cobaltstrike

Sharing

Copy URL

Twitter E-mail

General

Target

f8ce6cf58308a2458e0daf482de83cc0a9be4d79f8c6091dd9169c3673d0914e
Size

8.1MB
Sample

240529-fwg5xacd64
MD5

be6f4301187c7bf821f1e09108bc4a5e
SHA1

c69f4039e0e58cefe6e07556d641856d6fe96c9b
SHA256

f8ce6cf58308a2458e0daf482de83cc0a9be4d79f8c6091dd9169c3673d0914e
SHA512

190c08e3b02e0d4b4a29f87db0572d9288e3c3aad8a1a266a16e17c5848cd849453bee56cf501c35792e0d1072f1ae4c10ab05c075cbd911b6c520aaa7bb285d
SSDEEP

196608:A+dqYobvQxj7HrXGTSabchYfH3av5Ab1Wv:A+dqh4xvHurchYfqv5IUv

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

http://cxk.cz:2083/api/3

Attributes

access_type
512
beacon_type
2048
host
cxk.cz,/api/3
http_header1
AAAAEAAAAAxIb3N0OiBjeGsuY3oAAAAHAAAAAAAAAAMAAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAAAxIb3N0OiBjeGsuY3oAAAAHAAAAAAAAAAwAAAAHAAAAAQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
2560
polling_time
5000
port_number
2083
sc_process32
%windir%\syswow64\WerFault.exe
sc_process64
%windir%\sysnative\WerFault.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl1NJ+bFxsyyI49thSKotqfq4Mr2Qy+3+WMOTRkMv2ihGvKZtup7Wfxma7MLUhG5mzhsySkYk3xe3O+t6EDjRMSiCrTJK0ii1Ld7FdUwd16otdklTi/iBfPoh9VxXullymxt/dbV4IK7cVmAZ3MImBeqBJkDs02318vDCkcHUdHQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/api/4
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Win64; x64; Trident/4.0)
watermark
100000000

Targets

- Target
  
  f8ce6cf58308a2458e0daf482de83cc0a9be4d79f8c6091dd9169c3673d0914e
- Size
  
  8.1MB
- MD5
  
  be6f4301187c7bf821f1e09108bc4a5e
- SHA1
  
  c69f4039e0e58cefe6e07556d641856d6fe96c9b
- SHA256
  
  f8ce6cf58308a2458e0daf482de83cc0a9be4d79f8c6091dd9169c3673d0914e
- SHA512
  
  190c08e3b02e0d4b4a29f87db0572d9288e3c3aad8a1a266a16e17c5848cd849453bee56cf501c35792e0d1072f1ae4c10ab05c075cbd911b6c520aaa7bb285d
- SSDEEP
  
  196608:A+dqYobvQxj7HrXGTSabchYfH3av5Ab1Wv:A+dqh4xvHurchYfqv5IUv
Score

7^/10
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/InstallOptions.dll
- Size
  
  15KB
- MD5
  
  d095b082b7c5ba4665d40d9c5042af6d
- SHA1
  
  2220277304af105ca6c56219f56f04e894b28d27
- SHA256
  
  b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c
- SHA512
  
  61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9
- SSDEEP
  
  192:EyGQtZkTktEQUrJaZfuyCnSmUsv3sY7L7cW8Y6Q86QvoTr11929WtshLAzgSrX8:EyNt+4t7uJalUnGesY7Lt8nCr/Yosa
Score

3^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  50016010fb0d8db2bc4cd258ceb43be5
- SHA1
  
  44ba95ee12e69da72478cf358c93533a9c7a01dc
- SHA256
  
  32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e
- SHA512
  
  ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233
- SSDEEP
  
  48:S46+/pTKYKxbWsptIp5tCZ0iVEAWyMEv9v/ft2O2B8m/ofjLl:zbuPbO5tCZBVEAWyMEFv2CmCL
Score

3^/10
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  4add245d4ba34b04f213409bfe504c07
- SHA1
  
  ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
- SHA256
  
  9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
- SHA512
  
  1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d
- SSDEEP
  
  192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
Score

3^/10
behavioral7 behavioral8
- Target
  
  flashcenter5.28.exe
- Size
  
  759KB
- MD5
  
  ad7326c447b14ed3d1b620710489eb3a
- SHA1
  
  00e3e3e2feeb04760657ca1f022187adedb76047
- SHA256
  
  866c9a373e73765efdcf00d0ede1fed3704f5f25d8e1d5b109b178f0c96c3074
- SHA512
  
  e67a5c154b92cd87822000ce7f765ab0129a4c15d32206007bf67006c26554f45310aaaf1dd126f5e9aea33bd50d68b390e947616c27edf016c8843d69ecd843
- SSDEEP
  
  12288:EQPthmdbCPjT8uIzKog9w+AhC6HqSp7T4ecuuUPYyoQFjQWT:EQrmOT8uLor3h1U3uuUPRFRT
Score

10^/10

cobaltstrike 100000000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral10 behavioral9
- Target
  
  flashnet.exe
- Size
  
  8.4MB
- MD5
  
  632652da7a29386a906ae8939e0d7d74
- SHA1
  
  50936912d479e0285a97686907d30073475fb4e5
- SHA256
  
  e5f64846b1a6e9d3b6d523b84553fa5c38a0c45ef8d6e943f61f23559700aae7
- SHA512
  
  60a500a42ec8a66d8aa1ba7921d857cafebba183d746562ed4e3c035cf02429a51177aeb4049e3dba034f40b2d85dc2391481bc744b09448c9a25d2bfcde1d1a
- SSDEEP
  
  196608:/b4LYfKiqg55q56EXtiXxHnTKGa4jlXOOG1ex1BF2i0Z19:/b4e55KQXxHTNOOG1WBF2i0Z19
Score

9^/10

oss_ak spyware stealer upx
- detect oss ak
  oss ak information detected.
  oss_ak
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral11 behavioral12
- Target
  
  uninst.exe
- Size
  
  144KB
- MD5
  
  b6fd6ec91c8f881d919a2175e61b710d
- SHA1
  
  ebfe1b62ba999973c7853b8467b97a6a8f888110
- SHA256
  
  5ebed46a8e90ccc86a648a29cd43b9526c1db2d4e235d7f6f3e740afe8dc8b3f
- SHA512
  
  4c1f75cc71f7dde72f91737216002e3142fa5421b6aa3ff4b93cd161069be8a6ae4f66d462b99acc77ff90cc655a0cdc247f20a101edaddd7aa3475e71edd0f2
- SSDEEP
  
  3072:Sfi3k+oWDBDh1dufmlkggLiEJ9spt294Z3AALPQWv:SfL+oqyNjKQ4XkWv
Score

7^/10
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
behavioral13 behavioral14
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  50016010fb0d8db2bc4cd258ceb43be5
- SHA1
  
  44ba95ee12e69da72478cf358c93533a9c7a01dc
- SHA256
  
  32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e
- SHA512
  
  ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233
- SSDEEP
  
  48:S46+/pTKYKxbWsptIp5tCZ0iVEAWyMEv9v/ft2O2B8m/ofjLl:zbuPbO5tCZBVEAWyMEFv2CmCL
Score

3^/10
behavioral15 behavioral16

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Loads dropped DLL

detect oss ak

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16