cobaltstrike | 49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458

General

Target

49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe
Size

1.2MB
MD5

a6dab257336a869364d80c621fc6c9d2
SHA1

8229bc04f7057cd031d7ea8b307feb1b406a6bf2
SHA256

49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458
SHA512

98c3f8dfe6e25ba03779528676e0b5232f6b8081a69c5e4358e07bd46ab48aad18c430ae407aaea8ce69e760265976189cc2d94bc6ef349a4b8ab22838954f28
SSDEEP

24576:NGHCm8uPdJfEdancxoWGVNueMahu+LPO1u2KM1:UuWYaNNueMZ+Lm1u1M1

Score

10^/10

cobaltstrike 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://162.209.159.49:80/jquery-3.3.1.min.js

Attributes

access_type
512
dns_idle
1.908702538e+09
host
162.209.159.49,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
jitter
9472
maxdns
255
polling_time
1000
port_number
80
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCX/ASOjYPmnXg9vzuZw67JziFYz5GpIC8PBnfWPrKrQ4z7bqyIwPb8M4r14BFZEEJGFyg1LyNmR02vE/H3O0GedE50hLU+kKqAS6lPQtkf5grX/fhImjKZAO5rhJaQDIOMgT1I7BOtit1kjEsJBYqWiISLJHXdZmVEEzRA8AFG6QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
305419896

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 6 IoCs

Processes:

Mass Domain To Ip Faster.exemass01.comEixiz.exeXmihyiq.exemass01.commass01.com

pid process

2936 Mass Domain To Ip Faster.exe
2612 mass01.com
2380 Eixiz.exe
1692 Xmihyiq.exe
2276 mass01.com
2668 mass01.com

pid	process
2936	Mass Domain To Ip Faster.exe
2612	mass01.com
2380	Eixiz.exe
1692	Xmihyiq.exe
2276	mass01.com
2668	mass01.com

Loads dropped DLL 9 IoCs

Processes:

49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe

pid	process
1732	49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe
1732	49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe
1732	49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe
1732	49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe
1732	49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe
1732	49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe
1732	49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe
1732	49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe
1732	49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

mass01.com

description pid process target process

PID 2612 set thread context of 2668 2612 mass01.com mass01.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Xmihyiq.exe

description pid process

Token: SeDebugPrivilege 1692 Xmihyiq.exe

flow	ioc
2	ip-api.com

description	pid	process	target process
PID 2612 set thread context of 2668	2612	mass01.com	mass01.com

description	pid	process
Token: SeDebugPrivilege	1692	Xmihyiq.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exemass01.comMass Domain To Ip Faster.exe

description	pid	process	target process
PID 1732 wrote to memory of 2936	1732	49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe	Mass Domain To Ip Faster.exe
PID 1732 wrote to memory of 2936	1732	49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe	Mass Domain To Ip Faster.exe
PID 1732 wrote to memory of 2936	1732	49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe	Mass Domain To Ip Faster.exe
PID 1732 wrote to memory of 2936	1732	49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe	Mass Domain To Ip Faster.exe
PID 1732 wrote to memory of 2612	1732	49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe	mass01.com
PID 1732 wrote to memory of 2612	1732	49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe	mass01.com
PID 1732 wrote to memory of 2612	1732	49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe	mass01.com
PID 1732 wrote to memory of 2612	1732	49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe	mass01.com
PID 2612 wrote to memory of 2276	2612	mass01.com	mass01.com
PID 2612 wrote to memory of 2276	2612	mass01.com	mass01.com
PID 2612 wrote to memory of 2276	2612	mass01.com	mass01.com
PID 2612 wrote to memory of 2276	2612	mass01.com	mass01.com
PID 2936 wrote to memory of 2380	2936	Mass Domain To Ip Faster.exe	Eixiz.exe
PID 2936 wrote to memory of 2380	2936	Mass Domain To Ip Faster.exe	Eixiz.exe
PID 2936 wrote to memory of 2380	2936	Mass Domain To Ip Faster.exe	Eixiz.exe
PID 2936 wrote to memory of 2380	2936	Mass Domain To Ip Faster.exe	Eixiz.exe
PID 2936 wrote to memory of 1692	2936	Mass Domain To Ip Faster.exe	Xmihyiq.exe
PID 2936 wrote to memory of 1692	2936	Mass Domain To Ip Faster.exe	Xmihyiq.exe
PID 2936 wrote to memory of 1692	2936	Mass Domain To Ip Faster.exe	Xmihyiq.exe
PID 2612 wrote to memory of 2668	2612	mass01.com	mass01.com
PID 2612 wrote to memory of 2668	2612	mass01.com	mass01.com
PID 2612 wrote to memory of 2668	2612	mass01.com	mass01.com
PID 2612 wrote to memory of 2668	2612	mass01.com	mass01.com
PID 2612 wrote to memory of 2668	2612	mass01.com	mass01.com
PID 2612 wrote to memory of 2668	2612	mass01.com	mass01.com
PID 2612 wrote to memory of 2668	2612	mass01.com	mass01.com
PID 2612 wrote to memory of 2668	2612	mass01.com	mass01.com
PID 2612 wrote to memory of 2668	2612	mass01.com	mass01.com
PID 2612 wrote to memory of 2668	2612	mass01.com	mass01.com
PID 2612 wrote to memory of 2668	2612	mass01.com	mass01.com
PID 2612 wrote to memory of 2668	2612	mass01.com	mass01.com

C:\Users\Admin\AppData\Local\Temp\49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe
"C:\Users\Admin\AppData\Local\Temp\49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732

C:\users\public\Mass Domain To Ip Faster.exe
"C:\users\public\Mass Domain To Ip Faster.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936

C:\Users\Admin\AppData\Local\Temp\Eixiz.exe
"C:\Users\Admin\AppData\Local\Temp\Eixiz.exe"
3⤵
- Executes dropped EXE
PID:2380

C:\Users\Admin\AppData\Local\Temp\Xmihyiq.exe
"C:\Users\Admin\AppData\Local\Temp\Xmihyiq.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\users\public\mass01.com
"C:\users\public\mass01.com"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2612

C:\users\public\mass01.com
C:\users\public\mass01.com
3⤵
- Executes dropped EXE
PID:2276

C:\users\public\mass01.com
C:\users\public\mass01.com
3⤵
- Executes dropped EXE
PID:2668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Eixiz.exe
Filesize
468KB

MD5
4df48bfd2a37bf32f8d1a43a1dc4de62

SHA1
dc6e153e899ddcab4eecf3ac86209071584486db

SHA256
710ba9c215a85b84854f26c6b5e1d34fae6ab5df1f502e0ca3bbdcfa9d2affc7

SHA512
be0a351197d4ed69726ed5f1610f2135134a398d3adcc5dd812e1b5886cb4c8cb350a83e960879f187ed3b073497764256cd393e99eaa8cb574cb9a6ee3b848e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xmihyiq.exe
Filesize
31KB

MD5
2e8c67cbd789e915b6cffecfa3e88f94

SHA1
b83ab6398d966cc2d44e7b291909f8f58bf3cdc2

SHA256
54cd2d01de6ed829ac2b90bfbb1b9ab42b73eba6720928a7aab589c967175e69

SHA512
ab92e2027c7c6a51f71c5da10e07ce9230a83f0c0b5e9cd3a553356ff762012c834a9c46fab62138c8f7f23bf820be88a298a97192661b2845b512392ef13bc7

Download Submit
\Users\Public\Mass Domain To Ip Faster.exe
Filesize
339KB

MD5
bced66c4de780942a9083aba9986fc76

SHA1
d349db04dec38cd9104cf726cfd6fb13e02a3a47

SHA256
29b98f05ce1036044b2654892e98a82c261ac1a9bb6446f7eae9d3ab370b3391

SHA512
d024067ebe80be1916e2638350e9dde25af70ea364905dfc3aed4292734a959b3a611eec7b46dfa07488dd490919619970dd4db62fde8e7544e59a1cfaf73264

Download Submit
\Users\Public\mass01.com
Filesize
624KB

MD5
39663bbdf4f5a246edfe1507e3857922

SHA1
a547d30a40a8ff1fa2b8f77e0ba87fb1b7b74959

SHA256
7bf5cb4227f7aa865bff1c0c2481f644d0dcec643801c4d82a65e47dddef9927

SHA512
926aa17cca2a412b1a1af330946f5265577f582175d2631aa19a1b893bf8af0d3218c7c08617e2c32c9abb345e77fc62b38b68564c238b35c9e07e22802b8252

Download Submit
memory/1692-84-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/1692-59-0x0000000000470000-0x00000000004F0000-memory.dmp

Filesize
512KB

Download
memory/1692-56-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/1692-54-0x00000000001F0000-0x00000000001FE000-memory.dmp

Filesize
56KB

Download
memory/1692-85-0x0000000000470000-0x00000000004F0000-memory.dmp

Filesize
512KB

Download
memory/2380-82-0x0000000000D10000-0x0000000000D50000-memory.dmp

Filesize
256KB

Download
memory/2380-58-0x0000000000D10000-0x0000000000D50000-memory.dmp

Filesize
256KB

Download
memory/2380-83-0x0000000073C90000-0x000000007437E000-memory.dmp

Filesize
6.9MB

Download
memory/2380-52-0x0000000001330000-0x00000000013AA000-memory.dmp

Filesize
488KB

Download
memory/2380-55-0x0000000073C90000-0x000000007437E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-41-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/2612-40-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/2612-34-0x0000000000C00000-0x0000000000CA2000-memory.dmp

Filesize
648KB

Download
memory/2612-35-0x0000000073C90000-0x000000007437E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-37-0x0000000006E70000-0x0000000006FEE000-memory.dmp

Filesize
1.5MB

Download
memory/2612-74-0x0000000073C90000-0x000000007437E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-71-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2668-75-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2668-65-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2668-66-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2668-67-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2668-68-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2668-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2668-63-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2668-62-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2668-64-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2668-76-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2668-77-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2668-79-0x0000000000110000-0x0000000000144000-memory.dmp

Filesize
208KB

Download
memory/2668-81-0x0000000000CB0000-0x0000000001122000-memory.dmp

Filesize
4.4MB

Download
memory/2668-86-0x0000000000CB0000-0x0000000001122000-memory.dmp

Filesize
4.4MB

Download
memory/2936-36-0x00000000009F0000-0x0000000000A4A000-memory.dmp

Filesize
360KB

Download
memory/2936-39-0x00000000004B0000-0x0000000000530000-memory.dmp

Filesize
512KB

Download
memory/2936-57-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2936-38-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing