Analysis Overview

score

10^/10

SHA256

88c8db0a05c4329187c1d887869ae8786bc912d5b6f9624093ae7b818f42c5d3

Threat Level: Known bad

The file a.exe was found to be: Known bad.

Malicious Activity Summary

cobaltstrike backdoor trojan

Cobaltstrike

Unsigned PE

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 19:41

Signatures

Unsigned PE

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 19:41

Reported

2024-06-14 19:44

Platform

win7-20240611-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Processes

C:\Users\Admin\AppData\Local\Temp\a.exe

"C:\Users\Admin\AppData\Local\Temp\a.exe"

Network

Country	Destination	Domain	Proto
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp

Files

memory/2000-0-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2000-1-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 19:41

Reported

2024-06-14 19:44

Platform

win10v2004-20240611-en

Max time kernel

125s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Processes

C:\Users\Admin\AppData\Local\Temp\a.exe

"C:\Users\Admin\AppData\Local\Temp\a.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4440,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=4452 /prefetch:8

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	13.107.21.237:443	g.bing.com	tcp
NL	23.62.61.97:443	www.bing.com	tcp
GB	161.35.168.216:4444		tcp
US	8.8.8.8:53	237.21.107.13.in-addr.arpa	udp
US	8.8.8.8:53	70.121.18.2.in-addr.arpa	udp
US	8.8.8.8:53	17.53.126.40.in-addr.arpa	udp
US	8.8.8.8:53	97.61.62.23.in-addr.arpa	udp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
GB	161.35.168.216:4444		tcp
US	8.8.8.8:53	103.169.127.40.in-addr.arpa	udp
US	8.8.8.8:53	15.164.165.52.in-addr.arpa	udp
US	8.8.8.8:53	100.58.20.217.in-addr.arpa	udp
IE	52.111.236.22:443		tcp
US	8.8.8.8:53	11.227.111.52.in-addr.arpa	udp
US	8.8.8.8:53	197.121.18.2.in-addr.arpa	udp
US	8.8.8.8:53	37.56.20.217.in-addr.arpa	udp

Files

memory/3328-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/3328-1-0x0000000000400000-0x000000000040C000-memory.dmp

Sample ID	240614-yeb7faxbjm
Target	a.exe
SHA256	88c8db0a05c4329187c1d887869ae8786bc912d5b6f9624093ae7b818f42c5d3
Tags	cobaltstrike backdoor trojan

Malware Analysis Report

2024-08-06 10:27

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files