cobaltstrike | 80099b0709ed2e997008c1198593fef6b7147bac099c487a7d930c6d3f242bb8 | Triage

Sharing

General

Target

MALWARE-PS.zip
Size

167KB
Sample

240428-allgpaca5w
MD5

6740bbd0b1988940af59bcb287e63d98
SHA1

27e7310016b25b84aed929b5bf1d8a6e976f1558
SHA256

80099b0709ed2e997008c1198593fef6b7147bac099c487a7d930c6d3f242bb8
SHA512

8a2577ee99ada04141dbff0031f82f4cf12714b0b89e1061db0ec59409db8c22f05165ab3c5d0742eec710ebe43164af1aba38e230febb14ae2b8a187b0e656b
SSDEEP

3072:VCY8VAwtkVhjvaZIpBW5YQDzIMX0TY/o3dwliOeV+w1dOGHv4U2D:VCY8Vdmh3pBW3PxX0iwwlreV+mdzQp

Score

10^/10

cobaltstrike 666 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

666

C2

http://bellebobas.com:443/gifs/

Attributes

access_type
512
beacon_type
2048
dns_idle
6.7373064e+07
dns_sleep
8.1297408e+08
host
bellebobas.com,/gifs/
http_header1
AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAAFJBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL3dlYnAsKi8qO3E9MC44AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAADQAAAAEAAAALL2tpdHRlbi5naWYAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAAc3siaW1hZ2VfdXJsIiA6ICJodHRwczovL3N1bjktMjMudXNlcmFwaS5jb20vRzRKdmRaREVmTGRJUGxOTjEtSmtNR1EydW5mMktFSVY1NE9tNWcvYWJKNzBqR0hmVmsuanBnIiwgIm1ldGFkYXRhIiA6ICIAAAABAAAAAiJ9AAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
jitter
5120
maxdns
235
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\dfrgui.exe
sc_process64
%windir%\sysnative\dfrgui.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaxb4IJ+cn+nbIo0UAWhsGngA5uQImWmV45RX6fH8ISCN93+Rh63Z4Vh2MyxHCoAqJ2pWtyptAbDAxkZQp66O9gDUJSfnJ+LZffG3m66EstIkvj0dPIO0Aiox4KN37itYFtraVXy5B0MVcPLqpkagnmsxuJBWCVQrW/ObJDqw2kwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.2384e+09
unknown2
AAAABAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/temp/
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
watermark
666

Targets

- Target
  
  malware.ps1
- Size
  
  222KB
- MD5
  
  8eea2778505dda470dfe222fa260a7b7
- SHA1
  
  11f42aa29d576220e9fe69366a7c7f99498eda8c
- SHA256
  
  f306f36cedd08d9e83056f41564a96142611cce5a38882edd13046c402b628d8
- SHA512
  
  a8451d8dd52198290a30d348c1520e740249de8bbb29fa1b2f39829436e0985b5810c323fe0ce7394dc1f00dcd9ea6a0e89651e5b81a92dff17aeab4fa2581e5
- SSDEEP
  
  6144:cUTXaH4di1kb6FFGaKMkWfjkY/9jZDEXNf+jCNUi:cqakbCFFRBbrlEXcCGi
Score

10^/10

cobaltstrike 666 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Blocklisted process makes network request
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

666cobaltstrike

behavioral1

cobaltstrike666backdoortrojan

behavioral2

cobaltstrike666backdoortrojan