cobaltstrike | 0abffe828d2eb7e3afd05070cd31f109e85279619df66f536fcd0ad0e42cc315

Analysis

max time kernel
133s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 14:51

Target

0abffe828d2eb7e3afd05070cd31f109e85279619df66f536fcd0ad0e42cc315.exe
Size

14KB
MD5

3d190541758e0f39bbe43700e8445d9f
SHA1

72d168679f3bc5977b7cf8dd81e712bae4c64b83
SHA256

0abffe828d2eb7e3afd05070cd31f109e85279619df66f536fcd0ad0e42cc315
SHA512

2fc3a2c89325842b3c019fba36fa4389e3312f6ac955939550776319ce017b8480941406c8a7994e9e86a9335bc78927140fec57779b5fcb9d5fd9c32e2478f6
SSDEEP

192:wO8CyIeAUKLeADlDp16N8feKr0h8syciISeKX83e3Q5tfgo7:wvueA/Lv/16+GKlsycVKN3c

Score

10^/10

Family

cobaltstrike

http://3.122.237.166:4443/HEbn

Attributes

user_agent
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2096	0abffe828d2eb7e3afd05070cd31f109e85279619df66f536fcd0ad0e42cc315.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1244	Explorer.EXE

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 1244	2096	0abffe828d2eb7e3afd05070cd31f109e85279619df66f536fcd0ad0e42cc315.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:1244
- C:\Users\Admin\AppData\Local\Temp\0abffe828d2eb7e3afd05070cd31f109e85279619df66f536fcd0ad0e42cc315.exe
  "C:\Users\Admin\AppData\Local\Temp\0abffe828d2eb7e3afd05070cd31f109e85279619df66f536fcd0ad0e42cc315.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2096

memory/1244-1-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/1244-0-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download