cobaltstrike | 34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969

General

Target

TelegramDesktop.exe
Size

6.0MB
MD5

e59cea939446d6c203b80eb6487d0705
SHA1

c912d930360ffd2bf5ff8d79834474be94d91849
SHA256

34e30b18fd4482861916227495ef07e817252cc74571e9eb081e71c07118e969
SHA512

74dbdc05d267bdb8bcb4088d691eae0cc66f508e4f3bdd5b6b43a26e1f435f1a2a571a3f974f2332c615e342b179de6c379807580ab0fe448b8d907a58fb7c07
SSDEEP

98304:gl6sdECBCgVQWJuhswoYv5eOaVczo0Ahd6y0Naxxv8fqDDAx5rlcgVeRWHtw9ust:gl3/CguWJysVYvsO5oyMxxvjDDAx5rl2

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://209.146.125.199:8889/jquery-3.3.2.slim.min.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 6 IoCs

pid	Process
4932	TelegramDesktop.exe
4932	TelegramDesktop.exe
4932	TelegramDesktop.exe
4932	TelegramDesktop.exe
4932	TelegramDesktop.exe
4932	TelegramDesktop.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4932 set thread context of 3156	4932	TelegramDesktop.exe	84

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 4932	1028	TelegramDesktop.exe	83
PID 1028 wrote to memory of 4932	1028	TelegramDesktop.exe	83
PID 4932 wrote to memory of 3156	4932	TelegramDesktop.exe	84
PID 4932 wrote to memory of 3156	4932	TelegramDesktop.exe	84
PID 4932 wrote to memory of 3156	4932	TelegramDesktop.exe	84
PID 4932 wrote to memory of 3156	4932	TelegramDesktop.exe	84
PID 4932 wrote to memory of 3156	4932	TelegramDesktop.exe	84
PID 4932 wrote to memory of 3156	4932	TelegramDesktop.exe	84
PID 4932 wrote to memory of 3156	4932	TelegramDesktop.exe	84
PID 4932 wrote to memory of 3156	4932	TelegramDesktop.exe	84
PID 4932 wrote to memory of 3156	4932	TelegramDesktop.exe	84
PID 4932 wrote to memory of 3156	4932	TelegramDesktop.exe	84
PID 4932 wrote to memory of 3156	4932	TelegramDesktop.exe	84
PID 4932 wrote to memory of 3156	4932	TelegramDesktop.exe	84
PID 4932 wrote to memory of 3156	4932	TelegramDesktop.exe	84

C:\Users\Admin\AppData\Local\Temp\TelegramDesktop.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramDesktop.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Local\Temp\TelegramDesktop.exe
  "C:\Users\Admin\AppData\Local\Temp\TelegramDesktop.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\SYSTEM32\winlogon.exe
    winlogon.exe
    3⤵
    PID:3156

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI10282\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\_ctypes.pyd

Filesize
120KB

MD5
f1e33a8f6f91c2ed93dc5049dd50d7b8

SHA1
23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

SHA256
9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

SHA512
229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\base_library.zip

Filesize
1003KB

MD5
47dda01b3f3799c44a68bc93ed895a47

SHA1
aa2adfb109ea622c9bd46a5493aec49e915ca75b

SHA256
7ffd6a4e7574f52f62285b3e5c3316dd87abb2f0aac7319e3edc32709fd67bf3

SHA512
628554c15dc29f6addd5180697943511d1975a010474b580daeaf430486d71162bd4d70107fc5d623a08e1df10189a9ca894549992845affe703921aa365e526

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\libffi-7.dll

Filesize
32KB

MD5
4424baf6ed5340df85482fa82b857b03

SHA1
181b641bf21c810a486f855864cd4b8967c24c44

SHA256
8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

SHA512
8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\python38.dll

Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\tinyaes.cp38-win_amd64.pyd

Filesize
31KB

MD5
629f76ef6491d11b06133c37692b04d6

SHA1
a55c64556929bb984906a16c3f3c2d425b0712c9

SHA256
83c3532c4355dfe635df4462da7bd767d8c96bf85cb60f80072cec3cf1da24c1

SHA512
f26dfa24bcc34f1958ce2f96db41f7a02ffed6577d18e07efce6ef89773604c257d709150235367e6b8866c536d679b159a6976037e02d2c8e28d321fd49c395

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\ucrtbase.dll

Filesize
994KB

MD5
8e7680a8d07c3c4159241d31caaf369c

SHA1
62fe2d4ae788ee3d19e041d81696555a6262f575

SHA256
36cc22d92a60e57dee394f56a9d1ed1655ee9db89d2244a959005116a4184d80

SHA512
9509f5b07588a08a490f4c3cb859bbfe670052c1c83f92b9c3356afa664cb500364e09f9dafac7d387332cc52d9bb7bb84ceb1493f72d4d17ef08b9ee3cb4174

Download Submit
memory/3156-71-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3156-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3156-67-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3156-119-0x00000221B2400000-0x00000221B2401000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing