cobaltstrike

Sharing

Copy URL

Twitter E-mail

General

Target

8de600a88650d22bad284c4c8a2ee009795117d3389248f4104420dce11b9a0b
Size

1.4MB
Sample

240408-rfhmaaec5z
MD5

4bdc46c58367ed5abb02d667be3fc88f
SHA1

3a3a901f711f6b00ea1ef6a43691c96045571a8b
SHA256

8de600a88650d22bad284c4c8a2ee009795117d3389248f4104420dce11b9a0b
SHA512

4a289038be4879a7514dc4cdceb4f379c62d1afbc19a121038cbd168d69d5612243c709b15459573044a2790406f12c945a63d721fccdf5e3c04aa22093b832f
SSDEEP

24576:RvcNkfnDVfcgBDYGNIImc9+ZTwpnBDxzxSTpPCCbyvOX8b6Kei2cV8:VekfnD5cgBE6WOBDxzxmMCbeb6jiPu

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

http://consumer-img.huawei.com:80/lib/v2/wcp-consent.js

Attributes

access_type
512
host
consumer-img.huawei.com,/lib/v2/wcp-consent.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAaSG9zdDogc3RhdGljLm1pY3Jvc29mdC5jb20AAAAKAAAAJlJlZmVyZXI6IGh0dHBzOi8vc3RhdGljLm1pY3Jvc29mdC5jb20vAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAA0AAAACAAAACF9fbXMtY3Y9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogY2RuLmJvb3Rjc3MuY29tAAAACgAAACBSZWZlcmVyOiBodHRwOi8vY2RuLmJvb3Rjc3MuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAANAAAABQAAAAdfX21zLWN2AAAABwAAAAEAAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
30000
port_number
80
sc_process32
%windir%\syswow64\runonce.exe
sc_process64
%windir%\sysnative\runonce.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJKQv1XF4Cmh2xywEarCa/bP0HPP+UFEQJHMOo5NsyVYvAVfHd59D4LmvVhtB6dvdqdkLUunc6NQljbO4D42xMOrFI41rqlbFibjEJQYX58RbZvjS1bhHVKa9XdQIQRpuk3eWO4Pk+iGyM1gHKjyZT+PV5lhUp1aBwAUirc7UnEQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.448416512e+09
unknown2
AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/lib/v2/recaptcha__en.js
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
watermark
100000

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Targets

- Target
  
  xshell软件排查结果反馈/xshell软件排查结果反馈.docx.lnk
- Size
  
  1KB
- MD5
  
  dcf3d59f84590bf4195d3e42d1f229be
- SHA1
  
  f219a6fbb04f2513e109e22269f839121c072fc7
- SHA256
  
  82bf7ba9e947c1dc93032278c52f32b20a026cd05f3195ef08cf9a31be75a5b2
- SHA512
  
  724d3225699af65b645b2c0ed7e8116f5a392c77018acbe2da0901cc76b4341546bf8f629325916fa6980e8054775c7160c6abce58c6c9637e927a2ece769a5c
Score

10^/10

cobaltstrike 0 100000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2
- Target
  
  xshell软件排查结果反馈/其他材料/.__MACOSX__/.__MACOS__/._MACOS_/cs.vbs
- Size
  
  291B
- MD5
  
  4b0fa4b7a9b2eff999b0cce9e5ac7925
- SHA1
  
  6e0c89d5c77126de53f6fcbee0596c1b5ef9c2a6
- SHA256
  
  3327ee66d0892199aa9eb7917c961b3266a5f90695baa6728c50b0c2ff8a9099
- SHA512
  
  79aca7bf5f180242fd21ad3c9e339b19183c66d1d0343c62c49eba33c246f2e142171e1096b786ba833ae24d98fe57c8b7d960b469a28d9ccc1484e49c1af2f6
Score

10^/10

cobaltstrike 100000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral3 behavioral4
- Target
  
  xshell软件排查结果反馈/其他材料/.__MACOSX__/.__MACOS__/._MACOS_/mc.dll
- Size
  
  4.8MB
- MD5
  
  4e09296529ec9d8fb62fa94049549505
- SHA1
  
  83cf897a176049d629f634aa710962caaa5b509a
- SHA256
  
  e20e39a29c9103203e3414ecd3cee0978e3c25b14bfad7803a39f6052ad00d53
- SHA512
  
  e29fc7dc1d602598c0f5b161fb46bc3e943657aca18173b09b2266bbc031113c5edeebb68126be502fc3d7ec3a98ffd5bf0c0a373a3a8634db0c1b5485329ce4
- SSDEEP
  
  49152:Z9yPOk0SJEyyD1ICggRhIBFtVihl8Tcm8gJ4UBgjnum6lc:FkOp+FtVihHLgJ4UBgr
Score

10^/10

cobaltstrike 100000 backdoor trojan 0
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Blocklisted process makes network request
behavioral5 behavioral6
- Target
  
  xshell软件排查结果反馈/其他材料/附件-xshell软件排查结果反馈表.xlsx
- Size
  
  16KB
- MD5
  
  fe154267585de18c4720ef67c26ba17a
- SHA1
  
  a2839f79014c2cbb610b7e15168e841bf745d237
- SHA256
  
  d7f315ee9327145bcff84eee2341306aea186b768c25c86cacc15c33d87776fb
- SHA512
  
  90d77749804f7f03e4e759d06313360bd0a93a884d133c31f4819666253a479eb25e3d35c54fea260a4d742faa21bcd45369bb92185b23e19d34c1d7ed0ea411
- SSDEEP
  
  384:NuhFHfZTnoE+ibQCbbW0Xjt2Jpu5gRiSltXLcqK1180weK2:NuL/ZTPzz5FSlt4qK1jw+
Score

1^/10
behavioral7 behavioral8

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Blocklisted process makes network request

Checks computer location settings

Cobaltstrike

Blocklisted process makes network request

Checks computer location settings

Cobaltstrike

Blocklisted process makes network request

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8