cobaltstrike | 34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969

General

Target

34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe
Size

6.0MB
MD5

e59cea939446d6c203b80eb6487d0705
SHA1

c912d930360ffd2bf5ff8d79834474be94d91849
SHA256

34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969
SHA512

74dbdc05d267bdb8bcb4088d691eae0cc66f508e4f3bdd5b6b43a26e1f435f1a2a571a3f974f2332c615e342b179de6c379807580ab0fe448b8d907a58fb7c07
SSDEEP

98304:gl6sdECBCgVQWJuhswoYv5eOaVczo0Ahd6y0Naxxv8fqDDAx5rlcgVeRWHtw9ust:gl3/CguWJysVYvsO5oyMxxvjDDAx5rl2

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://209.146.125.199:8889/jquery-3.3.2.slim.min.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 6 IoCs

pid	Process
1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe
1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe
1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe
1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe
1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe
1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1124 set thread context of 5060	1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe	89

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 1124	4768	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe	86
PID 4768 wrote to memory of 1124	4768	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe	86
PID 1124 wrote to memory of 5060	1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe	89
PID 1124 wrote to memory of 5060	1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe	89
PID 1124 wrote to memory of 5060	1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe	89
PID 1124 wrote to memory of 5060	1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe	89
PID 1124 wrote to memory of 5060	1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe	89
PID 1124 wrote to memory of 5060	1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe	89
PID 1124 wrote to memory of 5060	1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe	89
PID 1124 wrote to memory of 5060	1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe	89
PID 1124 wrote to memory of 5060	1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe	89
PID 1124 wrote to memory of 5060	1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe	89
PID 1124 wrote to memory of 5060	1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe	89
PID 1124 wrote to memory of 5060	1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe	89
PID 1124 wrote to memory of 5060	1124	34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe	89

C:\Users\Admin\AppData\Local\Temp\34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe
"C:\Users\Admin\AppData\Local\Temp\34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Local\Temp\34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe
  "C:\Users\Admin\AppData\Local\Temp\34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SYSTEM32\winlogon.exe
    winlogon.exe
    3⤵
    PID:5060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI47682\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47682\_ctypes.pyd

Filesize
120KB

MD5
f1e33a8f6f91c2ed93dc5049dd50d7b8

SHA1
23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

SHA256
9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

SHA512
229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47682\base_library.zip

Filesize
1003KB

MD5
47dda01b3f3799c44a68bc93ed895a47

SHA1
aa2adfb109ea622c9bd46a5493aec49e915ca75b

SHA256
7ffd6a4e7574f52f62285b3e5c3316dd87abb2f0aac7319e3edc32709fd67bf3

SHA512
628554c15dc29f6addd5180697943511d1975a010474b580daeaf430486d71162bd4d70107fc5d623a08e1df10189a9ca894549992845affe703921aa365e526

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47682\libffi-7.dll

Filesize
32KB

MD5
4424baf6ed5340df85482fa82b857b03

SHA1
181b641bf21c810a486f855864cd4b8967c24c44

SHA256
8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

SHA512
8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47682\python38.dll

Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47682\tinyaes.cp38-win_amd64.pyd

Filesize
31KB

MD5
629f76ef6491d11b06133c37692b04d6

SHA1
a55c64556929bb984906a16c3f3c2d425b0712c9

SHA256
83c3532c4355dfe635df4462da7bd767d8c96bf85cb60f80072cec3cf1da24c1

SHA512
f26dfa24bcc34f1958ce2f96db41f7a02ffed6577d18e07efce6ef89773604c257d709150235367e6b8866c536d679b159a6976037e02d2c8e28d321fd49c395

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47682\ucrtbase.dll

Filesize
994KB

MD5
8e7680a8d07c3c4159241d31caaf369c

SHA1
62fe2d4ae788ee3d19e041d81696555a6262f575

SHA256
36cc22d92a60e57dee394f56a9d1ed1655ee9db89d2244a959005116a4184d80

SHA512
9509f5b07588a08a490f4c3cb859bbfe670052c1c83f92b9c3356afa664cb500364e09f9dafac7d387332cc52d9bb7bb84ceb1493f72d4d17ef08b9ee3cb4174

Download Submit
memory/5060-67-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5060-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5060-71-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5060-120-0x00000257A20F0000-0x00000257A20F1000-memory.dmp

Filesize
4KB

Download
memory/5060-123-0x00000257A3F90000-0x00000257A4390000-memory.dmp

Filesize
4.0MB

Download
memory/5060-122-0x00000257A4390000-0x00000257A4802000-memory.dmp

Filesize
4.4MB

Download
memory/5060-124-0x00000257A2490000-0x00000257A2492000-memory.dmp

Filesize
8KB

Download
memory/5060-125-0x00000257A3F90000-0x00000257A4390000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing