cobaltstrike | a0f55128d1d5ac30024d68cf855b7c19b5a81a6a9115d15d1226175e4ea86265 | Triage

Sharing

General

Target

a0f55128d1d5ac30024d68cf855b7c19b5a81a6a9115d15d1226175e4ea86265
Size

3.2MB
Sample

240403-lz35fabg81
MD5

378b90f5774cf6576a14eae2ebfc4325
SHA1

b35d2c0e201c3745ec43b20c5f714c6077d59c0d
SHA256

a0f55128d1d5ac30024d68cf855b7c19b5a81a6a9115d15d1226175e4ea86265
SHA512

a2ee4f716d0a1e35e3e2639b13221ed85fe57857711e584b8b2dd13e8b0681472b983232f9a12e9739faea130d951e75f709e22a866a8933e15e8e38ad803c01
SSDEEP

49152:pBZJc9NQBdNlA7dOZex9bwXzKWRMaCu5O+QyXCXm5SS7R9z:/ZJcG7f

Score

10^/10

cobaltstrike 391144938 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

391144938

C2

http://192.168.2.108:443/load

Attributes

access_type
512
beacon_type
2048
host
192.168.2.108,/load
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCviX8Tul+1D8NGaL4kc+7/LZfj60KBG/Bpfl5tfRHMEIDfdt7Us100kF04hQx22jU5Z7vjOYC61tb6Q5h+ZD5WLcR7yMnFMuWXo186sBwpiV/tzT+kvxQ2lP47IOCflc0nId43vi/gflSDv6jxZqKpnk+gKQAntdALhJTAyNW1qQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM; MANM)
watermark
391144938

Targets

- Target
  
  a0f55128d1d5ac30024d68cf855b7c19b5a81a6a9115d15d1226175e4ea86265
- Size
  
  3.2MB
- MD5
  
  378b90f5774cf6576a14eae2ebfc4325
- SHA1
  
  b35d2c0e201c3745ec43b20c5f714c6077d59c0d
- SHA256
  
  a0f55128d1d5ac30024d68cf855b7c19b5a81a6a9115d15d1226175e4ea86265
- SHA512
  
  a2ee4f716d0a1e35e3e2639b13221ed85fe57857711e584b8b2dd13e8b0681472b983232f9a12e9739faea130d951e75f709e22a866a8933e15e8e38ad803c01
- SSDEEP
  
  49152:pBZJc9NQBdNlA7dOZex9bwXzKWRMaCu5O+QyXCXm5SS7R9z:/ZJcG7f
Score

10^/10

cobaltstrike 391144938 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

cobaltstrike391144938backdoortrojan