: 173KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

��
Size: 62KB - Virtual size: 62KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

��
Size: 9KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

��
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

��
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

75b699ff41c6086060b20466ba2e54ea

Headers

DLL Characteristics

File Characteristics

Imports

�������������

������������6

�����������

Exports

Exports

Sections

������ Size: 174KB - Virtual size: 173KB

������� Size: 62KB - Virtual size: 62KB

������ Size: 9KB - Virtual size: 52KB

������� Size: 8KB - Virtual size: 8KB

������� Size: 4KB - Virtual size: 3KB

��

��6

��

��
Size: 174KB - Virtual size: 173KB

��
Size: 62KB - Virtual size: 62KB

��
Size: 9KB - Virtual size: 52KB

��
Size: 8KB - Virtual size: 8KB

��
Size: 4KB - Virtual size: 3KB