General

  • Target

    2024-05-24_0a81050f2c9942038b27236bd1b8becf_cobalt-strike_cobaltstrike

  • Size

    349KB

  • Sample

    240524-ezkjrsda73

  • MD5

    0a81050f2c9942038b27236bd1b8becf

  • SHA1

    28add56e2ec688ef76f9508bce01d09bca5a6bbe

  • SHA256

    0f03b9c1b7b35f22c6f0fe2a6418e58306fdfc16214756dc052db2d3a2f1b1df

  • SHA512

    7073ff1c18ddf4c9b535c71c1f16d6c5751de11c09e1d43df839207fe0f7d1695fbdb5d4df7f165e670033dbfcc80dee537c62b3fa772b4e31b0c76b0e3ef1f7

  • SSDEEP

    6144:6FQTuDshCaqGc0bPzIpt8ahTw8PHA8itQgRQvOuE:6FUj18L8aS2E/RQv

Malware Config

Extracted

Family

cobaltstrike

Botnet

520

C2

http://183.136.216.35:443/auth/data

http://14.29.98.35:443/auth/data

http://121.32.228.35:443/auth/data

http://119.96.52.35:443/auth/data

http://111.177.3.35:443/auth/data

http://114.80.30.35:443/auth/data

http://119.100.50.35:443/auth/data

http://183.56.138.35:443/auth/data

http://113.113.73.35:443/auth/data

http://220.194.65.35:443/auth/data

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    183.136.216.35,/auth/data,14.29.98.35,/auth/data,121.32.228.35,/auth/data,119.96.52.35,/auth/data,111.177.3.35,/auth/data,114.80.30.35,/auth/data,119.100.50.35,/auth/data,183.56.138.35,/auth/data,113.113.73.35,/auth/data,220.194.65.35,/auth/data

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    5120

  • polling_time

    10000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCPA6CRY/EJOhNXBEiMFIPmA262UwP+bK4hNeLwuLfxfhP14bUalQ6LZlrsy8yG/+Sg8864x7PyCcB2sqgELFQ2E3DfEyeclXj26sBNdCEjpFOuZzu3o0gFJ46a8kW32NoYE4xq8ooPSZo1EHmMqAnV8i7WvljqjqeYIp5HgyPFkQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.481970944e+09

  • unknown2

    AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /auth-server/token

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/539.35 (KHTML, like Gecko) Chrome/75.0.379.172 Safari/539.35

  • watermark

    520

Targets

    • Target

      2024-05-24_0a81050f2c9942038b27236bd1b8becf_cobalt-strike_cobaltstrike

    • Size

      349KB

    • MD5

      0a81050f2c9942038b27236bd1b8becf

    • SHA1

      28add56e2ec688ef76f9508bce01d09bca5a6bbe

    • SHA256

      0f03b9c1b7b35f22c6f0fe2a6418e58306fdfc16214756dc052db2d3a2f1b1df

    • SHA512

      7073ff1c18ddf4c9b535c71c1f16d6c5751de11c09e1d43df839207fe0f7d1695fbdb5d4df7f165e670033dbfcc80dee537c62b3fa772b4e31b0c76b0e3ef1f7

    • SSDEEP

      6144:6FQTuDshCaqGc0bPzIpt8ahTw8PHA8itQgRQvOuE:6FUj18L8aS2E/RQv

MITRE ATT&CK Matrix

Tasks