cobaltstrike | 7a5fdc1afaadd9d3673b922c45d65061b0ac01f9ffce6b0aec1126d843561f72[.]dump[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

7a5fdc1afaadd9d3673b922c45d65061b0ac01f9ffce6b0aec1126d843561f72.dump.zip
Size

337KB
MD5

e1351d74d42c954975b1e0c24b5723b4
SHA1

24ca58ad3cc4c823dd7bb8c58f31ed73e1040a5c
SHA256

c276d6dda3640eaa681133c07e03de0c85ba07776911edfea172f8afae9bbaf2
SHA512

33f7a74aec3de3624fe7f3171e82be1e3a2a16f1e00ee21ff9da144b69a9a5c8f19e501376a1e4badc5d0d52182fd045d4de141360e2072161a00dbbb875a593
SSDEEP

6144:SQxIRlF876TZo+zwd7nzO7ldX41Q1DnjJ98pjCHplBkhYH/FsfUgETw:9xIRc6i+27nSpZ42VlmAJlaCwkTw

Score

10^/10

99999 cobaltstrike

Malware Config

Extracted

Family

cobaltstrike

Botnet

99999

http://media.jinsixian.cn:443/archive/static/images/common/phone.svg

http://36.249.64.101:443/common/advertisement/Fixed/float/smile.svg

Attributes

access_type
512
beacon_type
2048
host
media.jinsixian.cn,/archive/static/images/common/phone.svg,36.249.64.101,/common/advertisement/Fixed/float/smile.svg
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
5120
polling_time
10000
port_number
443
sc_process32
%windir%\syswow64\gpupdate.exe
sc_process64
%windir%\sysnative\gpupdate.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCr2h6f62bypBz8Ag0JxqYycgQM+rf0Iex3z0ANJMPtzmU8sjXhynjEKRIdAjZ2eH4kSLh1T54Z2qZOwNn2Fzqw9zxDzAhz6UMlTxVuvDCw2iVYn9NW8bAq0+q2OwtwKtzrMZviI8i48h6p/8bcVovFqSCvwfyDXHAT3amy8tIaHQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/api/ca/v1/template
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/151.758.0.84 Safari/537.36 Edg/111.0.1662.35
watermark
99999

Signatures

Cobaltstrike family
cobaltstrike

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/win10_1903_x64_2016_7a5fdc1afaadd9d3673b922c45d65061b0ac01f9ffce6b0aec1126d843561f72_1721630556.memdump/2bd35e395bb55f35_5324_99344602821825442024

Files

7a5fdc1afaadd9d3673b922c45d65061b0ac01f9ffce6b0aec1126d843561f72.dump.zip
.zip
win10_1903_x64_2016_7a5fdc1afaadd9d3673b922c45d65061b0ac01f9ffce6b0aec1126d843561f72_1721630556.memdump/08702024a4ce75e1_5324_1296792223825442024
win10_1903_x64_2016_7a5fdc1afaadd9d3673b922c45d65061b0ac01f9ffce6b0aec1126d843561f72_1721630556.memdump/2bd35e395bb55f35_5324_99344602821825442024
.exe windows:6 windows x64 arch:x64

8b11c76bc5d790e0a7cf598f557ad0fe

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

VirtualProtect
Sleep
GetCommandLineA
IsDebuggerPresent
IsProcessorFeaturePresent
GetLastError
SetLastError
GetCurrentThreadId
EncodePointer
DecodePointer
ExitProcess
GetModuleHandleExW
GetProcAddress
MultiByteToWideChar
GetStdHandle
WriteFile
GetModuleFileNameW
GetProcessHeap
GetFileType
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InitOnceExecuteOnce
GetStartupInfoW
GetModuleFileNameA
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetTickCount64
GetEnvironmentStringsW
FreeEnvironmentStringsW
WideCharToMultiByte
RtlUnwindEx
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetCurrentProcess
TerminateProcess
GetModuleHandleW
EnterCriticalSection
LeaveCriticalSection
HeapFree
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
LoadLibraryExW
OutputDebugStringW
LoadLibraryW
HeapAlloc
HeapReAlloc
GetStringTypeW
HeapSize
LCMapStringEx
FlushFileBuffers
GetConsoleCP
GetConsoleMode
SetStdHandle
SetFilePointerEx
WriteConsoleW
CloseHandle
CreateFileW

crypt32

CertEnumSystemStore

Sections

.text
Size: 27KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 273KB - Virtual size: 276KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 163KB - Virtual size: 164KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
win10_1903_x64_2016_7a5fdc1afaadd9d3673b922c45d65061b0ac01f9ffce6b0aec1126d843561f72_1721630556.memdump/4cdebf40ecc1da77_5324_51682862821825442024
win10_1903_x64_2016_7a5fdc1afaadd9d3673b922c45d65061b0ac01f9ffce6b0aec1126d843561f72_1721630556.memdump/67dfd8a9ac0322bc_5396_12784989323825442024
win10_1903_x64_2016_7a5fdc1afaadd9d3673b922c45d65061b0ac01f9ffce6b0aec1126d843561f72_1721630556.memdump/c1bc9431e76c5866_5324_3757254223825442024

Sharing

General

Malware Config

Extracted

Signatures

Files

8b11c76bc5d790e0a7cf598f557ad0fe

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

crypt32

Sections

.text Size: 27KB - Virtual size: 28KB

.rdata Size: 11KB - Virtual size: 12KB

.data Size: 273KB - Virtual size: 276KB

.pdata Size: 2KB - Virtual size: 4KB

.rsrc Size: 163KB - Virtual size: 164KB

.reloc Size: 512B - Virtual size: 1KB

.text
Size: 27KB - Virtual size: 28KB

.rdata
Size: 11KB - Virtual size: 12KB

.data
Size: 273KB - Virtual size: 276KB

.pdata
Size: 2KB - Virtual size: 4KB

.rsrc
Size: 163KB - Virtual size: 164KB

.reloc
Size: 512B - Virtual size: 1KB