cobaltstrike | aa75cd7b34d75a9c0723a9908d77fa57c370b62c5cad4e7bcce1369620c35fb2

Analysis

max time kernel
141s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa75cd7b34d75a9c0723a9908d77fa57c370b62c5cad4e7bcce1369620c35fb2.exe
Size

5.8MB
MD5

10768497c987dce8b6ea442cde8749a9
SHA1

cf26cecc487f4554f8577d6c9b24d76a3993c174
SHA256

aa75cd7b34d75a9c0723a9908d77fa57c370b62c5cad4e7bcce1369620c35fb2
SHA512

1c66c3430866a908afba1227f1616bb6f3356aa510798df92b0c852405d9bc9f6e9258c32f7d2e8e3bb0cc4f2cacca0167bfab81487a3387c1f08158cdaca5f5
SSDEEP

98304:0LNWgGAVE7wRhI3l72Qj1oWBg+uoQs+YX5dfX/Rx+HCITxat9MR:0Qg3VE7wfI9jCgYBYvL+iITxavM

Score

10^/10

cobaltstrike backdoor trojan upx

Malware Config

Extracted

Family

cobaltstrike

http://47.239.207.143:8888/q4fR

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; XBLWP7; ZuneWP7)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 4 IoCs

pid	Process
5048	aa75cd7b34d75a9c0723a9908d77fa57c370b62c5cad4e7bcce1369620c35fb2.exe
5048	aa75cd7b34d75a9c0723a9908d77fa57c370b62c5cad4e7bcce1369620c35fb2.exe
5048	aa75cd7b34d75a9c0723a9908d77fa57c370b62c5cad4e7bcce1369620c35fb2.exe
5048	aa75cd7b34d75a9c0723a9908d77fa57c370b62c5cad4e7bcce1369620c35fb2.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023408-13.dat	upx
behavioral2/memory/5048-17-0x00007FF895C50000-0x00007FF896315000-memory.dmp	upx
behavioral2/files/0x0007000000023400-19.dat	upx
behavioral2/files/0x0007000000023407-23.dat	upx
behavioral2/memory/5048-22-0x00007FF89AFA0000-0x00007FF89AFC5000-memory.dmp	upx
behavioral2/files/0x0007000000023404-32.dat	upx
behavioral2/files/0x0007000000023403-31.dat	upx
behavioral2/files/0x0007000000023402-30.dat	upx
behavioral2/files/0x0007000000023401-29.dat	upx
behavioral2/files/0x00070000000233ff-28.dat	upx
behavioral2/files/0x000700000002340a-27.dat	upx
behavioral2/files/0x0007000000023409-26.dat	upx
behavioral2/files/0x0007000000023406-25.dat	upx
behavioral2/memory/5048-24-0x00007FF89E7C0000-0x00007FF89E7CF000-memory.dmp	upx
behavioral2/memory/5048-36-0x00007FF895C50000-0x00007FF896315000-memory.dmp	upx
behavioral2/memory/5048-37-0x00007FF89AFA0000-0x00007FF89AFC5000-memory.dmp	upx

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 5048	4076	aa75cd7b34d75a9c0723a9908d77fa57c370b62c5cad4e7bcce1369620c35fb2.exe	82
PID 4076 wrote to memory of 5048	4076	aa75cd7b34d75a9c0723a9908d77fa57c370b62c5cad4e7bcce1369620c35fb2.exe	82

C:\Users\Admin\AppData\Local\Temp\aa75cd7b34d75a9c0723a9908d77fa57c370b62c5cad4e7bcce1369620c35fb2.exe
"C:\Users\Admin\AppData\Local\Temp\aa75cd7b34d75a9c0723a9908d77fa57c370b62c5cad4e7bcce1369620c35fb2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Users\Admin\AppData\Local\Temp\aa75cd7b34d75a9c0723a9908d77fa57c370b62c5cad4e7bcce1369620c35fb2.exe
  "C:\Users\Admin\AppData\Local\Temp\aa75cd7b34d75a9c0723a9908d77fa57c370b62c5cad4e7bcce1369620c35fb2.exe"
  2⤵
  - Loads dropped DLL
  PID:5048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI40762\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40762\_bz2.pyd

Filesize
48KB

MD5
1ed9198c2af425d9aff53e45827be00c

SHA1
8b7ff64ad747b61e61b6fc134f2ea8d5a440723a

SHA256
d46caff7d03604f57a786ed98fdb2d000115c9d8014da3530cc0befbbf8e87fc

SHA512
de67cf02affc90e2d6f49d630f0779751bc4e5ea79d689a9b68908eb3764fb5240d8352fad8e0ed2eb807ce9265e76d137d6463520dfc14475bc615377b07708

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40762\_ctypes.pyd

Filesize
59KB

MD5
57bdc169c362af58a85ef54bc162f756

SHA1
5395ca8a815cd6a4a2ad97d5bef1d56df3df311c

SHA256
31b4b77abef556ef38fdd9fb4261a3b00fc96a53602bbb1cfcc99f0445914bef

SHA512
209ac4498092256e47da1809eab3e8dd0ae2f80c813a49c006b8db5b728e2678012a992ac498b220bea9d24a13f4384125e7ffbc32ee4f91a7bfeac5e226e48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40762\_decimal.pyd

Filesize
107KB

MD5
a64bfceba9819f4b196e00ca3f28cdbc

SHA1
47754a3966cc2d662d02d3419800648dad4e0b9f

SHA256
58a91b718328208ffab5e49b1f3a761eaf1b4e1453f496abd41c81bd9f02e3ab

SHA512
a3b2dece665d20d7635ea64d88bad87adf3aa1fc1e7f65ec087ea240191b514ab5e14e566050a80dc32d10913f1e04d46956286f4653ebc4fdd46cf8e5d0f5fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40762\_hashlib.pyd

Filesize
35KB

MD5
e98bc8b97467b1ecb395dcb3c638d046

SHA1
3b163cdc6bcbc9abe56408202a088b8ee9021044

SHA256
5f4bc5e360a31f5350414347ec9deac37f119606eca436aa48c23a9adf2068a5

SHA512
202dd05c2c717e796a24a0a760cab75780c2c7ff823f0fe32c7e984d0cd2a7c0fa6c8a1c13bf3e52ccc7aaa4594f0e6f5819a9b6d0599d53d65611c09d1ff622

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40762\_lzma.pyd

Filesize
86KB

MD5
ca9435d2077d007b93706ef504f39b8f

SHA1
dc2b6995ad57ebd9a8d62a4dc76b6b4b77b96876

SHA256
404ceda13ebb6a2faa04a712afb72b5f0fa41cf5e51d77f611fdf801db7db6c7

SHA512
a45e7f2f8e41c1183074603b76df95afff655246700d362f5e235ce356841eae6ece953a467adab4505760e00cbe556f1c2e7f1d73efb5563ee9746c1ee42004

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40762\_socket.pyd

Filesize
44KB

MD5
8306bf76d7473304d46e7fadb9014f09

SHA1
248c2ff92cfe2eee7a6d19e1208e1c0155194639

SHA256
db9726a564f9d7d2d2f286b1147d3496df34be349dbde79b4eb1751d11ea7ab5

SHA512
fe6bf7491e075d293109f3f58f81b6bd41e0bbef198101db431263f8b66fb292076c0251fff5212f63386491e5d3cbcff721110a652a62cc3da5b52cd7b6e2a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40762\base_library.zip

Filesize
1.3MB

MD5
fe165df1db950b64688a2e617b4aca88

SHA1
71cae64d1edd9931ef75e8ef28e812e518b14dde

SHA256
071241ac0fd6e733147a71625de5ead3d7702e73f8d1cbebf3d772cbdce0be35

SHA512
e492a6278676ef944363149a503c7fade9d229bddce7afa919f5e72138f49557619b0bdba68f523fffe7fbca2ccfd5e3269355febaf01f4830c1a4cc67d2e513

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40762\libcrypto-3.dll

Filesize
1.6MB

MD5
d02ff53936e80782f26d5d561c0eb7da

SHA1
bb0bf7e3a5ebcc369f0de80fff0105212595cc70

SHA256
2c7196576fb917f9ba26557391d025a5e09bc12037e3704c5ad22ddf7e9a798c

SHA512
9c38389811b3993d063d574fcd250d8e184010cbf4dd0a3b8cf5dc4ac2e1fdc2f458d48174f7d7a139a7821d8bd19a25ff64324b61850a77b315f068d38a4402

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40762\libffi-8.dll

Filesize
29KB

MD5
0aac034efb1509907c8d580b51ad3c4a

SHA1
d5d69211c79ec30a932d0945e776b8fc4c42e383

SHA256
a174a301f6de532aa75bcae9bb038efa29debcc02e70b283bf87ae54d55a729b

SHA512
417c8c1c5e3d2fdf9af4e7585e4eb47a8ff22cdfda91124885406f04137ead8099b1fd70df293eaa5ea251568aad753fc4cdbe5b83420ae9d11af176901ff6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40762\python312.dll

Filesize
1.7MB

MD5
f9903018fa087bd628fb11d3236fdd2b

SHA1
e4cc29241692e969b6d8dcb3a0091fa2f6114096

SHA256
900acd5f4d6c2251fb9a9e9e12428f75acec90d3835b16d1a9eaf48a14cf701d

SHA512
c709f770d6fa5b0747e1044d1de8b3082955797ae9f435f658abd8f1cf52d578c8740a158119f916f4058061098f302f06b5eb5699b4e4199877b91914a41bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40762\select.pyd

Filesize
25KB

MD5
9980eab85625d532100f7b78ab505aa0

SHA1
1d329cb8d646755a0861b10199b5f04d91ddfaf1

SHA256
1dd5b9abbd18890f21b7c7fb15fd1e11b2ae0b48391164cc761bd34d29b0fcc8

SHA512
9196021b2c233d237f6ffed12df8ed5152a58bd709b419e7d6c2d9abb614354957be583948864e25640a7f003954d8e3010adc13402a7f7f94563d19192a8512

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40762\unicodedata.pyd

Filesize
296KB

MD5
8d32264ebc61357dbcfd77617176af96

SHA1
7b4a5dd8015a27e7b1198fb3a9bec0eb5bae74ce

SHA256
8ba0d8ca0607a3eeb5f12e5066bc8703d99fb3af4e399bccc723448785fa4448

SHA512
22883d5b3ad0c7615e4ae0414354ee3e2b77aa3e3dc3d8772d0f57784df32a009cc79a91d00670e9b3c1c989849a3ff18c8062dfa33d3001db1a04a22b53f6e3

Download Submit
memory/5048-17-0x00007FF895C50000-0x00007FF896315000-memory.dmp

Filesize
6.8MB

Download
memory/5048-33-0x000002B94E120000-0x000002B94E121000-memory.dmp

Filesize
4KB

Download
memory/5048-22-0x00007FF89AFA0000-0x00007FF89AFC5000-memory.dmp

Filesize
148KB

Download
memory/5048-24-0x00007FF89E7C0000-0x00007FF89E7CF000-memory.dmp

Filesize
60KB

Download
memory/5048-34-0x000002B94E520000-0x000002B94E920000-memory.dmp

Filesize
4.0MB

Download
memory/5048-35-0x000002B94E920000-0x000002B94E976000-memory.dmp

Filesize
344KB

Download
memory/5048-36-0x00007FF895C50000-0x00007FF896315000-memory.dmp

Filesize
6.8MB

Download
memory/5048-37-0x00007FF89AFA0000-0x00007FF89AFC5000-memory.dmp

Filesize
148KB

Download
memory/5048-41-0x000002B94E920000-0x000002B94E976000-memory.dmp

Filesize
344KB

Download