cobaltstrike | efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876

General

Target

efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe
Size

3.4MB
MD5

112e6b1a7fa7ce6b2679a2fcdba7570a
SHA1

8b38f0e256a98d713b09d78c1d1ff69b502b9577
SHA256

efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876
SHA512

b604d4c5d77d98c532e304f33729b92d94b5800745f38e116f038d276b6ceaa9912ac15b62f1a69e4bab286eb884b8137d3dd442301c6a602ae5e2d29096223e
SSDEEP

49152:wI1BMSvHH9sufzgtSN9t9/y8MH31Q+QVc5GxJxn+mqEvzHyZsUocVIIR6qW+LKNR:wDSvxrg+t9/ypFQ+QuKJ9TyZ9JKz

Score

10^/10

cobaltstrike 0 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://154.9.255.31:6666/vSFN

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; qdesk 2.4.1263.203; Windows NT 6.1; WOW64; Trident/5.0)

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://154.9.255.31:6666/pixel.gif

Attributes

access_type
512
host
154.9.255.31,/pixel.gif
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
6666
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDK3rLzrZjUM9JHGk+MkyiweizMh1UN5SghOUGMem0V661GlZU3VFjgj0GjDCZ7n7BB/ZxZlZW3+AyFk84CWktpKLetpsqUQfwVZXXybglwzxC6dgLck3I5vbXIPgyQwgUBW57GNmFiabvB1aCn90NMXnSeNSQypauXKIbsXCYtEwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; LG; LG-E906)
watermark
100000

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe

Executes dropped EXE 2 IoCs

Processes:

ak.exeak.exe

pid process

4508 ak.exe
4900 ak.exe
Loads dropped DLL 4 IoCs

Processes:

ak.exe

pid process

4900 ak.exe
4900 ak.exe
4900 ak.exe
4900 ak.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4508	ak.exe
4900	ak.exe

pid	process
4900	ak.exe
4900	ak.exe
4900	ak.exe
4900	ak.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exeak.exe

description	pid	process	target process
PID 3376 wrote to memory of 4508	3376	efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe	ak.exe
PID 3376 wrote to memory of 4508	3376	efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe	ak.exe
PID 4508 wrote to memory of 4900	4508	ak.exe	ak.exe
PID 4508 wrote to memory of 4900	4508	ak.exe	ak.exe

C:\Users\Admin\AppData\Local\Temp\efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe
"C:\Users\Admin\AppData\Local\Temp\efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3376

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508

C:\Users\Admin\AppData\Local\Temp\onefile_4508_133527584010422185\ak.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4900

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe
Filesize
3.2MB

MD5
1e9f06ff572008ae0fe723c01a19f51f

SHA1
80623cbd7d7ad0cc539fcc42e0fa5a2f4a6d1193

SHA256
d0a790d8c8fa9147b6fd6d5bf0ef3c2a8907ec17eeb384dcc9b2611044928802

SHA512
7b9d4a9294b931e5efdc02a86336ee8daa4cad83e0c8aa49f148ae3040e819ea483837614a22f66c033d025b6e9106c0198caf1f51db8b3c261c16a024063d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\日记.txt
Filesize
26KB

MD5
839e6d240e7f072b5b101d803c4b3be3

SHA1
b77a5649de8f5c146bc80773e6b61b62dd94fed0

SHA256
561130e97c3f5434d25c0e224168ee2dab5f79a7863796ad2aeb28061de352c1

SHA512
a668511cdceab97fc01d6645fe0aa7331752393f19969886aa4639d8d2d1a7a1745ecb3bda73ee0bfa1a17e430888c91ad4b0a0ac54edbd26267126c70b394cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4508_133527584010422185\VCRUNTIME140.dll
Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4508_133527584010422185\_ctypes.pyd
Filesize
120KB

MD5
462fd515ca586048459b9d90a660cb93

SHA1
06089f5d5e2a6411a0d7b106d24d5203eb70ec60

SHA256
bf017767ac650420487ca3225b3077445d24260bf1a33e75f7361b0c6d3e96b4

SHA512
67851bdbf9ba007012b89c89b86fd430fce24790466fefbb54431a7c200884fc9eb2f90c36d57acd300018f607630248f1a3addc2aa5f212458eb7a5c27054b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4508_133527584010422185\ak.exe
Filesize
3.7MB

MD5
97922953ecfb1e38feceae49f5a1f4bf

SHA1
8080acd9863c61752b01af27671e459071aac66c

SHA256
bc11e0801675911e2f36d8e61859762c1b7a2c9b3ce173cf65b3c37a3f9f5579

SHA512
5a38fc28a137aac0028a002a5c42a31bccbbcb869762f8bf18dcdb5e4af447050bd3130c8880f37df188cc19307e1c0b9597870243307893637b9501f82c711b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4508_133527584010422185\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4508_133527584010422185\python310.dll
Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit
memory/4508-32-0x00007FF6AF310000-0x00007FF6AF65C000-memory.dmp

Filesize
3.3MB

Download
memory/4900-29-0x00000200EEE70000-0x00000200EEE71000-memory.dmp

Filesize
4KB

Download
memory/4900-30-0x00000200F1220000-0x00000200F1620000-memory.dmp

Filesize
4.0MB

Download
memory/4900-31-0x00000200F1620000-0x00000200F166F000-memory.dmp

Filesize
316KB

Download
memory/4900-33-0x00007FF662C80000-0x00007FF663037000-memory.dmp

Filesize
3.7MB

Download
memory/4900-36-0x00000200F1620000-0x00000200F166F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads