cobaltstrike | 06628a60c43fe5745b9071c233c7e42becdf62ecc49b90b00b5a7a8c7c0f5227

Sharing

Copy URL Twitter E-mail

General

Target

06628a60c43fe5745b9071c233c7e42becdf62ecc49b90b00b5a7a8c7c0f5227
Size

259KB
MD5

22fab4a2176cc5ccd09c605e40414ed0
SHA1

486ac0f9e89de579f40bc56810c862d1d9bfe3cf
SHA256

06628a60c43fe5745b9071c233c7e42becdf62ecc49b90b00b5a7a8c7c0f5227
SHA512

0ebb4068722e38be3912f11307604c712353a28244dadf7c005a91dad9a6fc2023c3c54043c245b9616892674fd3077e40b4dc3ad233678b381e92afacf7ab8a
SSDEEP

6144:PEG8ciDtrGClrjr4OVMvvOJJMmGMmw9IAbBQH/:sQiDtrbxjr1VMvv4JMJMPIAbBm

Score

10^/10

99999 cobaltstrike

Malware Config

Extracted

Family

cobaltstrike

Botnet

99999

http://tmscos.faw-vw.com:443/cosmic-shop/cache/static/index.css

http://211.90.133.161:443/img/flexible/logo/pc/result.svg

Attributes

access_type
512
beacon_type
2048
host
tmscos.faw-vw.com,/cosmic-shop/cache/static/index.css,211.90.133.161,/img/flexible/logo/pc/result.svg
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
5120
polling_time
10000
port_number
443
sc_process32
%windir%\syswow64\gpupdate.exe
sc_process64
%windir%\sysnative\gpupdate.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqmsNrb6oQDaRHxwG79cpPI5VgVtChwCO4mmKyPlrpCsz/ZzB2wDCee/DAYUV+ZIrCjfBdZ+6ymyRE683PbzP/Oa0rd8hM3rS8K6XDcFZaCtsG8LFw2FmPJfnKvuaT2Z1WtrMNJj/Ntg18UpnEmvdvK9Oo1NVZZI+Ro+B1RSJ3ewIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/api/comment/v3/comment/list
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.567.0.120 Safari/537.36 Edg/109.2566.0.54
watermark
99999

Signatures

Cobaltstrike family
cobaltstrike

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
06628a60c43fe5745b9071c233c7e42becdf62ecc49b90b00b5a7a8c7c0f5227

Files

06628a60c43fe5745b9071c233c7e42becdf62ecc49b90b00b5a7a8c7c0f5227
.dll windows:5 windows x64 arch:x64

75b699ff41c6086060b20466ba2e54ea

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_SYSTEM
IMAGE_FILE_DLL
IMAGE_FILE_UP_SYSTEM_ONLY

Imports

��

��
��
��=��
��
��
��
��
��
��
��
��+��
��+��
��
��
��
��
��p
��`��Â��
��Â��
��
��
��
��
��
��񐭢��
��񅪱��񍦻��
��񍦻��
��
��
��
��É
��É
��
��'��À��
��À��
��
��Ï��È
��È
��
��
��
��
��n��
��
��
��
��
��
��
��f��
��
��
��Û��
��
��񅪱��
��񍦻��
��
��
��
��
��
��
��
��
��
��
��Z��
��i��Z��
��
��
��
��
��
��]��
��4��]��
��
��
��
��
��ô��
��e��ô��
��
��>��
��
��
��a��
��Ï
��
��
��
��
��
��
��
��Ì��
��
��
��
��
��Á
��
��
��
��
��
��
��à��
�� à��
��
��
��L��
��
��
��
��À��Ì��
��Ì��
��Ì��
��
��
��
��
��
��
��
��
��
��
��
��
��
��
��
��
��j��
��j��
��j��
��
��
��
��x�� à��
��x�� à��
��
��
��ð
��
��
��
��
��
��É��
��Ð��É��
��
��
��
��
��d��
��~
��
��{
��s��{
��Ö��s��{
��

��6

��
��q
��
��
��
��
��W
��
��
��
��
��k

��

ord19
ord4
��
��
ord23
ord115
ord3
ord14
ord9
ord8
ord52
ord15
ord10
ord16
ord22
ord111
ord151
ord1
ord2
ord13
ord18
ord116

Exports

Exports

ExportModules

Sections

��
Size: 174KB - Virtual size: 173KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

��
Size: 62KB - Virtual size: 62KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

��
Size: 9KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

��
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

��
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

75b699ff41c6086060b20466ba2e54ea

Headers

DLL Characteristics

File Characteristics

Imports

�������������

������������6

�����������

Exports

Exports

Sections

������ Size: 174KB - Virtual size: 173KB

������� Size: 62KB - Virtual size: 62KB

������ Size: 9KB - Virtual size: 52KB

������� Size: 8KB - Virtual size: 8KB

������� Size: 4KB - Virtual size: 3KB

��

��6

��

��
Size: 174KB - Virtual size: 173KB

��
Size: 62KB - Virtual size: 62KB

��
Size: 9KB - Virtual size: 52KB

��
Size: 8KB - Virtual size: 8KB

��
Size: 4KB - Virtual size: 3KB