cobaltstrike | 1664-1-0x000007FEF64B0000-0x000007FEF655C000-memory[.]dmp

Sharing

Copy URL

Twitter E-mail

General

Target

1664-1-0x000007FEF64B0000-0x000007FEF655C000-memory.dmp
Size

688KB
MD5

7d9ac8daf9014556bf62cb84347d7b71
SHA1

38ec24d92510965b4b542ee519091b4d6b076c96
SHA256

25ce0acad6aa1d253844c4509cb6bd289f080d6c6c22b1ec9ca0e92c02729e36
SHA512

70f9470d76115e7e127e74aca6df053f74fd985f1a15a52e1bdd95e8fdb84639f8cccf92857327e7d11ffab456a72b83078a836ea9f0f725d857928a83125640
SSDEEP

12288:4D+rv5FLdReZX0jbIS0wSJSkORCXdpVo2GN:Lrx1dYyjbIpwSTOWfVPy

Score

10^/10

1359593325 cobaltstrike

Malware Config

Extracted

Family

cobaltstrike

Botnet

1359593325

http://3.208.96.244:80/functionalStatus

Attributes

access_type
512
host
3.208.96.244,/functionalStatus
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi1VUwAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAHAAAAAAAAAA0AAAAFAAAAAV8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAATQWNjZXB0LUxhbmd1YWdlOiBlbgAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAHAAAAAQAAAA0AAAAFAAAAGmluY2x1ZGVNZWV0aW5nc0lDb29yZ2FuaXplAAAABwAAAAAAAAANAAAABQAAABNpbmNsdWRlQ29vcmdhbml6ZXJzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
GET
jitter
6400
polling_time
37000
port_number
80
sc_process32
%windir%\syswow64\gpupdate.exe
sc_process64
%windir%\sysnative\gpupdate.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmyNkXmmHqSxx58gQ9Be3RGpNCkhza3M5j0q8b8h1YXlQFQrCvtlz5qkInZj0AnfbXS6VmWl+juAYz60kclbpLBjTJliBaEMisK9WkWAT6UGywouI3a8hSfSUwRKRL3QjL2461m8XR4gldNqf9/JO8gFwNGQBnhWwZDtNHYd6S9wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
9.06174464e+08
unknown2
AAAABAAAAAEAAAAIAAAAAQAAAAgAAAABAAAACgAAAAEAAAAGAAAAAQAAAAsAAAABAAAAIQAAAAEAAABFAAAAAQAAADcAAAABAAAAQwAAAAEAAAAbAAAAAQAAAA8AAAABAAAAGQAAAAEAAAAgAAAAAQAAAEgAAAACAAAAEAAAAAIAAAARAAAAAgAAAAsAAAACAAAAHwAAAAIAAABQAAAAAgAAADwAAAACAAAANgAAAAIAAABFAAAAAgAAACYAAAACAAAACAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
1.610612736e+09
uri
/rest/2/meetings
user_agent
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
watermark
1359593325

Signatures

Cobaltstrike family
cobaltstrike

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
1664-1-0x000007FEF64B0000-0x000007FEF655C000-memory.dmp

Files

1664-1-0x000007FEF64B0000-0x000007FEF655C000-memory.dmp
.dll windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.text
Size: 84KB - Virtual size: 84KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 584KB - Virtual size: 583KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 84KB - Virtual size: 84KB

.data Size: 1024B - Virtual size: 2KB

.pdata Size: 4KB - Virtual size: 3KB

.rsrc Size: 584KB - Virtual size: 583KB

.reloc Size: 2KB - Virtual size: 2KB

.text
Size: 84KB - Virtual size: 84KB

.data
Size: 1024B - Virtual size: 2KB

.pdata
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 584KB - Virtual size: 583KB

.reloc
Size: 2KB - Virtual size: 2KB