cobaltstrike | d8273396d4cb1b0c0b711744573cdc4f6b8351132acff93c0a080ebfe151853a | Triage

Sharing

General

Target

Anycast_Win.exe
Size

940KB
Sample

240309-pwr5jsfh32
MD5

04db25ace2160f550022e8ebdf36a4b8
SHA1

ad70cbab796f4ef01703a40e2b0173b834f0292e
SHA256

d8273396d4cb1b0c0b711744573cdc4f6b8351132acff93c0a080ebfe151853a
SHA512

53a59ea413fcfc8602f022216f87b2b4e527b46f4911cda3370a7b7ec8439f8912589e4c7b49c99032437c4405dcc0cc34c624b26afc2f57fe3c4db60125cad4
SSDEEP

12288:DtyYdauIaZgsNxgmnCErYBljrcMLpBeHP2SrVegqkBbAUSZLdmZmIKcp:gY3IaZgsNqmnCEMlgVAUSZLdm

Score

10^/10

cobaltstrike 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://www.mxilws.buzz:8443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
dns_idle
1.908702538e+09
host
www.mxilws.buzz,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAARSG9zdDogbXhpbHdzLmJ1enoAAAAKAAAAHFJlZmVyZXI6IGh0dHA6Ly9teGlsd3MuYnV6ei8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAARSG9zdDogbXhpbHdzLmJ1enoAAAAKAAAAHFJlZmVyZXI6IGh0dHA6Ly9teGlsd3MuYnV6ei8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
jitter
9472
maxdns
255
polling_time
45000
port_number
8443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD0VVBj84W/pQum7jRaDfr2I9gE/rAw8wb8b///OF8E9vrsnXyi99Bt5rkG0df54bbQi5ld4HGlfRM6iI3TnduC0EV0eA7qXay8fYWNcOrK5m+fVMrdjkL4khvVf7QeFxPCUyklfWONcoMGZZ4ty06LKpow07gV3KZ7yMVdoY5tHQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
305419896

Targets

- Target
  
  Anycast_Win.exe
- Size
  
  940KB
- MD5
  
  04db25ace2160f550022e8ebdf36a4b8
- SHA1
  
  ad70cbab796f4ef01703a40e2b0173b834f0292e
- SHA256
  
  d8273396d4cb1b0c0b711744573cdc4f6b8351132acff93c0a080ebfe151853a
- SHA512
  
  53a59ea413fcfc8602f022216f87b2b4e527b46f4911cda3370a7b7ec8439f8912589e4c7b49c99032437c4405dcc0cc34c624b26afc2f57fe3c4db60125cad4
- SSDEEP
  
  12288:DtyYdauIaZgsNxgmnCErYBljrcMLpBeHP2SrVegqkBbAUSZLdmZmIKcp:gY3IaZgsNqmnCEMlgVAUSZLdm
Score

10^/10

cobaltstrike 305419896 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cobaltstrike305419896backdoortrojan

behavioral2

cobaltstrike305419896backdoortrojan