cobaltstrike | e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274 | Triage

Sharing

General

Target

e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274
Size

1.4MB
Sample

240524-dfh16aag2x
MD5

5fa12e1523d8a684f524d1a41c06a7a7
SHA1

277d2b8405df0ac7700f0e835e10c1bd1fcf98ee
SHA256

e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274
SHA512

0017313f16254a566d17e7b306df3f3b70cd23b868dc8501d02e3f084fe204f9ca20189a6e8470391f2b8baf5a89f26d2d97d0799664dbc93f425916c49d0033
SSDEEP

24576:Mcrm44B9NlSN7s+GK5aOQ5I2FfPqVFXp+5HvsMu7X9OrIAKQa8HjJrx91YMZHVSv:HrmnbNUN79naf5RfEp+5HvUhOy34JF9R

Score

10^/10

cobaltstrike 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://49.235.206.130:443/FC001/JOHN

Attributes

access_type
512
host
49.235.206.130,/FC001/JOHN
http_header1
AAAAEAAAABhIb3N0OiBmdWNrdW1hbi5nb29nbGUuY24AAAAKAAAAFkNvbm5lY3Rpb246IEtlZWwtQWxpdmUAAAAHAAAAAAAAAAsAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAAEAAAABdIb3N0OiBmdWNrdW1hbi5nb29sZS5jbgAAAAoAAAAWQ29ubmVjdGlvbjogS2VlbC1BbGl2ZQAAAAcAAAAAAAAACwAAAAwAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
jitter
5120
maxdns
255
polling_time
1000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tPKs8MV4yIjJb5CtlrbKHjzP1oD/1AQsj6EKlEMFIKtakLx5+VybrMYE+dDdkDteHmVX0AeFyw001FyQVlt1B+OSNPRscKI5sh1L/ZdwnrMy6S6nNbQ5N5hls6k2kgNO5nQ7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/FC002/JOHN-
user_agent
Microsoft Internet Explorer
watermark
305419896

Targets

- Target
  
  e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274
- Size
  
  1.4MB
- MD5
  
  5fa12e1523d8a684f524d1a41c06a7a7
- SHA1
  
  277d2b8405df0ac7700f0e835e10c1bd1fcf98ee
- SHA256
  
  e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274
- SHA512
  
  0017313f16254a566d17e7b306df3f3b70cd23b868dc8501d02e3f084fe204f9ca20189a6e8470391f2b8baf5a89f26d2d97d0799664dbc93f425916c49d0033
- SSDEEP
  
  24576:Mcrm44B9NlSN7s+GK5aOQ5I2FfPqVFXp+5HvsMu7X9OrIAKQa8HjJrx91YMZHVSv:HrmnbNUN79naf5RfEp+5HvUhOy34JF9R
Score

10^/10

cobaltstrike 305419896 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

cobaltstrike305419896backdoortrojan