cobaltstrike | c0a8855eb78770e71182d082e1206dd6b78775985b957a0990fc4db847e84b07 | Triage

Sharing

General

Target

8f310f399aec79a422d85d25e5c5c79d.virus
Size

203KB
Sample

240917-qcn48athlh
MD5

8f310f399aec79a422d85d25e5c5c79d
SHA1

2545b3188c4d270adaa72c187f014ee8275fa978
SHA256

c0a8855eb78770e71182d082e1206dd6b78775985b957a0990fc4db847e84b07
SHA512

25c1bfaedb31537a88b4e7ed5cef90a67a1d660e544357f706f9ffab47f9b1951fb4459142b894ffd7af1ac7d8b80fe5a140bcc5258ae15fc4575eed8bc384e3
SSDEEP

3072:PYaW8qUEflaASmkDs1oo8CUS5D+u73vqQ+z+F62hAxquMfgj5jdU12B5qb:PFHEfoAaDQoo8CUwxTvhU+F66fgVj3

Score

10^/10

cobaltstrike 1 discovery

Malware Config

Extracted

Family

cobaltstrike

Botnet

1

C2

http://42.192.224.110:8991/pixel

Attributes

access_type
512
beacon_type
2048
host
42.192.224.110,/pixel
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
8991
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCk/uVnsVZq6d+I5ULWZRy+HWPJ2uyQ7b5Q4qjFFU/bMPd4I0NGTqDUy2QsDsAsykytwukWkaXgLFG5j5mSmd2vzCYo+x9KrBDdpm26bIls66GJCRkAZW07Rp5yv6yyvYDQXzsDY2suGGiUnWLXR/rPYLis1M54oRfM6YhPqFUiWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) LBBROWSER
watermark
1

Targets

- Target
  
  8f310f399aec79a422d85d25e5c5c79d.virus
- Size
  
  203KB
- MD5
  
  8f310f399aec79a422d85d25e5c5c79d
- SHA1
  
  2545b3188c4d270adaa72c187f014ee8275fa978
- SHA256
  
  c0a8855eb78770e71182d082e1206dd6b78775985b957a0990fc4db847e84b07
- SHA512
  
  25c1bfaedb31537a88b4e7ed5cef90a67a1d660e544357f706f9ffab47f9b1951fb4459142b894ffd7af1ac7d8b80fe5a140bcc5258ae15fc4575eed8bc384e3
- SSDEEP
  
  3072:PYaW8qUEflaASmkDs1oo8CUS5D+u73vqQ+z+F62hAxquMfgj5jdU12B5qb:PFHEfoAaDQoo8CUwxTvhU+F66fgVj3
Score

3^/10

discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2