cobaltstrike

General

Target

710a147b66554a5a9658aecbd310f62b5394c4c4e2f3f89d4c0613a57accb22c
Size

2.9MB
Sample

240309-j5dqmaeb49
MD5

371013004448f8ebbac1f1716aa8fd92
SHA1

b316ac6f367fc411efdc309a6c027cad884110f5
SHA256

710a147b66554a5a9658aecbd310f62b5394c4c4e2f3f89d4c0613a57accb22c
SHA512

3c71642d3be6981dba4893678719c2111c0ae8c3a6ef8e204b53478fd500ea525a3c19393d5c3601bc0f70b57a2575f33e1e79911eb856a511146052c77a2903
SSDEEP

49152:BGtlq24VwASOM4IU6iDRq2h8Ti6fHXryLjsoc9CjC4J8ugJU1mPt0D44t:EH+1q5NIj1J8NS1JD

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

C2

http://d2ss5ijh3h76v2.cloudfront.net:443/async/Newtab_promos

Attributes

user_agent
Sec-Fetch-Site: none Sec-Fetch-Dest: empty Accept-Language: en-US,en;q=0.5 Host: d2ss5ijh3h76v2.cloudfront.net User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36

Extracted

Family

cobaltstrike

Botnet

426352781

C2

http://d2ss5ijh3h76v2.cloudfront.net:443/access/

Attributes

access_type
512
beacon_type
2048
host
d2ss5ijh3h76v2.cloudfront.net,/access/
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeR2V0Q29udGVudEZlYXR1cmVzLkRMTkEuT1JHOiAxAAAAEAAAACNIb3N0OiBkMnNzNWlqaDNoNzZ2Mi5jbG91ZGZyb250Lm5ldAAAAAoAAABIQ29va2llOiAgX191dG1hPTk0MjI5MjA4OC43NDY0OTQ1MTk1LjIzOTUwMzQ5MTEuNTgwNzA3MzcwNy4yMzMzMzI0MjU3LjA7AAAACQAAAAl2ZXJzaW9uPTQAAAAJAAAADmxpZD0yNTgyMjA1MzUxAAAABwAAAAAAAAAIAAAABQAAAAV0b2tlbgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAQAAAAI0hvc3Q6IGQyc3M1aWpoM2g3NnYyLmNsb3VkZnJvbnQubmV0AAAABwAAAAAAAAAFAAAAA3JpZAAAAAkAAAAObGlkPTE5MzA0NDUxNDYAAAAJAAAAH21ldGhvZD1nZXRTZWFyY2hSZWNvbW1lbmRhdGlvbnMAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
900
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCBMLynlrtLB5yeViLbEg+jTpowwBiXeAGsVgAirB0HdEgkew3+CTIfNgjczVRHvRPBFKFbWlOBm6oEwrohSWUKdvbkabxbKqqxYwCErVQ0/CCI/Q9co2NghfdzU0fKtjRWDo+lgYkQ8ZNf5AgNHoKatS2zorGp7T/fqCjgtivHbwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
7.382016e+08
unknown2
AAAABAAAAAIAAAAQAAAAAgAAABAAAAACAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/radio/xmlrpc/v35
user_agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
watermark
426352781

Targets

- Target
  
  710a147b66554a5a9658aecbd310f62b5394c4c4e2f3f89d4c0613a57accb22c
- Size
  
  2.9MB
- MD5
  
  371013004448f8ebbac1f1716aa8fd92
- SHA1
  
  b316ac6f367fc411efdc309a6c027cad884110f5
- SHA256
  
  710a147b66554a5a9658aecbd310f62b5394c4c4e2f3f89d4c0613a57accb22c
- SHA512
  
  3c71642d3be6981dba4893678719c2111c0ae8c3a6ef8e204b53478fd500ea525a3c19393d5c3601bc0f70b57a2575f33e1e79911eb856a511146052c77a2903
- SSDEEP
  
  49152:BGtlq24VwASOM4IU6iDRq2h8Ti6fHXryLjsoc9CjC4J8ugJU1mPt0D44t:EH+1q5NIj1J8NS1JD
Score

10^/10

cobaltstrike 426352781 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2