Behavioral task
behavioral1
Sample
2024-04-16_99f750b15c273bb888d0bb11c86c0c5c_cobalt-strike_cobaltstrike_havex.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-16_99f750b15c273bb888d0bb11c86c0c5c_cobalt-strike_cobaltstrike_havex.exe
Resource
win10v2004-20240412-en
General
-
Target
2024-04-16_99f750b15c273bb888d0bb11c86c0c5c_cobalt-strike_cobaltstrike_havex
-
Size
290KB
-
MD5
99f750b15c273bb888d0bb11c86c0c5c
-
SHA1
b97892305ac6353ee218c1d802688913cf6c865f
-
SHA256
6c532be11353a774ff7fc6cc73b631f971f8b5ab587f3200aef5a17740b53421
-
SHA512
8a55fa8a4b9ba516aef5cb57bba7f2697290ee8016be00693ada53544a459d540fefd6769a6976201732dbebecf881f6ebd3947488a1d4d7e74aa8bbd6c3b223
-
SSDEEP
6144:lP7hsJqVG5d1IpMyibgkTZI6jHID90apBXrH/:ljhs3d6tevoxZBXL
Malware Config
Extracted
cobaltstrike
666666
http://10.135.246.179:8086/include/template/isx.php
-
access_type
512
-
host
10.135.246.179,/include/template/isx.php
-
http_header1
AAAACgAAAB5SZWZlcmVyOiBodHRwOi8vd3d3Lmdvb2dsZS5jb20AAAAKAAAAa0FjY2VwdDogdGV4dC94bWwsYXBwbGljYXRpb24veG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCx0ZXh0L2h0bWw7cT0wLjksdGV4dC9wbGFpbjtxPTAuOCxpbWFnZS9wbmcsKi8qO3E9MC41AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLXVzLGVuO3E9MC41AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
500
-
port_number
8086
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCLsKDyNbWXC1vdebN+IGKik2TmjTOiBw/iq/HwoaKRYeKMsdpitFzXxAJa3VH7JQaLcz0kQOrItOwtnaPkMTSblDrelDu/444rTJ1Nv3gL11SwvztWubt6oYJjRN2GWphUyuWtatcuvK7DuL6ZaR7fuoprMhH4P2628uSDEC7a5wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
3.998553344e+09
-
unknown2
AAAABAAAAAEAAAAWAAAAAgAAAIAAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/includes/phpmailer/class.pop3.php
-
user_agent
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08
-
watermark
666666
Signatures
-
Cobaltstrike family
-
Unsigned PE 1 IoCs
Checks for a missing Authenticode signature.
Processes:
resource 2024-04-16_99f750b15c273bb888d0bb11c86c0c5c_cobalt-strike_cobaltstrike_havex
Files
-
2024-04-16_99f750b15c273bb888d0bb11c86c0c5c_cobalt-strike_cobaltstrike_havex.exe windows:6 windows x64 arch:x64
8fd85d5d6ef75c0922887b4bcfb96cd2
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
kernel32
SizeofResource
HeapCreate
EnumSystemLocalesA
CloseHandle
LoadResource
FindResourceW
HeapAlloc
RtlCaptureContext
PssQuerySnapshot
PssFreeSnapshot
PssCaptureSnapshot
MultiByteToWideChar
LoadLibraryExW
GetProcAddress
FreeLibrary
OpenProcess
GetProcessId
GetLastError
RaiseException
GetTempPathW
GetTempFileNameW
CreateFileW
GetEnvironmentVariableW
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetModuleHandleW
GetStartupInfoW
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
clang_rt.asan_dynamic-x86_64
__asan_unregister_globals
__asan_set_seh_filter
__asan_on_error__dll
__asan_set_error_report_callback
__asan_default_suppressions__dll
__asan_get_shadow_memory_dynamic_address
__asan_register_globals
__asan_default_options__dll
__ubsan_default_options__dll
__asan_should_detect_stack_use_after_return
__sanitizer_cov_pcs_init__dll
__sanitizer_cov_bool_flag_init__dll
__sanitizer_cov_8bit_counters_init__dll
__sanitizer_cov_trace_switch__dll
__sanitizer_cov_trace_pc_indir__dll
__sanitizer_cov_trace_pc_guard_init__dll
__sanitizer_cov_trace_pc_guard__dll
__sanitizer_cov_trace_gep__dll
__sanitizer_cov_trace_div8__dll
__sanitizer_cov_trace_div4__dll
__sanitizer_cov_trace_const_cmp8__dll
__sanitizer_cov_trace_const_cmp4__dll
__sanitizer_cov_trace_const_cmp2__dll
__sanitizer_cov_trace_const_cmp1__dll
__sanitizer_cov_trace_cmp8__dll
__sanitizer_cov_trace_cmp4__dll
__sanitizer_cov_trace_cmp2__dll
__sanitizer_cov_trace_cmp1__dll
__sanitizer_cov_trace_cmp__dll
__sancov_default_options__dll
__sanitizer_malloc_hook__dll
__sanitizer_free_hook__dll
__sanitizer_weak_hook_strstr__dll
__sanitizer_weak_hook_strncmp__dll
__sanitizer_weak_hook_strcmp__dll
__sanitizer_weak_hook_memcmp__dll
__sanitizer_sandbox_on_notify__dll
__sanitizer_report_error_summary__dll
__sanitizer_on_print__dll
__sanitizer_register_weak_function
__asan_get_report_description
__asan_memcpy
vcruntime140
memcpy
wcsstr
strstr
memset
__current_exception_context
__current_exception
__C_specific_handler
vcruntime140_1
__CxxFrameHandler4
api-ms-win-crt-time-l1-1-0
clock
api-ms-win-crt-convert-l1-1-0
atoi
api-ms-win-crt-runtime-l1-1-0
abort
_initterm
_configure_narrow_argv
terminate
_register_thread_local_exe_atexit_callback
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
_seh_filter_exe
_set_app_type
_initialize_narrow_environment
_get_narrow_winmain_command_line
_initterm_e
exit
_exit
_c_exit
api-ms-win-crt-math-l1-1-0
__setusermatherr
api-ms-win-crt-stdio-l1-1-0
__stdio_common_vswprintf_s
_set_fmode
__acrt_iob_func
__p__commode
__stdio_common_vfprintf
api-ms-win-crt-locale-l1-1-0
_configthreadlocale
api-ms-win-crt-heap-l1-1-0
malloc
_set_new_mode
free
calloc
api-ms-win-crt-string-l1-1-0
wcsnlen
wcsncmp
strnlen
wcsncpy_s
wcscpy_s
wmemcpy_s
Sections
.text Size: 11KB - Virtual size: 11KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 14KB - Virtual size: 13KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1024B - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 1024B - Virtual size: 720B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.WEAK Size: 512B - Virtual size: 280B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.INTR Size: 512B - Virtual size: 16B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 260KB - Virtual size: 260KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 184B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ