cobaltstrike | 9033440bfb88d62a6fec03431166efa6676bd75ec2c44930ebdb919a4ab0cbcb | Triage

Sharing

General

Target

9033440bfb88d62a6fec03431166efa6676bd75ec2c44930ebdb919a4ab0cbcb
Size

2.0MB
Sample

240614-vsjxnazblb
MD5

b57b4446a7f7d2d08a170c840d0a8fac
SHA1

d28354692c19ab2f086e58cacfe243459b7101f2
SHA256

9033440bfb88d62a6fec03431166efa6676bd75ec2c44930ebdb919a4ab0cbcb
SHA512

35aeca6a8eeb2561e1dd110e744495bebd4e3ff8249bfee9a6d6177727d62a202c4ccfe2671328ea9f78df07e024d2e0a27105e678826627cabb6cfb4f06e816
SSDEEP

24576:W8ucD+6Jx3PWU8SDxkyWTzCAIu5yaC+3Zi56Hfmqz1vh:WD6L3PGxCflSo56mqz1

Score

10^/10

cobaltstrike 0 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://www.freephone.store:443/owa/

Attributes

access_type
512
beacon_type
2048
dns_idle
1.34744072e+08
host
www.freephone.store,/owa/
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAACGQ29va2llOiBNaWNyb3NvZnRBcHBsaWNhdGlvbnNUZWxlbWV0cnlEZXZpY2VJZD05NWMxOGQ4LTRkY2U5ODU0O0NsaWVudElkPTFDMEY2QzVEOTEwRjk7TVNQQXV0aD0zRWtBakRLakk7eGlkPTczMGJmNzt3bGE0Mj1aRzB5TXpBMktqRXMAAAAHAAAAAAAAAA0AAAAFAAAAAndhAAAACQAAAA5wYXRoPS9jYWxlbmRhcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAABAAAADQAAAAUAAAACd2EAAAAHAAAAAAAAAA0AAAACAAAABndsYTQyPQAAAAIAAAALeGlkPTczMGJmNzsAAAACAAAAEk1TUEF1dGg9M0VrQWpES2pJOwAAAAIAAAAXQ2xpZW50SWQ9MUMwRjZDNUQ5MTBGOTsAAAACAAAAOE1pY3Jvc29mdEFwcGxpY2F0aW9uc1RlbGVtZXRyeURldmljZUlkPTk1YzE4ZDgtNGRjZTk4NTQ7AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
GET
jitter
5120
maxdns
235
polling_time
30000
port_number
443
sc_process32
%windir%\syswow64\gpupdate.exe
sc_process64
%windir%\sysnative\gpupdate.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkr1oBvk72T2ayBy7EyNzlGb0rQfBsUfVyHifAkjTXjyGGIqZGqhkMxKPTZ8X2Bz8axr7/86xnA2Q2iciuMAdIAGmnL2oQvwo7DV4asmr30oxuHUTGgxkuoThy1XsDtXoxdTvkP4si8IQoNzExFyBzsoi1UYi/jRzljqJWbLKMPwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.448416512e+09
unknown2
AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
1.610612736e+09
uri
/OWA/
user_agent
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
watermark
305419896

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Targets

- Target
  
  9033440bfb88d62a6fec03431166efa6676bd75ec2c44930ebdb919a4ab0cbcb
- Size
  
  2.0MB
- MD5
  
  b57b4446a7f7d2d08a170c840d0a8fac
- SHA1
  
  d28354692c19ab2f086e58cacfe243459b7101f2
- SHA256
  
  9033440bfb88d62a6fec03431166efa6676bd75ec2c44930ebdb919a4ab0cbcb
- SHA512
  
  35aeca6a8eeb2561e1dd110e744495bebd4e3ff8249bfee9a6d6177727d62a202c4ccfe2671328ea9f78df07e024d2e0a27105e678826627cabb6cfb4f06e816
- SSDEEP
  
  24576:W8ucD+6Jx3PWU8SDxkyWTzCAIu5yaC+3Zi56Hfmqz1vh:WD6L3PGxCflSo56mqz1
Score

10^/10

cobaltstrike 0 305419896 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cobaltstrike0305419896backdoortrojan

behavioral2

cobaltstrike0305419896backdoortrojan