cobaltstrike | d6e3def28e2023207e6cb251c168a6083c0618e1bf92e2ebff7a870a973d1e4b | Triage

Sharing

General

Target

Anycast_Win.exe
Size

938KB
Sample

240309-qkq9jsgf56
MD5

afc13b80fe07af1fa91274cbd2a91620
SHA1

280d0a2ad6ffe95c4851f329e257ef12624081a7
SHA256

d6e3def28e2023207e6cb251c168a6083c0618e1bf92e2ebff7a870a973d1e4b
SHA512

342c34c96601832a6b0b0f8b9398cc335fe77dd2446af31b3be6cc6e2a2de4cab3d7dc5b42277dbf10950b5f73be97dacdc401ff93357e6eadead4c028fa1706
SSDEEP

12288:j1fxb/hqtLJMNHGE/YxtwwNUGJNAHRGXyJkEtvvMSszwLd10haymDr3qyIYo8f:Rfd/hqtLmNHGE4tcESEYd10haT7I

Score

10^/10

cobaltstrike 0 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://www.mxilws.buzz:8443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
dns_idle
1.908702538e+09
host
www.mxilws.buzz,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAARSG9zdDogbXhpbHdzLmJ1enoAAAAKAAAAHFJlZmVyZXI6IGh0dHA6Ly9teGlsd3MuYnV6ei8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAARSG9zdDogbXhpbHdzLmJ1enoAAAAKAAAAHFJlZmVyZXI6IGh0dHA6Ly9teGlsd3MuYnV6ei8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
jitter
9472
maxdns
255
polling_time
45000
port_number
8443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD0VVBj84W/pQum7jRaDfr2I9gE/rAw8wb8b///OF8E9vrsnXyi99Bt5rkG0df54bbQi5ld4HGlfRM6iI3TnduC0EV0eA7qXay8fYWNcOrK5m+fVMrdjkL4khvVf7QeFxPCUyklfWONcoMGZZ4ty06LKpow07gV3KZ7yMVdoY5tHQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
305419896

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Targets

- Target
  
  Anycast_Win.exe
- Size
  
  938KB
- MD5
  
  afc13b80fe07af1fa91274cbd2a91620
- SHA1
  
  280d0a2ad6ffe95c4851f329e257ef12624081a7
- SHA256
  
  d6e3def28e2023207e6cb251c168a6083c0618e1bf92e2ebff7a870a973d1e4b
- SHA512
  
  342c34c96601832a6b0b0f8b9398cc335fe77dd2446af31b3be6cc6e2a2de4cab3d7dc5b42277dbf10950b5f73be97dacdc401ff93357e6eadead4c028fa1706
- SSDEEP
  
  12288:j1fxb/hqtLJMNHGE/YxtwwNUGJNAHRGXyJkEtvvMSszwLd10haymDr3qyIYo8f:Rfd/hqtLmNHGE4tcESEYd10haT7I
Score

10^/10

cobaltstrike 305419896 backdoor trojan 0
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cobaltstrike305419896backdoortrojan

behavioral2

cobaltstrike0305419896backdoortrojan