cobaltstrike | aafb2f6eb47517dc003a17a22c711bfa657907d4d5f6a6c14ca99a8cdbb78f6c | Triage

Sharing

General

Target

aafb2f6eb47517dc003a17a22c711bfa657907d4d5f6a6c14ca99a8cdbb78f6c
Size

8.5MB
Sample

240516-nenkcshh8w
MD5

0df1bb989cbaf377e99c742999737918
SHA1

039ca5ab26e67624d09f7524008c5494bf1f3f67
SHA256

aafb2f6eb47517dc003a17a22c711bfa657907d4d5f6a6c14ca99a8cdbb78f6c
SHA512

29adaa9e57dadb445ca53f16f2b02573ea727263e530df1db974cce2ae96c75bd1a146d1e8ac11edf16ef4023de7134c38c4ca3656efaf1c922af49533f666f0
SSDEEP

49152:U6NWsoEjaAi2v32V+9eNrb/TevO90d7HjmAFd4A64nsfJlNHTqugfFuVdAt0UJD1:7v32ceG0

Score

10^/10

cobaltstrike 100000000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://1.13.198.202:443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
1.13.198.202,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAJxxGSZQHk3bxMFCDKWSNymfwI/ER4NMAJyIon/AXXBipkFxLKkrpBF4HjEHWp9c1gCKxBbBAurKv7SDM6fRKQELLi3H57ZcIC3WHNQ5kUNBI+sd/Y3lBddj5TnKnvmQgO8XPew3HZAGswL1m4EF8sCDHTTB+PG3g5c+Rdocb7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
100000000

Targets

- Target
  
  aafb2f6eb47517dc003a17a22c711bfa657907d4d5f6a6c14ca99a8cdbb78f6c
- Size
  
  8.5MB
- MD5
  
  0df1bb989cbaf377e99c742999737918
- SHA1
  
  039ca5ab26e67624d09f7524008c5494bf1f3f67
- SHA256
  
  aafb2f6eb47517dc003a17a22c711bfa657907d4d5f6a6c14ca99a8cdbb78f6c
- SHA512
  
  29adaa9e57dadb445ca53f16f2b02573ea727263e530df1db974cce2ae96c75bd1a146d1e8ac11edf16ef4023de7134c38c4ca3656efaf1c922af49533f666f0
- SSDEEP
  
  49152:U6NWsoEjaAi2v32V+9eNrb/TevO90d7HjmAFd4A64nsfJlNHTqugfFuVdAt0UJD1:7v32ceG0
Score

10^/10

cobaltstrike 100000000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cobaltstrike100000000backdoortrojan

behavioral2

cobaltstrike100000000backdoortrojan