cobaltstrike | 61a13ccc4df37d04b1528aa007ef22173829e9ff41e4c44dcf58be2f139e9954

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 19:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

99f3fdac186020aa08025af4dfe918ab.exe
Size

7.4MB
MD5

99f3fdac186020aa08025af4dfe918ab
SHA1

4669a65831217b29cbd2676076252df59f63b5bf
SHA256

61a13ccc4df37d04b1528aa007ef22173829e9ff41e4c44dcf58be2f139e9954
SHA512

8dad096ebc996ac9f151234cc467ef084e72373119e4fef2d0e5849569798d3853534192847f71feb0f74084e15c0d7967a78003f34dbf271dac1e5cb924b72b
SSDEEP

196608:A7+gp1DAVhQ9onJ5hrZER9xQ3jo4UKa37+JTzLM:apNAVm9c5hlER9xA2BSNz

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://192.168.124.129:809626fe7dcd8d412a80d0b3f0e36afd4a.jpg

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENCA)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 7 IoCs

pid	Process
1580	99f3fdac186020aa08025af4dfe918ab.exe
1580	99f3fdac186020aa08025af4dfe918ab.exe
1580	99f3fdac186020aa08025af4dfe918ab.exe
1580	99f3fdac186020aa08025af4dfe918ab.exe
1580	99f3fdac186020aa08025af4dfe918ab.exe
1580	99f3fdac186020aa08025af4dfe918ab.exe
1580	99f3fdac186020aa08025af4dfe918ab.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1580	2172	99f3fdac186020aa08025af4dfe918ab.exe	85
PID 2172 wrote to memory of 1580	2172	99f3fdac186020aa08025af4dfe918ab.exe	85

C:\Users\Admin\AppData\Local\Temp\99f3fdac186020aa08025af4dfe918ab.exe
"C:\Users\Admin\AppData\Local\Temp\99f3fdac186020aa08025af4dfe918ab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\99f3fdac186020aa08025af4dfe918ab.exe
  "C:\Users\Admin\AppData\Local\Temp\99f3fdac186020aa08025af4dfe918ab.exe"
  2⤵
  - Loads dropped DLL
  PID:1580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI21722\VCRUNTIME140.dll

Filesize
91KB

MD5
7942be5474a095f673582997ae3054f1

SHA1
e982f6ebc74d31153ba9738741a7eec03a9fa5e8

SHA256
8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c

SHA512
49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\_ctypes.pyd

Filesize
123KB

MD5
b74f6285a790ffd7e9ec26e3ab4ca8df

SHA1
7e023c1e4f12e8e577e46da756657fd2db80b5e8

SHA256
c1e3e9548243ca523f1941990477723f57a1052965fccc8f10c2cfae414a6b8a

SHA512
3a700638959cbd88e8a36291af954c7ccf00f6101287fc8bd3221ee31bd91b7bd1830c7847d8c2f4f07c94bc233be32a466b915283d3d2c66abed2c70570c299

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\_socket.pyd

Filesize
78KB

MD5
0df2287791c20a764e6641029a882f09

SHA1
8a0aeb4b4d8410d837469339244997c745c9640c

SHA256
09ab789238120df329956278f68a683210692c9bcccb8cd548c771e7f9711869

SHA512
60c24e38ba5d87f9456157e3f4501f4ffabce263105ff07aa611b2f35c3269ade458dbf857633c73c65660e0c37aee884b1c844b51a05ced6aed0c5d500006de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\base_library.zip

Filesize
758KB

MD5
beb4c0da2cf0a5d2dd5219f04db24004

SHA1
944ccafb653b02e2997a98c9f17e10b3f06b70da

SHA256
05473737f04ffa0e0400013384e217a9a5ca9a4c107af08ac278cff07afda105

SHA512
b6c1bfdc40e93658ea3f490e84080c0aa0f2e16d2f117040b2981f72adefe3686910b130ca267df12be7c9aba6e8920d10c145307501df5ac038439b255aec81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\python39.dll

Filesize
4.2MB

MD5
c4b75218b11808db4a04255574b2eb33

SHA1
f4a3497fb6972037fb271cfdc5b404a4b28ccf07

SHA256
53f27444e1e18cc39bdb733d19111e392769e428b518c0fc0839965b5a5727a2

SHA512
0b7ddbe6476cc230c7bdd96b5756dfb85ab769294461d1132f0411502521a2197c0f27c687df88a2cd1ab53332eaa30f17fa65f93dac3f5e56ed2b537232e69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\select.pyd

Filesize
27KB

MD5
a2a4cf664570944ccc691acf47076eeb

SHA1
918a953817fff228dbd0bdf784ed6510314f4dd9

SHA256
b26b6631d433af5d63b8e7cda221b578e7236c8b34b3cffcf7630f2e83fc8434

SHA512
d022da9e2606c5c3875c21ba8e1132ad8b830411d6ec9c4ddf8ebd33798c44a7e9fe64793b8efb72f3e220bb5ce1512769a0398ecc109f53f394ea47da7a8767

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\ucrtbase.dll

Filesize
1020KB

MD5
2c8fe06966d5085a595ffa3c98fe3098

SHA1
e82945e3e63ffef0974d6dd74f2aef2bf6d0a908

SHA256
de8d08d01291df93821314176381f3d1ae863e6c5584a7f8ea42f0b94b15ef65

SHA512
fb08838983c16082a362b3fc89d5b82e61ae629207c13c3cb76b8a0af557ad95c842ce5197ae458b5af61e5449cbab579f509fa72866308aa6fbd3d751522d0f

Download Submit
memory/1580-75-0x000001AEEFEC0000-0x000001AEEFEC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads