cobaltstrike | 49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458 | Triage

Sharing

General

Target

49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458
Size

1.2MB
Sample

240305-byr1nsbc76
MD5

a6dab257336a869364d80c621fc6c9d2
SHA1

8229bc04f7057cd031d7ea8b307feb1b406a6bf2
SHA256

49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458
SHA512

98c3f8dfe6e25ba03779528676e0b5232f6b8081a69c5e4358e07bd46ab48aad18c430ae407aaea8ce69e760265976189cc2d94bc6ef349a4b8ab22838954f28
SSDEEP

24576:NGHCm8uPdJfEdancxoWGVNueMahu+LPO1u2KM1:UuWYaNNueMZ+Lm1u1M1

Score

10^/10

cobaltstrike 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://162.209.159.49:80/jquery-3.3.1.min.js

Attributes

access_type
512
dns_idle
1.908702538e+09
host
162.209.159.49,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
jitter
9472
maxdns
255
polling_time
1000
port_number
80
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCX/ASOjYPmnXg9vzuZw67JziFYz5GpIC8PBnfWPrKrQ4z7bqyIwPb8M4r14BFZEEJGFyg1LyNmR02vE/H3O0GedE50hLU+kKqAS6lPQtkf5grX/fhImjKZAO5rhJaQDIOMgT1I7BOtit1kjEsJBYqWiISLJHXdZmVEEzRA8AFG6QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
305419896

Targets

- Target
  
  49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458
- Size
  
  1.2MB
- MD5
  
  a6dab257336a869364d80c621fc6c9d2
- SHA1
  
  8229bc04f7057cd031d7ea8b307feb1b406a6bf2
- SHA256
  
  49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458
- SHA512
  
  98c3f8dfe6e25ba03779528676e0b5232f6b8081a69c5e4358e07bd46ab48aad18c430ae407aaea8ce69e760265976189cc2d94bc6ef349a4b8ab22838954f28
- SSDEEP
  
  24576:NGHCm8uPdJfEdancxoWGVNueMahu+LPO1u2KM1:UuWYaNNueMZ+Lm1u1M1
Score

10^/10

cobaltstrike 305419896 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cobaltstrike305419896backdoortrojan

behavioral2

cobaltstrike305419896backdoortrojan