cobaltstrike | e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604

General

Target

e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604.exe
Size

6.1MB
MD5

a5975a2be60dba4c3b4379748c8395df
SHA1

d7c3eadee9feb4fb419826a9e664f2bc2c68dcbc
SHA256

e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604
SHA512

2a7feec187aa119d1adfc8a6db467e955febe1324f3c0f46656c1804e21c0af1bc283db15ac172d05b9a2178c078ba62288fbb783a0b20c49f6d1b046843acc9
SSDEEP

196608:yD1qTulzVzGcsRIo6m1Yz2y3+0ZiBu2BbiIMQI0G/:Nu//9o6M42a+0ZmxLMQu

Score

10^/10

cobaltstrike 0 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://154.9.255.31:6666/vSFN

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; qdesk 2.4.1263.203; Windows NT 6.1; WOW64; Trident/5.0)

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://154.9.255.31:6666/pixel.gif

Attributes

access_type
512
host
154.9.255.31,/pixel.gif
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
6666
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDK3rLzrZjUM9JHGk+MkyiweizMh1UN5SghOUGMem0V661GlZU3VFjgj0GjDCZ7n7BB/ZxZlZW3+AyFk84CWktpKLetpsqUQfwVZXXybglwzxC6dgLck3I5vbXIPgyQwgUBW57GNmFiabvB1aCn90NMXnSeNSQypauXKIbsXCYtEwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; LG; LG-E906)
watermark
100000

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604.exe

Executes dropped EXE 1 IoCs

Processes:

ak.exe

pid process

4008 ak.exe
Loads dropped DLL 5 IoCs

Processes:

ak.exe

pid process

4008 ak.exe
4008 ak.exe
4008 ak.exe
4008 ak.exe
4008 ak.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4008	ak.exe

pid	process
4008	ak.exe
4008	ak.exe
4008	ak.exe
4008	ak.exe
4008	ak.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604.exe

description	pid	process	target process
PID 2112 wrote to memory of 4008	2112	e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604.exe	ak.exe
PID 2112 wrote to memory of 4008	2112	e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604.exe	ak.exe

C:\Users\Admin\AppData\Local\Temp\e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604.exe
"C:\Users\Admin\AppData\Local\Temp\e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2112

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\_ctypes.pyd
Filesize
114KB

MD5
f3ee671a420e2b57afb685b6451b0a3e

SHA1
d9e6e9c09532a485d748213d87adbb9cb00a1fbf

SHA256
87a96b342caac2988beadc99fbcb0e800111f403e46876f091cd39e03337a7e2

SHA512
6fa4f28532eeeb6cec0fd03e271e2b5e75f6e647036ad722f9da0f8d0aeb97df8cb46f8f8c9460e4d65b5ddb4a7178ebfce03bea410e64a1927d5823b1004334

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe
Filesize
6.7MB

MD5
4139a1342b752e851e1bce6a09943d2d

SHA1
a8f7fe1eb58ff06786aa974a346af72d86715a27

SHA256
fc6bf4cac4681d5b782f87563e0234995cbcda6717dafd05280884f1bf000f96

SHA512
5c3810c46806ed82f334a5e209ad7220a634abdf089329f6001bec9fa58e9925c03f13808a9274d20e157564f910bc8b9119a226ec6c8b84a722bab63f53ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ffi.dll
Filesize
27KB

MD5
006cc4f6b6fbe03521dc451f4f0a1d28

SHA1
f04ed6572a304d5a4098e6e354518e4c61d7919f

SHA256
812eeff28941d7a7f93cd64ec880eb8e773f613536ccba9d3cb1049dd884b027

SHA512
f0119fc663a0aab7fbfe87519d131ebb539d962b7aa42f82882af29144bb3f1cade8032dedec83d29d3b9da0976e5b3bd8f33a7eae018f1d0ff3fff8b49f3351

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\python311.dll
Filesize
193KB

MD5
3d3381d7603dd86156913e23a334dc58

SHA1
607261f07402654d3a41b1cb83255303c9876199

SHA256
1854b5bab36cc97247533c195d89f7e5cabde66e7c6fbd2d968e1437664ee698

SHA512
7c6961013cbc7729a808c576639f8e93e83387e923a498ea177c3ac0c92b7c89618aea1fa01cc9a8dada447fbe90f932cd3d523ed629e088d0affb720329f2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\python311.dll
Filesize
5.7MB

MD5
34baa8088b479361208b691a87aa5238

SHA1
0034f14fbcb1328dd5a65395f47c00c7ef72cbaf

SHA256
162e8557fbed5f39ae24983ee62b2d435b4796c937d9c1a34371888c7e43af00

SHA512
6900da9a20bcefea0c334f07c758fdce991753dd0f65cc5587800c544110343f9beed7bce8b534b8531db009f1824d3e454157d45a1a95e1dff2472572b6edff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll
Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\zlib.dll
Filesize
85KB

MD5
d00d9d7b9e0215553c30bb974009356b

SHA1
4608882531ad0c106732682cbe746d911c38fc9a

SHA256
54c755e6b90499a5ef49a65ce9472535286fe4db3565a06c4a53f8a4833532dc

SHA512
8795959cdd8525b449193b90cebe81e8ae7876858a6cc706a255c6d2af5696be92e1dc93ef34551b4888b51c1f5dce920d834ef6ff8f8f4693cd4433e488dc56

Download Submit
memory/4008-47-0x000002A501DF0000-0x000002A501DF1000-memory.dmp

Filesize
4KB

Download
memory/4008-48-0x000002A5041A0000-0x000002A5045A0000-memory.dmp

Filesize
4.0MB

Download
memory/4008-49-0x000002A5045A0000-0x000002A5045EF000-memory.dmp

Filesize
316KB

Download
memory/4008-50-0x00007FF6D7AB0000-0x00007FF6D8176000-memory.dmp

Filesize
6.8MB

Download
memory/4008-52-0x000002A5045A0000-0x000002A5045EF000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads