cobaltstrike

General

Target

beacon.exe
Size

281KB
Sample

240216-zs963aff2x
MD5

de65b501459697d36d11dbf2491236e7
SHA1

5714627e6db00c4e69cc8df46c41ea13281fd01d
SHA256

d4c42f794660fc88a72901227f235bd0842f876af1d709c3a02fca4a13eb3364
SHA512

fa17a41b2e52e35a272a8779cf1dd6e32fae87fcec17a777f3909bdbc7e6ee1125b2e06a79d9df22e2d97a3c09e9dd66d87cb78582351f776ad204fef53cf063
SSDEEP

3072:vCQ0ubemHIuC43ShtsjKEI9VVQb8nIg7y66jbytxFchKPHYz7D/gpEoelpJhH/Sr:vCG/OdlBQoIg7y6KbOFcaHQvlpJhH/s

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

426352781

C2

http://sso.infra-dpf.com:443/common/oauth2/1.0/authorize?client_id=1

Attributes

access_type
512
beacon_type
2048
host
sso.infra-dpf.com,/common/oauth2/1.0/authorize?client_id=1
http_header1
AAAABwAAAAAAAAAPAAAADQAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAAAAAcAAAABAAAADwAAAA0AAAAMAAAABwAAAAAAAAAPAAAADQAAAAIAAAAIY2FwdGNoYT0AAAABAAAADiZidXR0b249c3VibWl0AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\wbem\wmiprvse.exe -Embedding
sc_process64
%windir%\sysnative\wbem\wmiprvse.exe -Embedding
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGansJ7mCLGdtVFTAJlLG5+1HWoHiw/xwZ+9hp4Qkcs3jZPJcxS35msi9EY6SfnthfKNn4EZS4At9BMSjQTA4KPmsR4mfU7VTpzsUnokI+RqG50nhmFdeM0RlSHOP/nmASEpMD3UsENV6DPrlNCvOEG5+oKAMXNpU9v3E0oRWjFQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.951732992e+09
unknown2
AAAABAAAAAMAAAAPAAAAAgAAABMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
1.610612736e+09
uri
/common/oauth2/v2.0/authorize?client_id=1
user_agent
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2) Gecko/20100115 Ubuntu/10.04 (lucid) Firefox/3.6
watermark
426352781

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Targets

- Target
  
  beacon.exe
- Size
  
  281KB
- MD5
  
  de65b501459697d36d11dbf2491236e7
- SHA1
  
  5714627e6db00c4e69cc8df46c41ea13281fd01d
- SHA256
  
  d4c42f794660fc88a72901227f235bd0842f876af1d709c3a02fca4a13eb3364
- SHA512
  
  fa17a41b2e52e35a272a8779cf1dd6e32fae87fcec17a777f3909bdbc7e6ee1125b2e06a79d9df22e2d97a3c09e9dd66d87cb78582351f776ad204fef53cf063
- SSDEEP
  
  3072:vCQ0ubemHIuC43ShtsjKEI9VVQb8nIg7y66jbytxFchKPHYz7D/gpEoelpJhH/Sr:vCG/OdlBQoIg7y6KbOFcaHQvlpJhH/s
Score

10^/10

cobaltstrike 0 426352781 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2