cobaltstrike

General

Target

7138315216e0d606751b7bf6ad1717749b8c4a292aa5bf66ead0c2451f0132e5
Size

4.5MB
Sample

240402-l2s29aec26
MD5

40145ad34464cc259810d208be2bffa5
SHA1

995d660b71f8dce46be5df45c35d703f76df1a4b
SHA256

7138315216e0d606751b7bf6ad1717749b8c4a292aa5bf66ead0c2451f0132e5
SHA512

b74bec3d851bc2c6ab8a420bd6e45eaba2f11cb6dda43727a5698b81ec838352db31f8df95cd459c60245c0f8a3880c4fdc1ead6b46aaa2eaa924819e70b581d
SSDEEP

24576:kB4kdxwvqt9y9t26Lk6/C+ERuKrnntBU53setyRjbHxI8W41ew9z3IsmiofxIDfM:HqGvqt9ktOEi5+Co

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

391144938

C2

http://192.168.2.108:443/load

Attributes

access_type
512
beacon_type
2048
host
192.168.2.108,/load
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCviX8Tul+1D8NGaL4kc+7/LZfj60KBG/Bpfl5tfRHMEIDfdt7Us100kF04hQx22jU5Z7vjOYC61tb6Q5h+ZD5WLcR7yMnFMuWXo186sBwpiV/tzT+kvxQ2lP47IOCflc0nId43vi/gflSDv6jxZqKpnk+gKQAntdALhJTAyNW1qQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM; MANM)
watermark
391144938

Targets

- Target
  
  7138315216e0d606751b7bf6ad1717749b8c4a292aa5bf66ead0c2451f0132e5
- Size
  
  4.5MB
- MD5
  
  40145ad34464cc259810d208be2bffa5
- SHA1
  
  995d660b71f8dce46be5df45c35d703f76df1a4b
- SHA256
  
  7138315216e0d606751b7bf6ad1717749b8c4a292aa5bf66ead0c2451f0132e5
- SHA512
  
  b74bec3d851bc2c6ab8a420bd6e45eaba2f11cb6dda43727a5698b81ec838352db31f8df95cd459c60245c0f8a3880c4fdc1ead6b46aaa2eaa924819e70b581d
- SSDEEP
  
  24576:kB4kdxwvqt9y9t26Lk6/C+ERuKrnntBU53setyRjbHxI8W41ew9z3IsmiofxIDfM:HqGvqt9ktOEi5+Co
Score

10^/10

cobaltstrike 391144938 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Checks computer location settings

Executes dropped EXE

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2