Overview

overview

10

Static

static

3

4af1d688f3...84.exe

windows7-x64

10

4af1d688f3...84.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    20-03-2024 19:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4af1d688f34b4d02d68ea5670c8a1fb816bc5dc50d3bccfe132c32ed228b5584.exe

  • Size

    281KB

  • MD5

    ce3bf17564dafc8d05b5fc331bbfba01

  • SHA1

    1836ec38c3ba748edf70430ff236530228b8bdc9

  • SHA256

    4af1d688f34b4d02d68ea5670c8a1fb816bc5dc50d3bccfe132c32ed228b5584

  • SHA512

    22cd6fafd08a8ad93af383b7dee547425d117f50e56695fb5946380262a36ca5256186344f7bd82701e143ac0042a9c1b9790ca902fe339487f8a87d51bff077

  • SSDEEP

    6144:3C+CQ6TOj3//0A+XLS3jeIvZmtd8N6pAhn1aI:9YTOz/wqktd8GAhf

Score
10/10
cobaltstrike0100000backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://192.168.198.190:5678/load

Attributes
  • access_type

    512

  • host

    192.168.198.190,/load

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    5678

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAe9dtlT9pOxenoDqDG/tfc+3n5yTggilZWyDVGhihcrWi5ktQlgiR2Sxosu+5llwcask46Xcv08rLhp8z86vA7rdP1MWEWtRSMtmjxKrALJrWqvqr/sgjhDgjGkr/T3GLO0qFYh7kT+IerFcXn+THHMURD8cMNJlXjo1vWXru2QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)

  • watermark

    100000

Extracted

Family

cobaltstrike

Botnet

0

Attributes
  • watermark

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Detects Reflective DLL injection artifacts 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4af1d688f34b4d02d68ea5670c8a1fb816bc5dc50d3bccfe132c32ed228b5584.exe
    "C:\Users\Admin\AppData\Local\Temp\4af1d688f34b4d02d68ea5670c8a1fb816bc5dc50d3bccfe132c32ed228b5584.exe"
    1⤵
      PID:1368

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1368-0-0x00000000002C0000-0x0000000000301000-memory.dmp
      Filesize

      260KB

      Download
    • memory/1368-1-0x0000000000310000-0x000000000035F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1368-2-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1368-4-0x0000000000310000-0x000000000035F000-memory.dmp
      Filesize

      316KB

      Download