cobaltstrike

General

Target

0de292dc81b87f87eaf4e46bf8a214d0_NeikiAnalytics.exe
Size

281KB
Sample

240519-wkw3paad46
MD5

0de292dc81b87f87eaf4e46bf8a214d0
SHA1

18ed652ce2842baf38785c521705be46774d2dce
SHA256

a5e658cfdaeaec13ffa9316470dbbb9f7aca10f207abaea1128b8ec0738229df
SHA512

38cc191c8fd0637aaaa7bdc99cabe8647bb9b41d2fd8679a2dfb9e34e4914c2471784ad6d522b03bf04f0ce3a5d70afbbcca7cf09c770257748d2ef545d293bc
SSDEEP

6144:lClUynDl0ze23UM3DAJdZ5K+GlE30hv9:QUwv23o15taJ

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://101.42.26.173:443/jeecg-boot/websocket/e9ca23d68d884d4ebb19d07889727dae

Attributes

access_type
512
beacon_type
2048
host
101.42.26.173,/jeecg-boot/websocket/e9ca23d68d884d4ebb19d07889727dae
http_header1
AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAEFByYWdtYTogbm8tY2FjaGUAAAAKAAAAF0NhY2hlLUNvbnRyb2w6IG5vLWNhY2hlAAAABwAAAAAAAAANAAAAAgAAAAVBTklEPQAAAAIAAAAZX19TZWN1cmUtM1BBUElTSUQ9bm9za2luOwAAAAEAAAAjO0NPTlNFTlQ9WUVTK0NOLnpoLUNOKzIwMjEwOTE3LTA5LTAAAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAAAAAoAAAAtUmVmZXJlcjogaHR0cHM6Ly8yMzQuenRjY2xvdWQuY29tLmNuL2dhdGV3YXkvAAAACgAAACNPcmlnaW46IGh0dHBzOi8vMjM0Lnp0Y2Nsb3VkLmNvbS5jbgAAAAcAAAAAAAAADQAAAAUAAAAIX19mb3JtaWQAAAAJAAAAFXNyY2h1c2VyPXRMbWJDQ0ZmWkVnSAAAAAkAAAAQZ3JvdXBuYW1lPUZReG5GdwAAAAcAAAABAAAADQAAAAIAAAAqYWlkXz01MjIwMDU3MDUmYWNjdmVyPTEmc2hvd3R5cGU9ZW1iZWQmdWE9AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
256
polling_time
42000
port_number
443
sc_process32
%windir%\syswow64\spoolsv.exe
sc_process64
%windir%\sysnative\spoolsv.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjxGC7juHBlDj9RIaRMUR79VrPayHx8zm10dO7UeLltGMIYS6djPJDQZx0VxkT+fCMNoIynKvWdYMboLKbsAW2hScJH8haN28VsIbRXCAXMMpi5qbaTgYTqau99keFT+4il7NwpXVG80GDcGhhpXdXzJDPvD1sjQ+efxpu5ifMuQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.785026048e+09
unknown2
AAAABAAAAAEAAAA4AAAAAgAAADcAAAACAAAANwAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/sys/auth/sms/loginBySms
user_agent
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 4.0; Trident/4.0)
watermark
100000000

Targets

- Target
  
  0de292dc81b87f87eaf4e46bf8a214d0_NeikiAnalytics.exe
- Size
  
  281KB
- MD5
  
  0de292dc81b87f87eaf4e46bf8a214d0
- SHA1
  
  18ed652ce2842baf38785c521705be46774d2dce
- SHA256
  
  a5e658cfdaeaec13ffa9316470dbbb9f7aca10f207abaea1128b8ec0738229df
- SHA512
  
  38cc191c8fd0637aaaa7bdc99cabe8647bb9b41d2fd8679a2dfb9e34e4914c2471784ad6d522b03bf04f0ce3a5d70afbbcca7cf09c770257748d2ef545d293bc
- SSDEEP
  
  6144:lClUynDl0ze23UM3DAJdZ5K+GlE30hv9:QUwv23o15taJ
Score

10^/10

cobaltstrike 100000000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2