cobaltstrike | d102da0713f9bacdd51f4de57fed6f784627fc6b6847880c1d8c456de0960e39 | Triage

Sharing

General

Target

d102da0713f9bacdd51f4de57fed6f784627fc6b6847880c1d8c456de0960e39
Size

851KB
Sample

240919-gwfgrathqe
MD5

3600778424ebd63caeb9c9f4dcc379a5
SHA1

ca7c0eea6f030b5b202103ca17732c61763129c4
SHA256

d102da0713f9bacdd51f4de57fed6f784627fc6b6847880c1d8c456de0960e39
SHA512

33cfba08ae0ba28bbba1c5793b3070be7a763080479b39a56f4db90b72b245736b212c194416a882802505bfee7104a1c0e7360b560274e7c4c11089416ec6fe
SSDEEP

12288:YLI/som2uwsU6zsAsqf0X8UgJDN0Nb9P0Dx3g/ussKzUg/uXr5GLpY3yda+z6pfw:YL6gU7XvkqsDp0UKzFuXr5GLe+epfBO

Score

10^/10

cobaltstrike 100000000 backdoor discovery trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://47.96.143.9:443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
47.96.143.9,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiCXi2enAfUbSymKo7NAw86DmRYV5NVIanYn5yt+4Mla4aWCDEOO3NOWwpF1n0fXSCo97gDGWBTUQxOMSVow+8+h/QuWnWnrCHvc0LOajXnqIIdJF4djOHGJe/F0gr9du5XjGg82R65fgkESOW7uRLYH8T5x9JH1MVS+3pNNUbkwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
100000000

Targets

- Target
  
  ‮xcod.采购意向.scr
- Size
  
  762KB
- MD5
  
  ff42ab9c0226bf0e7ec3c4570ff56306
- SHA1
  
  4203cb13abd29179370420524d9767b287da5d7b
- SHA256
  
  b06e383203e421f8726627694cf13431aa7e8f4c26270ee687548de0488bce22
- SHA512
  
  1a6b7154700e7f1c0da5e266d1cda44f72a0934dcec1a5895d79a906092ada49da4d8580a7f0e992cdfc89517910314ad774a79b36994677dc1cef85d8dc81a2
- SSDEEP
  
  6144:KKv8MuGM08RgAEe/XfMbAt0RAwK7el7nBFRDtPqw+dN6vGZwGdijZ2M:dZucAdPt0RAwKoRDtyw+dN6awMM
Score

10^/10

cobaltstrike 100000000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral1 behavioral2
- Target
  
  关于八一钢铁2024采购计划.docx
- Size
  
  11KB
- MD5
  
  0e9ba768822ad62403ad09049f0b4a63
- SHA1
  
  95465c4e44659585f75ebcf7f6ceecb217077a37
- SHA256
  
  044ca73c6c156559060a96c53694ade0d9f2ca86b9ecace8cb0e96f66735d5da
- SHA512
  
  837e57cda68703913ccd8d4ad24212d7425290a2a1f158871f908f554ed07d64db02ef92fe4a7506897af249a423a4fd68c6d95528faac853a9148dc8d895d4b
- SSDEEP
  
  192:EgGI8N5wMKAsHrg67XApU53ZGND1BC/f/wlOA6BlwRF8DFeeG2p2EJrmsvAM3JOx:w/zNsHj7XSEpGND10IGBla8heeG1armF
Score

4^/10

discovery
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cobaltstrike100000000backdoortrojan

behavioral2

cobaltstrike100000000backdoortrojan

behavioral3

behavioral4