cobaltstrike | f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08

General

Target

f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe
Size

690KB
MD5

9c161668cc77563a0415c6b0b92bd6ba
SHA1

829a37bac477c316750199819070b56a55749199
SHA256

f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08
SHA512

eb0dc6b6832c75de9062f2271d9f678e478721b0426b0a7ed8a0df7fd7ebf573745f6e942c57aebb47076114b06c0490103e948399867b4a3c2e74b3b39d9715
SSDEEP

12288:WalHzyq8D3Pe3I3RsVFPIOXQfEKIdgQBR3P7r9r/+ppppppppppppppppppppppJ:WEazPe42VmfdIdgQBN1q

Score

10^/10

cobaltstrike 0 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://47.108.173.88:8099/load

Attributes

access_type
512
host
47.108.173.88,/load
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
8099
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tPKs8MV4yIjJb5CtlrbKHjzP1oD/1AQsj6EKlEMFIKtakLx5+VybrMYE+dDdkDteHmVX0AeFyw001FyQVlt1B+OSNPRscKI5sh1L/ZdwnrMy6S6nNbQ5N5hls6k2kgNO5nQ7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
watermark
305419896

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2780 AcroRd32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

2780 AcroRd32.exe
2780 AcroRd32.exe
2780 AcroRd32.exe

pid	process
2780	AcroRd32.exe

pid	process
2780	AcroRd32.exe
2780	AcroRd32.exe
2780	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe

description	pid	process	target process
PID 2856 wrote to memory of 2780	2856	f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe	AcroRd32.exe
PID 2856 wrote to memory of 2780	2856	f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe	AcroRd32.exe
PID 2856 wrote to memory of 2780	2856	f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe	AcroRd32.exe
PID 2856 wrote to memory of 2780	2856	f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe
"C:\Users\Admin\AppData\Local\Temp\f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.pdf"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.pdf
Filesize
42KB

MD5
d776c75b72ad3c36421709cfd7e323af

SHA1
3a0a709e88ab03fb47d33f60f90ce0baf7ab6fff

SHA256
569629f78789fb257da5fe32e1924c8fcc6da5d2ea1497485c7ca4d18fd3c0e5

SHA512
54437d31026f626020eeba40f09823ba5f214163caae87109484ed7939e0e31f20aaee6b5d05072985accfd2db57a733ab194fb28ef2d9545f93670168f05f27

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
c6e570f0eef685d9d57fb35cc049b43b

SHA1
cea1c7bb04c6f7c9cd359fbbea23c940e352c3f4

SHA256
592f23abceb8c41b2717cb7842d3f4d4918d087d95bec658118b809e570e6e76

SHA512
c7386e545338a9ed3d093068e6ef46fd0cb0c6f455e4395a5ffee509908ed938e0a32ab8730f58d1fc3a28d169a1cc03a2361d66110186b2b3be039bcf13074b

Download Submit
memory/2856-19-0x0000000002FF0000-0x0000000003070000-memory.dmp

Filesize
512KB

Download
memory/2856-21-0x00000000020F0000-0x000000000213C000-memory.dmp

Filesize
304KB

Download
memory/2856-20-0x0000000002FF0000-0x0000000003070000-memory.dmp

Filesize
512KB

Download
memory/2856-22-0x00000000020F0000-0x000000000213C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads