cobaltstrike | 34e7482d689429745dd3866caf5ddd5de52a179db7068f6b545ff51542abb76c | Triage

Sharing

General

Target

inform.iso
Size

1.2MB
Sample

240308-1tg3cagg69
MD5

4af2a3d07062d5d28dad7d3a6dfb0b4b
SHA1

c841e9cc56735a353e0e52c7a81fe9ca3bfe4aac
SHA256

34e7482d689429745dd3866caf5ddd5de52a179db7068f6b545ff51542abb76c
SHA512

3559c57afc6e85c1d5dfea64f5a22b87cfba38877feb877ff2960886422413498d3dedd42df9ba712a0bd187bf8f01941a92f9d26a9714bb32262809a9cd3074
SSDEEP

3072:NaIhrdRZoUa294RWQfNKfleJxWJFT7rT16H09Ho78xjtAhF8+Fg:N3RNaUGWQfBx4A0dXqhFfF

Score

10^/10

cobaltstrike 1359593325 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1359593325

C2

http://theskoolieblog.com:443/blog/2019/1q

Attributes

access_type
512
beacon_type
2048
host
theskoolieblog.com,/blog/2019/1q
http_header1
AAAACgAAABdDb250ZW50LVR5cGU6IHRleHQvaHRtbAAAAAoAAAAXQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUAAAAHAAAAAAAAAAgAAAABAAAABC50eHQAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACFDb250ZW50LVR5cGU6IG11bHRpcGFydC9mb3JtLWRhdGEAAAAKAAAAF0NhY2hlLUNvbnRyb2w6IG5vLWNhY2hlAAAABwAAAAAAAAALAAAAAQAAAAcvdXBsb2FkAAAADAAAAAcAAAABAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
7680
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmvg7ZMKuOy4b6zWQZu+OPtbyHRJvw2SFM1xPY8rgejFcFyo5c0JZTdjIsn1/P29ZHyiCMAuyxMFk9UWg3sWeZKknb1v6+NFQcMLyYjctXQuOnpEVJ17M2T+iOkUvMoBwBdWaNEPTDbJS8M+NIGXgkYR60ozQfEMWwIICwK89i+wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/login/form/w
user_agent
Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
watermark
1359593325

Targets

- Target
  
  bin/WinScrollbarForUninitialize.dll
- Size
  
  218KB
- MD5
  
  8716cec33a4fea1c00d57c4040945d9e
- SHA1
  
  301c94571cc0795c54f6ea7e20a453436133ad03
- SHA256
  
  e8da0c4416f4353aad4620b5a83ff84d6d8b9b8a748fdbe96d8a4d02a4a1a03c
- SHA512
  
  89fef3971120d0e4bc676d89db7bf2992ba4316b5a628397b04cf8fc299d130fabb523d990ff7aafd6c956ab62583f33ebee26543fe6abeefc319838125cc517
- SSDEEP
  
  3072:NaIhrdRZoUa294RWQfNKfleJxWJFT7rT16H09Ho78xjtAhF8+Fg:N3RNaUGWQfBx4A0dXqhFfF
Score

1^/10
behavioral1 behavioral2
- Target
  
  information.lnk
- Size
  
  1KB
- MD5
  
  c23f1af6d1724324f866fe68634396f9
- SHA1
  
  959c824fab3cc38ac605553d39aa57bef559befd
- SHA256
  
  e5de12f16af0b174537bbdf779b34a7c66287591323c2ec86845cecdd9d57f53
- SHA512
  
  0ac868487c47f873ab86d37545954dbf82f15d77b6495160d6b6ce1e6d7fe4e473da991e61d8a5f922534d3e221ef51b0d817bb3c108885b4b38d0902942eaab
Score

10^/10

cobaltstrike 1359593325 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

cobaltstrike1359593325backdoortrojan