cobaltstrike

General

Target

Sample(s).rar
Size

4.5MB
Sample

240529-q2jwssgc5v
MD5

c87ea4243be494d3020a69257a2e3557
SHA1

d97ab87aa9e85b431f1cc66040871ef9fac94b57
SHA256

e915998b69710b88058a9d3f99605250047023d23df72e55419962bb266f764d
SHA512

926b1860897a741c0e22132599e724f58cced638cd02d33846c3a61f5f34bc259c22353b5118bd46a196054c53afad9a3d155fd180c877ee6b025b94fa91199b
SSDEEP

98304:TuCc1e1M/rYklEQQ26hXAc7k6YnVyRuBdtM8G4SLjCYZeP32LfmVpeICL:Tulwm/rVE72gXn46rNlCYy2LMpeIG

Score

10^/10

cobaltstrike 0 100000 100000000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://23.105.197.219:4433/en_US/all.js

Attributes

access_type
512
beacon_type
2048
host
23.105.197.219,/en_US/all.js
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
4433
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDohWpPN9dK5Iaq3j5MARwhwXxMD+LZJY92SEg755tH3cbGJDwjAjae+Cq14PUO5w33EpPbdmLoEfwZmXv2Zz/AYj0O8mNmRw35sEPhPXGKj1Snqz4qS1EVBYgJOSMLEUCg7LBwHQtvsGnoZjszjkVqf9Hi9INcnBF8qLyh4JrKQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LEN2)
watermark
100000

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://117.50.187.104:443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
117.50.187.104,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCLHq61G6ViUj/7MacY3/Gp3/FXLl2AwjzESvjjypyINHaZKA1m/eW9IZJIBg+cF8xVEdNQMoD/JdIlWi5zQIjz+FqxE6OIWuzfZs9QGOWfleMdu5nAmAlG2IxULfOjqx++rH4+EKSyhrNMS3aZvD/5PR+qVxSfA8wP/lh0zha+tQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
100000000

Targets

- Target
  
  1123.scr.vir
- Size
  
  934KB
- MD5
  
  12ba4d27185e65f3d612f4277a705800
- SHA1
  
  703a75bf3008463d38b1c7d53d4861b0b26a3889
- SHA256
  
  b0f47f32d463c9f25bf1a648bc9b2994bea016540aa6d70f31fc8267ebdb70da
- SHA512
  
  63fcc14bbf6b676b7793c5cc982e063e46f84a709bbade86aa4072679442a3dfedfe60570caa98ee1335aaf28f593f57a5e1a5a2cc7cad9f70d11294036fdf7b
- SSDEEP
  
  12288:oco/eGkp4gMc7NU6FsV3GNYRCMs5P6Bd3X3u:sPkxi66V2iO5P6Bd3X3
Score

10^/10

cobaltstrike 0 100000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral1 behavioral2
- Target
  
  关于执行《集团网络资产评估管理有关事项的通知》.exe.vir
- Size
  
  2.9MB
- MD5
  
  4c7b86cb6d643b821499d77e7ba6a794
- SHA1
  
  ec5ad53b74d61cd071ec9fcb16c532de3ba72eeb
- SHA256
  
  05e24b05aaaab088ccefb6dc1ae8eb529acb90848ddd0e0b528010313e4e98e3
- SHA512
  
  de5a730b73c899033373eedaf593ad656a527fc75826ba112d1011f65abb5ffbfd3e164198ca0285bf60c4af57d9322e30b8d086364113ef1c8e9bf66cf16ff5
- SSDEEP
  
  24576:E1Jjy5tRrJW1IXsbK60wWx/FtU6a+uKhs0aZNFBwcTwBjmnt+INEK:+Ylr++sd39nt+INEK
Score

10^/10

cobaltstrike 100000000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral3 behavioral4
- Target
  
  阿里巴巴集团招聘部分JD信息2024_修复版本v0.4-Talent.Alibaba-inc.exe.vir
- Size
  
  13.0MB
- MD5
  
  11161c5d673e111e61b8be366b6a1b26
- SHA1
  
  233e2678f1b7f32ee973152a02b925bdc1b1f5c5
- SHA256
  
  e7acf5881bba4d7a0f86bc23c46e35f0600bc0aab9e01bde693cc9336341a597
- SHA512
  
  15e1285476a308d20a5e023a10b6fe26a2f6c49d87206972b042a75e3a5bf3067765531c54e536c2a931d578bdf23504ebcab1a03e10c45c50005a8948b849bd
- SSDEEP
  
  49152:dl6a+jY4evehRlL6HCeZdlubWoCZoxy33C3U7il5st/3Jz/Cl500:u0syX3r7il5sDqnP
Score

1^/10
behavioral5 behavioral6

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Cobaltstrike

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6