cobaltstrike | d0fccd23ea88c3f50248696c43d3a6b4a3ff957094956e24956204e5eb5687cf

Analysis

max time kernel
141s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Compressed/zzjt.exe
Size

11.8MB
MD5

7ac31190bf802d29201d85b95a7a979c
SHA1

88c4681ad9268570af2fec3fc50d489500504ffa
SHA256

c020df0b77f8dfa62f37ed491e39a34dba15299f7ad448c69fd3ae9c57dccace
SHA512

00e2156e4ab85617cae29eb22a02724c08b5848797fb0a6bf9be44a3f25eae901a6a6156097a224aa0b44361bbc70b1fce77d409e5f7abfcec331619f1ddba8f
SSDEEP

196608:mW9bTm1k8hkEI/F5D/SFGK1c1W903eV4QRJ993iObM9SEKuLmh6TnW6KJSPG:19bTm28hQfuwW+eGQRT93iOb9cL468Jf

Score

10^/10

cobaltstrike 987654321 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

987654321

http://74.211.105.140:65443/image/

Attributes

access_type
512
beacon_type
2048
host
74.211.105.140,/image/
http_header1
AAAACgAAAEhBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKmw7cT0wLjgAAAAKAAAAHlJlZmVyZXI6IGh0dHA6Ly93d3cuZ29vZ2xlLmNvbQAAAAoAAAAQUHJhZ21hOiBuby1jYWNoZQAAAAoAAAAXQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUAAAAHAAAAAAAAAAgAAAABAAAABC5qcGcAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAoAAAAeUmVmZXJlcjogaHR0cDovL3d3dy5nb29nbGUuY29tAAAACgAAABBQcmFnbWE6IG5vLWNhY2hlAAAACgAAABdDYWNoZS1Db250cm9sOiBuby1jYWNoZQAAAAcAAAAAAAAACwAAAAEAAAAELnBuZwAAAAwAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
65443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCo6gjeiOv8ikX8LQ2BCTJHeb2MEsiBxqr6QSSAeosvjFwuNgkR5vYGdSCXPqEO2SXE6rhSsJ2RfvmK49TsMoyOXFvLDHIQUzWdc114peOCH6x/5Zc7dGtq6OUeQN2j2PrUY3N/ggHA++sNQLbX/KnOXTzDHUqFh04+Utxb5dAyhwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/email/
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
watermark
987654321

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 13 IoCs

Processes:

zzjt.exe

pid	process
1032	zzjt.exe
1032	zzjt.exe
1032	zzjt.exe
1032	zzjt.exe
1032	zzjt.exe
1032	zzjt.exe
1032	zzjt.exe
1032	zzjt.exe
1032	zzjt.exe
1032	zzjt.exe
1032	zzjt.exe
1032	zzjt.exe
1032	zzjt.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

zzjt.exe

description pid process target process

PID 3444 wrote to memory of 1032 3444 zzjt.exe zzjt.exe
PID 3444 wrote to memory of 1032 3444 zzjt.exe zzjt.exe

description	pid	process	target process
PID 3444 wrote to memory of 1032	3444	zzjt.exe	zzjt.exe
PID 3444 wrote to memory of 1032	3444	zzjt.exe	zzjt.exe

C:\Users\Admin\AppData\Local\Temp\Compressed\zzjt.exe
"C:\Users\Admin\AppData\Local\Temp\Compressed\zzjt.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3444

C:\Users\Admin\AppData\Local\Temp\Compressed\zzjt.exe
"C:\Users\Admin\AppData\Local\Temp\Compressed\zzjt.exe"
2⤵
- Loads dropped DLL
PID:1032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4000 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:4192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI34442\VCRUNTIME140.dll
Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34442\_cffi_backend.cp311-win_amd64.pyd
Filesize
177KB

MD5
fde9a1d6590026a13e81712cd2f23522

SHA1
ca99a48caea0dbaccf4485afd959581f014277ed

SHA256
16eccc4baf6cf4ab72acd53c72a1f2b04d952e07e385e9050a933e78074a7d5b

SHA512
a522661f5c3eeea89a39df8bbb4d23e6428c337aac1d231d32b39005ea8810fce26af18454586e0e94e51ea4ac0e034c88652c1c09b1ed588aeac461766981f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34442\_ctypes.pyd
Filesize
120KB

MD5
22c4892caf560a3ee28cf7f210711f9e

SHA1
b30520fadd882b667ecef3b4e5c05dc92e08b95a

SHA256
e28d4e46e5d10b5fdcf0292f91e8fd767e33473116247cd5d577e4554d7a4c0c

SHA512
edb86b3694fff0b05318decf7fc42c20c348c1523892cce7b89cc9c5ab62925261d4dd72d9f46c9b2bda5ac1e6b53060b8701318b064a286e84f817813960b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34442\_hashlib.pyd
Filesize
63KB

MD5
c888ecc8298c36d498ff8919cebdb4e6

SHA1
f904e1832b9d9614fa1b8f23853b3e8c878d649d

SHA256
21d59958e2ad1b944c4811a71e88de08c05c5ca07945192ab93da5065fac8926

SHA512
7161065608f34d6de32f2c70b7485c4ee38cd3a41ef68a1beacee78e4c5b525d0c1347f148862cf59abd9a4ad0026c2c2939736f4fc4c93e6393b3b53aa7c377

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34442\_socket.pyd
Filesize
77KB

MD5
2c0ec225e35a0377ac1d0777631bffe4

SHA1
7e5d81a06ff8317af52284aedccac6ebace5c390

SHA256
301c47c4016dac27811f04f4d7232f24852ef7675e9a4500f0601703ed8f06af

SHA512
aea9d34d9e93622b01e702defd437d397f0e7642bc5f9829754d59860b345bbde2dd6d7fe21cc1d0397ff0a9db4ecfe7c38b649d33c5c6f0ead233cb201a73e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34442\base_library.zip
Filesize
1.8MB

MD5
0a45a07fd73c29e66702b23d08c99e16

SHA1
f7283bea61fb5b836219e9fc63905e984e5b5b60

SHA256
57640f81ed34cb1f17f22472254cc721ccd300fd92ba1c1208cb959885154e97

SHA512
adaa6030e0da342816868a9f05018ee408d1e3e6e36eb1da86e65b98bcc96baeec2283ad429ee5ff478253627bb37b3c057a19bddefffb18485819a442ac7870

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34442\cryptography\hazmat\bindings\_rust.pyd
Filesize
6.2MB

MD5
e254d41da688f8d7bc0c373c6642f82e

SHA1
3484a9398f84f6a726db58d53f4ba3fb579f524c

SHA256
5c79f0e9b6a4e634c8f4e5741a68d2ae8ae4793be2f0efdb423df883a4d57347

SHA512
bc317422d8fc5d58a0ebdbb4731332260903be3898eedf4788cfade0fb1a1283b89abcb9bb10619a1c7cb39cd9f0c52dace206bb539e55c9b422fd83f8f1ac00

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34442\libcrypto-3.dll
Filesize
4.9MB

MD5
51e8a5281c2092e45d8c97fbdbf39560

SHA1
c499c810ed83aaadce3b267807e593ec6b121211

SHA256
2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a

SHA512
98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34442\libffi-8.dll
Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34442\python3.DLL
Filesize
65KB

MD5
d8ba00c1d9fcc7c0abbffb5c214da647

SHA1
5fa9d5700b42a83bfcc125d1c45e0111b9d62035

SHA256
e45452efa356db874f2e5ff08c9cc0fe22528609e5d341f8fb67ba48885ab77d

SHA512
df1b714494856f618a742791eefbf470b2eee07b51d983256e4386ea7d48da5c7b1e896f222ea55a748c9413203886cde3a65ef9e7ea069014fa626f81d79cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34442\python311.dll
Filesize
5.5MB

MD5
65e381a0b1bc05f71c139b0c7a5b8eb2

SHA1
7c4a3adf21ebcee5405288fc81fc4be75019d472

SHA256
53a969094231b9032abe4148939ce08a3a4e4b30b0459fc7d90c89f65e8dcd4a

SHA512
4db465ef927dfb019ab6faec3a3538b0c3a8693ea3c2148fd16163bf31c03c899dfdf350c31457edf64e671e3cc3e46851f32f0f84b267535bebc4768ef53d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34442\select.pyd
Filesize
29KB

MD5
8472d39b9ee6051c961021d664c7447e

SHA1
b284e3566889359576d43e2e0e99d4acf068e4fb

SHA256
8a9a103bc417dede9f6946d9033487c410937e1761d93c358c1600b82f0a711f

SHA512
309f1ec491d9c39f4b319e7ce1abdedf11924301e4582d122e261e948705fb71a453fec34f63df9f9abe7f8cc2063a56cd2c2935418ab54be5596aadc2e90ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34442\ucrtbase.dll
Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
memory/1032-92-0x00000228828A0000-0x00000228828E4000-memory.dmp

Filesize
272KB

Download
memory/1032-93-0x00000228828F0000-0x0000022882942000-memory.dmp

Filesize
328KB

Download
memory/1032-94-0x0000022882C40000-0x0000022882C42000-memory.dmp

Filesize
8KB

Download
memory/1032-95-0x00000228828F0000-0x0000022882942000-memory.dmp

Filesize
328KB

Download