cobaltstrike

Sharing

Copy URL

Twitter E-mail

General

Target

aa164b0178d9f57d83a580d6e95dc9ee75228d0cc15e942b18ed73350a9099cb
Size

8.7MB
Sample

240610-nmg3jshf67
MD5

c10a0c5a0439fb53b5aefba8f61f34e3
SHA1

84529872289db4fbf9bec777fcac9037fa1b72f8
SHA256

aa164b0178d9f57d83a580d6e95dc9ee75228d0cc15e942b18ed73350a9099cb
SHA512

2fe9f8b0f5dda7ec1436d79530185b486c80f7011e19fa9b3b113704fd6d1ed17c9e8338891d97fb4f74d8d9e40e6155c9f43f20d2c2c714e91d5cb48eeaad3b
SSDEEP

196608:Y+WyZeg6dqYobvQxj7HrXGTSabchYfH3av5Ab1W2:Y8eg6dqh4xvHurchYfqv5IU2

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

http://jji.cz:2096/api/3

Attributes

access_type
512
beacon_type
2048
host
jji.cz,/api/3
http_header1
AAAAEAAAAAxIb3N0OiBjeGsuY3oAAAAHAAAAAAAAAAMAAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAAAxIb3N0OiBjeGsuY3oAAAAHAAAAAAAAAAwAAAAHAAAAAQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
2560
polling_time
5000
port_number
2096
sc_process32
%windir%\syswow64\WerFault.exe
sc_process64
%windir%\sysnative\WerFault.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl1NJ+bFxsyyI49thSKotqfq4Mr2Qy+3+WMOTRkMv2ihGvKZtup7Wfxma7MLUhG5mzhsySkYk3xe3O+t6EDjRMSiCrTJK0ii1Ld7FdUwd16otdklTi/iBfPoh9VxXullymxt/dbV4IK7cVmAZ3MImBeqBJkDs02318vDCkcHUdHQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/api/4
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Win64; x64; Trident/4.0)
watermark
100000000

Targets

- Target
  
  aa164b0178d9f57d83a580d6e95dc9ee75228d0cc15e942b18ed73350a9099cb
- Size
  
  8.7MB
- MD5
  
  c10a0c5a0439fb53b5aefba8f61f34e3
- SHA1
  
  84529872289db4fbf9bec777fcac9037fa1b72f8
- SHA256
  
  aa164b0178d9f57d83a580d6e95dc9ee75228d0cc15e942b18ed73350a9099cb
- SHA512
  
  2fe9f8b0f5dda7ec1436d79530185b486c80f7011e19fa9b3b113704fd6d1ed17c9e8338891d97fb4f74d8d9e40e6155c9f43f20d2c2c714e91d5cb48eeaad3b
- SSDEEP
  
  196608:Y+WyZeg6dqYobvQxj7HrXGTSabchYfH3av5Ab1W2:Y8eg6dqh4xvHurchYfqv5IU2
Score

7^/10
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/InstallOptions.dll
- Size
  
  15KB
- MD5
  
  d095b082b7c5ba4665d40d9c5042af6d
- SHA1
  
  2220277304af105ca6c56219f56f04e894b28d27
- SHA256
  
  b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c
- SHA512
  
  61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9
- SSDEEP
  
  192:EyGQtZkTktEQUrJaZfuyCnSmUsv3sY7L7cW8Y6Q86QvoTr11929WtshLAzgSrX8:EyNt+4t7uJalUnGesY7Lt8nCr/Yosa
Score

3^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  50016010fb0d8db2bc4cd258ceb43be5
- SHA1
  
  44ba95ee12e69da72478cf358c93533a9c7a01dc
- SHA256
  
  32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e
- SHA512
  
  ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233
- SSDEEP
  
  48:S46+/pTKYKxbWsptIp5tCZ0iVEAWyMEv9v/ft2O2B8m/ofjLl:zbuPbO5tCZBVEAWyMEFv2CmCL
Score

3^/10
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  4add245d4ba34b04f213409bfe504c07
- SHA1
  
  ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
- SHA256
  
  9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
- SHA512
  
  1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d
- SSDEEP
  
  192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
Score

3^/10
behavioral7 behavioral8
- Target
  
  flashcenter6.5.exe
- Size
  
  1.8MB
- MD5
  
  3928a7c0102f99b044af736562e5cec3
- SHA1
  
  a12fff66dc6dfa756d81b1a24311737db3962ad2
- SHA256
  
  6dd1e3719bd21e49451547ded14863fb7bb27b67c0b23bd1c9086eb928603f91
- SHA512
  
  6825434a0ffabd57a3c2141ade0a2bbf3d0fb038177b31785208a58e5d9a14644e883225b73522d7460b9e9f12f75d9ec5d8a445ff6bb5f42f7c510d057328b7
- SSDEEP
  
  24576:vA8aig/uNjsQ+CjkXha1Qn6522ROgprNwRCVIH06iy9FMvFRPf:vFap2NjslCQXzoRDISIU6issH
Score

10^/10

cobaltstrike 100000000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral10 behavioral9
- Target
  
  flashnet.exe
- Size
  
  8.4MB
- MD5
  
  632652da7a29386a906ae8939e0d7d74
- SHA1
  
  50936912d479e0285a97686907d30073475fb4e5
- SHA256
  
  e5f64846b1a6e9d3b6d523b84553fa5c38a0c45ef8d6e943f61f23559700aae7
- SHA512
  
  60a500a42ec8a66d8aa1ba7921d857cafebba183d746562ed4e3c035cf02429a51177aeb4049e3dba034f40b2d85dc2391481bc744b09448c9a25d2bfcde1d1a
- SSDEEP
  
  196608:/b4LYfKiqg55q56EXtiXxHnTKGa4jlXOOG1ex1BF2i0Z19:/b4e55KQXxHTNOOG1WBF2i0Z19
Score

9^/10

oss_ak spyware stealer upx
- detect oss ak
  oss ak information detected.
  oss_ak
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral11 behavioral12

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Loads dropped DLL

detect oss ak

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12