cobaltstrike | c43ebfc03a8d099b36e41240ffbf43cb643fbf7c853dbdce9e120d94b57a4caf

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c43ebfc03a8d099b36e41240ffbf43cb643fbf7c853dbdce9e120d94b57a4caf.exe
Size

4.4MB
MD5

02aa3f218913553e53da29b3c7f42779
SHA1

52dfb94511d148a74a6d2332139b0a07712ecef0
SHA256

c43ebfc03a8d099b36e41240ffbf43cb643fbf7c853dbdce9e120d94b57a4caf
SHA512

61472721c92d9cf264cf172904a2fb9f2dfbb3e481b83fa695a104ff0489ad56a9a89916c1f1336acdfee7c92ff69f42881c1ab60d7ba626b8467c9a8071cde0
SSDEEP

98304:6hLss/rNSWuNs1C4jE/eZRYyeq1shE9AxMbm+y03Q/mOmuq:Mss/rNos1CIE/3pq11Xi+BNX

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://192.168.8.225:8443/jquery-3.3.2.slim.min.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Executes dropped EXE 1 IoCs

pid	Process
4296	main.exe

Loads dropped DLL 4 IoCs

pid	Process
4296	main.exe
4296	main.exe
4296	main.exe
4296	main.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 4296	3268	c43ebfc03a8d099b36e41240ffbf43cb643fbf7c853dbdce9e120d94b57a4caf.exe	84
PID 3268 wrote to memory of 4296	3268	c43ebfc03a8d099b36e41240ffbf43cb643fbf7c853dbdce9e120d94b57a4caf.exe	84

C:\Users\Admin\AppData\Local\Temp\c43ebfc03a8d099b36e41240ffbf43cb643fbf7c853dbdce9e120d94b57a4caf.exe
"C:\Users\Admin\AppData\Local\Temp\c43ebfc03a8d099b36e41240ffbf43cb643fbf7c853dbdce9e120d94b57a4caf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Users\Admin\AppData\Local\Temp\onefile_3268_133702185795046535\main.exe
  C:\Users\Admin\AppData\Local\Temp\c43ebfc03a8d099b36e41240ffbf43cb643fbf7c853dbdce9e120d94b57a4caf.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
123KB

MD5
8adb1345c717e575e6614e163eb62328

SHA1
f1ee3fff6e06dc4f22a5eb38c09c54580880e0a3

SHA256
65edc348db42347570578b979151b787ceebfc98e0372c28116cc229494a78a8

SHA512
0f11673854327fd2fcd12838f54c080edc4d40e4bcb50c413fe3f823056d189636dc661ea79207163f966719bf0815e1ffa75e2fb676df4e56ed6321f1ff6cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3268_133702185795046535\main.exe

Filesize
4.4MB

MD5
f0922d4f370353a290ce46514138ced8

SHA1
622a1969035d793b3edae530e78621f4e61fff91

SHA256
be5c6ebdab4a221736cafd1e6cab7aebaa4106d5554825ec0c4c8e62af8a966d

SHA512
bb6079b8031473744e3bfb5d4009c020ff7cdf625ef68d6c595704d9bdc8c132f3facb30c6d91a60d6a46a773ae8ca5649856a8ba5a001987428d3565ef444e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3268_133702185795046535\python38.dll

Filesize
4.0MB

MD5
1f2688b97f9827f1de7dfedb4ad2348c

SHA1
a9650970d38e30835336426f704579e87fcfc892

SHA256
169eeb1bdf99ed93ca26453d5ca49339e5ae092662cd94cde09fbb10046f83fc

SHA512
27e56b2d73226e36b0c473d8eb646813997cbdf955397d0b61fcae37ed1f2c3715e589f9a07d909a967009ed2c664d14007ccf37d83a7df7ce2a0fefca615503

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3268_133702185795046535\vcruntime140.dll

Filesize
99KB

MD5
18571d6663b7d9ac95f2821c203e471f

SHA1
3c186018df04e875d6b9f83521028a21f145e3be

SHA256
0b040a314c19ff88f38fd9c89dca2d493113a6109adb8525733c3f6627da888f

SHA512
c8cbca1072b8cb04f9d82135c91ff6d7a539cb7a488671cecb6b5e2f11a4807f47ad9af5a87ebee44984ab71d7c44fc87850f9d04fd2c5019ec1b6a1b483ca21

Download Submit
memory/3268-23-0x00007FF6D35C0000-0x00007FF6D3A5B000-memory.dmp

Filesize
4.6MB

Download
memory/4296-22-0x000001FD5B160000-0x000001FD5B161000-memory.dmp

Filesize
4KB

Download
memory/4296-24-0x00007FF76A630000-0x00007FF76AA9E000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads