cobaltstrike

General

Target

32.exe
Size

278KB
Sample

240425-3pyweagc3y
MD5

b553b7bec9da3b7d38c8a2e5a5a94207
SHA1

44460b10d136a99d445121223e904c9f8732f751
SHA256

514d2767a36d3abe2d368e60adae95341a7371c99cee523c5632a72a03781ebf
SHA512

71bfd33ba08c386c788be911c23d14ad8597e8423d576a94c0e765c1598ece07a04cd68c4dcae91508ba14777650e2e2b0320cc2bef57dbb92aecb8fceb4bfa3
SSDEEP

3072:vRyGwUbWGF7dhjhjyDOb+I/QEPuCDFF/mpVHmp4QKnkdy31elkhhxv:vRjZbWmNyDOb+IxP7j/uMKeuUsx

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://118.89.80.111:2211/updates

Attributes

access_type
512
host
118.89.80.111,/updates
http_header1
AAAABwAAAAAAAAALAAAAAgAAAAV1c2VyPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAABJBY2NlcHQ6IHRleHQvcGxhaW4AAAAKAAAAFkFjY2VwdC1MYW5ndWFnZTogZW4tdXMAAAAKAAAAG0FjY2VwdC1FbmNvZGluZzogdGV4dC9wbGFpbgAAAAoAAAAvQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQAAAAHAAAAAAAAAAgAAAAFAAAAAmlkAAAABwAAAAEAAAADAAAAAgAAADsmb3A9MSZpZD12eGV5a1MmdWk9Sm9zaCBAClBDJnd2PTExJmdyPWJhY2tvZmYmYnY9MS41NSZkYXRhPQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
2560
polling_time
5000
port_number
2211
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDvAHQoUWtBEt4DYUsXllmXe03JefRmQGnbjonT8WGFIUMOpr6H63zpDkOYTbG/Hk/Kii2n7TiCMam1Fa2Eg0O3QAK3oqaAAkdTVu1kIw6K65NmReeq1f/GN0EX2bcu0S/Q+2Ir7kCyY4Ditt8sZ8moTKNN2ar0MRhfCMQeSH7v8wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/aircanada/dark.php
user_agent
Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
watermark
100000

Targets

- Target
  
  32.exe
- Size
  
  278KB
- MD5
  
  b553b7bec9da3b7d38c8a2e5a5a94207
- SHA1
  
  44460b10d136a99d445121223e904c9f8732f751
- SHA256
  
  514d2767a36d3abe2d368e60adae95341a7371c99cee523c5632a72a03781ebf
- SHA512
  
  71bfd33ba08c386c788be911c23d14ad8597e8423d576a94c0e765c1598ece07a04cd68c4dcae91508ba14777650e2e2b0320cc2bef57dbb92aecb8fceb4bfa3
- SSDEEP
  
  3072:vRyGwUbWGF7dhjhjyDOb+I/QEPuCDFF/mpVHmp4QKnkdy31elkhhxv:vRjZbWmNyDOb+IxP7j/uMKeuUsx
Score

10^/10

cobaltstrike 100000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2