cobaltstrike | 50bb137dc5dc91ece4a31d01787c0db3361853f2e7b559ff731c05d102bec0ca

Analysis

max time kernel
132s
max time network
144s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 11:22

Target

Users/wilmer.coughlin/AppData/Local/Temp/C618.tmp.dll
Size

292KB
MD5

9abf8579ed3b6e5d3d43b408509a53db
SHA1

63ee039a478e23a505bc889cc74e7693ebe51891
SHA256

cc74f7e82eb33a14ffdea343a8975d8a81be151ffcb753cb3f3be10242c8a252
SHA512

878add89cc7fc1d88f66c0704a66c202191382e4206e6e156f5bf0205d9b136d341c38686dc7d4a36615cfc45937841b30bcbc1b1036084bcce2e8501c6903ce
SSDEEP

6144:lV9H07z+CLXF0AYlHsGSD5E4Ck2oh66/px:lzHqtLyAtG0Ck2ozv

Score

10^/10

Family

cobaltstrike

http://217.12.218.46:80/YPbR

Attributes

user_agent
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

3 1940 rundll32.exe
6 1940 rundll32.exe
8 1940 rundll32.exe
9 1940 rundll32.exe
10 1940 rundll32.exe
11 1940 rundll32.exe
12 1940 rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Users\wilmer.coughlin\AppData\Local\Temp\C618.tmp.dll,#1
1⤵
- Blocklisted process makes network request
PID:1940

memory/1940-0-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download