cobaltstrike | 0dc53314837e1b23f578426d3ff5f4a659ab8c80cb71fd6983eeb29f9e1d528f

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dc53314837e1b23f578426d3ff5f4a659ab8c80cb71fd6983eeb29f9e1d528f.exe
Size

523KB
MD5

fed22c27962b828439a4b1fc8aec0214
SHA1

6c5e14ee3e53dd3a1fe552b11a564d8e4d063572
SHA256

0dc53314837e1b23f578426d3ff5f4a659ab8c80cb71fd6983eeb29f9e1d528f
SHA512

4dc30b2980c394127bcc00d4fafe6d4faa5dd27404fbe2992beaed0f4ae058056137b7a170e0c86adcca5fc7c369193f39f0dcc305d30196ecdd52f05905570d
SSDEEP

6144:6DB3O2FT/JjmbIw2tDcohDUlWdcO43rEhnW5x6HZINlp3WTZsZ1xyysgd0LGhgc:693rTFm69coBkongM6lpGTZayXgm669

Score

10^/10

cobaltstrike 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

http://49.235.206.130:443/FC001/JOHN

Attributes

access_type
512
host
49.235.206.130,/FC001/JOHN
http_header1
AAAAEAAAABhIb3N0OiBmdWNrdW1hbi5nb29nbGUuY24AAAAKAAAAFkNvbm5lY3Rpb246IEtlZWwtQWxpdmUAAAAHAAAAAAAAAAsAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAAEAAAABdIb3N0OiBmdWNrdW1hbi5nb29sZS5jbgAAAAoAAAAWQ29ubmVjdGlvbjogS2VlbC1BbGl2ZQAAAAcAAAAAAAAACwAAAAwAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
jitter
5120
maxdns
255
polling_time
1000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tPKs8MV4yIjJb5CtlrbKHjzP1oD/1AQsj6EKlEMFIKtakLx5+VybrMYE+dDdkDteHmVX0AeFyw001FyQVlt1B+OSNPRscKI5sh1L/ZdwnrMy6S6nNbQ5N5hls6k2kgNO5nQ7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/FC002/JOHN-
user_agent
Microsoft Internet Explorer
watermark
305419896

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0dc53314837e1b23f578426d3ff5f4a659ab8c80cb71fd6983eeb29f9e1d528f.exe

pid	process
3508	0dc53314837e1b23f578426d3ff5f4a659ab8c80cb71fd6983eeb29f9e1d528f.exe
3508	0dc53314837e1b23f578426d3ff5f4a659ab8c80cb71fd6983eeb29f9e1d528f.exe

C:\Users\Admin\AppData\Local\Temp\0dc53314837e1b23f578426d3ff5f4a659ab8c80cb71fd6983eeb29f9e1d528f.exe
"C:\Users\Admin\AppData\Local\Temp\0dc53314837e1b23f578426d3ff5f4a659ab8c80cb71fd6983eeb29f9e1d528f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3508-1-0x000001FC54440000-0x000001FC5448C000-memory.dmp

Filesize
304KB

Download
memory/3508-0-0x000001FC543C0000-0x000001FC54400000-memory.dmp

Filesize
256KB

Download
memory/3508-2-0x000001FC54440000-0x000001FC5448C000-memory.dmp

Filesize
304KB

Download