Overview

overview

10

Static

static

10

2024-04-25...ke.exe

windows7-x64

10

2024-04-25...ke.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2024-04-25_e93cad8c90893dfdb94fe1700dd2a744_cobalt-strike_cobaltstrike

  • Size

    372KB

  • Sample

    240425-jq3ffaha2w

  • MD5

    e93cad8c90893dfdb94fe1700dd2a744

  • SHA1

    f4965174d349c87f6efe152644ef26479e6d27fb

  • SHA256

    e7fce739ac3e9ee266bf405e92367729e6fe42d0389fba584d1ef8032c5f0dfc

  • SHA512

    6fd3760b1f4042aa22006e07f8cc3bc16f343bf61f84a0c21c0e9f229638a689419e08b2de1a7f75466ffec9503b6e76031a032741f0ca0284734dd35bc015b0

  • SSDEEP

    6144:AhJqKG5d1IpMyibgkTZI6jHID90axBXcH/bKdY:G6d6tevoxBBX6OdY

Score
10/10
cobaltstrike100000000backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://service-0xgb0mzs-1317544938.gz.tencentapigw.com.cn:443/api/x

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    service-0xgb0mzs-1317544938.gz.tencentapigw.com.cn,/api/x

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    1000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTN3bT8NJ0fEKrdSBxYZaEUo+LHW1kw2GMEUQ57BVhsz9BfFMtncyRie6VuHQXiJjB+Qo380pgukMIHbJdnl/ctsiMNQetoFzFjNZomiRgBQK6ne30XZVdi8h5AAeq4bHdhV+SjcvmVZQXT5bqaHeZOxH9iB9CQiR0RuuZZS6I8wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.481970944e+09

  • unknown2

    AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /api/y

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0

  • watermark

    100000000

Targets

    • Target

      2024-04-25_e93cad8c90893dfdb94fe1700dd2a744_cobalt-strike_cobaltstrike

    • Size

      372KB

    • MD5

      e93cad8c90893dfdb94fe1700dd2a744

    • SHA1

      f4965174d349c87f6efe152644ef26479e6d27fb

    • SHA256

      e7fce739ac3e9ee266bf405e92367729e6fe42d0389fba584d1ef8032c5f0dfc

    • SHA512

      6fd3760b1f4042aa22006e07f8cc3bc16f343bf61f84a0c21c0e9f229638a689419e08b2de1a7f75466ffec9503b6e76031a032741f0ca0284734dd35bc015b0

    • SSDEEP

      6144:AhJqKG5d1IpMyibgkTZI6jHID90axBXcH/bKdY:G6d6tevoxBBX6OdY

    Score
    10/10
    cobaltstrike100000000backdoortrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Detects Reflective DLL injection artifacts

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks