cobaltstrike

Sharing

Copy URL Twitter E-mail

General

Target

a7ad83b26f4ec2b3f42dd4db7d979a87.hta
Size

7KB
Sample

240825-lzgw7syald
MD5

a7ad83b26f4ec2b3f42dd4db7d979a87
SHA1

d643f410e4aa5f17f8a7558a36e6eac4942ef09e
SHA256

2d2e79ecc89830b11ecc30cf9a164e53a87a222d26d46cce373f0feacf07e7b1
SHA512

3299f636790161db1c2fb9bba79b7958b2dfa54a799fdbe3853fc605f49560e334f404395c14dd792f18b08ff85f6fb262cb59f0bed1af11d2643d449e04f749
SSDEEP

192:W9JiHu2IepBfpsvWMa5JnhsN2MW9+cWFA/SBPEzbNljZtphqz2C:Bu2sWMa3yNLcWFA/B37jrphLC

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

1234567890

http://ntkdnj.oy4wvawf.pro:80/functionalStatus/SpSsrJtSGP21e9h7YTLyk9p87TIXIrl61FmTJ5a

Attributes

access_type
512
host
ntkdnj.oy4wvawf.pro,/functionalStatus/SpSsrJtSGP21e9h7YTLyk9p87TIXIrl61FmTJ5a
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi1VUwAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAHAAAAAAAAAAgAAAAFAAAAAV8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAATQWNjZXB0LUxhbmd1YWdlOiBlbgAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAHAAAAAQAAAAgAAAAFAAAAGmluY2x1ZGVNZWV0aW5nc0lDb29yZ2FuaXplAAAABwAAAAAAAAAIAAAABQAAABNpbmNsdWRlQ29vcmdhbml6ZXJzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
GET
jitter
7680
polling_time
28000
port_number
80
sc_process32
%windir%\syswow64\gpupdate.exe
sc_process64
%windir%\sysnative\gpupdate.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkARJ+n9oRo8sY9mQCamP572Hxg3AMnGIcdTNy/bG4ZPJCbKQR2FeGXsYPL29KLSJEjBW3/5SiPCwdk639V4QjfYyesOWLmjIVt7MeSMaEjPjVZl6WAsiJctT9iQHykdXSaFZSgUOZXQUkIOvz+eLrkQ5iYZIKd5+a+Yc7V36MywIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
9.06174464e+08
unknown2
AAAABAAAAAEAAAAIAAAAAQAAAAgAAAABAAAACgAAAAEAAAAGAAAAAQAAAAsAAAABAAAAIQAAAAEAAABFAAAAAQAAADcAAAABAAAAQwAAAAEAAAAbAAAAAQAAAA8AAAABAAAAGQAAAAEAAAAgAAAAAQAAAEgAAAACAAAAEAAAAAIAAAARAAAAAgAAAAsAAAACAAAAHwAAAAIAAABQAAAAAgAAADwAAAACAAAANgAAAAIAAABFAAAAAgAAACYAAAACAAAACAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
1.610612736e+09
uri
/rest/2/meetings9WTi1RiLyUd9TFd0V2S5aNlQSsAES5oqCoVCY1Txq
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
watermark
1234567890

Targets

- Target
  
  a7ad83b26f4ec2b3f42dd4db7d979a87.hta
- Size
  
  7KB
- MD5
  
  a7ad83b26f4ec2b3f42dd4db7d979a87
- SHA1
  
  d643f410e4aa5f17f8a7558a36e6eac4942ef09e
- SHA256
  
  2d2e79ecc89830b11ecc30cf9a164e53a87a222d26d46cce373f0feacf07e7b1
- SHA512
  
  3299f636790161db1c2fb9bba79b7958b2dfa54a799fdbe3853fc605f49560e334f404395c14dd792f18b08ff85f6fb262cb59f0bed1af11d2643d449e04f749
- SSDEEP
  
  192:W9JiHu2IepBfpsvWMa5JnhsN2MW9+cWFA/SBPEzbNljZtphqz2C:Bu2sWMa3yNLcWFA/B37jrphLC
Score

10^/10

cobaltstrike 1234567890 backdoor discovery execution trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Checks computer location settings

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2