cobaltstrike | e92428cd1087549e68a396dfda0ddef779c795fabe667ea10ffb170401aab564

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e92428cd1087549e68a396dfda0ddef779c795fabe667ea10ffb170401aab564.exe
Size

8.3MB
MD5

96df6f1ada165bb37a325728adea3295
SHA1

06a1fd8c4d6061e8fd1d90a9630efb7a344edf62
SHA256

e92428cd1087549e68a396dfda0ddef779c795fabe667ea10ffb170401aab564
SHA512

ee4985dee1d398314d1c591abffe02faf5c506cbf263eba3dbd23ed0260cf820e6aa08c472a4909dd77f1c556d286836c077f270dbd086286e98450741dae8bb
SSDEEP

196608:WBCTgXMCHGLLc54i1wN+ojXx5nDasqWQ2dTNUGOSEhlcQPzZNP:4CsXMCHWUjAjx5WsqWxTR0HLP

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://124.70.99.224:8093/jquery-3.3.2.slim.min.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 6 IoCs

pid	Process
3828	e92428cd1087549e68a396dfda0ddef779c795fabe667ea10ffb170401aab564.exe
3828	e92428cd1087549e68a396dfda0ddef779c795fabe667ea10ffb170401aab564.exe
3828	e92428cd1087549e68a396dfda0ddef779c795fabe667ea10ffb170401aab564.exe
3828	e92428cd1087549e68a396dfda0ddef779c795fabe667ea10ffb170401aab564.exe
3828	e92428cd1087549e68a396dfda0ddef779c795fabe667ea10ffb170401aab564.exe
3828	e92428cd1087549e68a396dfda0ddef779c795fabe667ea10ffb170401aab564.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 3828	1364	e92428cd1087549e68a396dfda0ddef779c795fabe667ea10ffb170401aab564.exe	83
PID 1364 wrote to memory of 3828	1364	e92428cd1087549e68a396dfda0ddef779c795fabe667ea10ffb170401aab564.exe	83

C:\Users\Admin\AppData\Local\Temp\e92428cd1087549e68a396dfda0ddef779c795fabe667ea10ffb170401aab564.exe
"C:\Users\Admin\AppData\Local\Temp\e92428cd1087549e68a396dfda0ddef779c795fabe667ea10ffb170401aab564.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\e92428cd1087549e68a396dfda0ddef779c795fabe667ea10ffb170401aab564.exe
  "C:\Users\Admin\AppData\Local\Temp\e92428cd1087549e68a396dfda0ddef779c795fabe667ea10ffb170401aab564.exe"
  2⤵
  - Loads dropped DLL
  PID:3828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI13642\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\_ctypes.pyd

Filesize
122KB

MD5
5377ab365c86bbcdd998580a79be28b4

SHA1
b0a6342df76c4da5b1e28a036025e274be322b35

SHA256
6c5f31bef3fdbff31beac0b1a477be880dda61346d859cf34ca93b9291594d93

SHA512
56f28d431093b9f08606d09b84a392de7ba390e66b7def469b84a21bfc648b2de3839b2eee4fb846bbf8bb6ba505f9d720ccb6bb1a723e78e8e8b59ab940ac26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\base_library.zip

Filesize
1.6MB

MD5
8b2701da48722fd8c9db246a50cb2a1f

SHA1
d2059fc0269c9cbddee4eac8830bb64bb47e8bd5

SHA256
fc53eb0f976232cc91bc7e6e59974d9e42f936759eb766c0350c0c996a5ad4e4

SHA512
c531c8a1e5dd48fd5be57dbd4e017c77453855cd335f03f2cf8bcacc2d2012e30c5fd5f2d3e9fffb3464156298bbe65499bc1c5ee24e3b246042810530d48807

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\python312.dll

Filesize
6.6MB

MD5
166cc2f997cba5fc011820e6b46e8ea7

SHA1
d6179213afea084f02566ea190202c752286ca1f

SHA256
c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

SHA512
49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\tinyaes.cp312-win_amd64.pyd

Filesize
54KB

MD5
cb5a1b882f13366d3afd3fe34c4ccedc

SHA1
befc59a8f748ffb1dd7445363b5e1989ff50cb59

SHA256
e4d03b5e5bde196a1e349d71c5faf5d77e4166896fddd6b63eece636c58740b8

SHA512
0f98ed055d0086b8ec223540d820f1c9ca42d6ccaf03d3040f7abf539b3c327802b8585c49a6eff38c7c7018b63dee663a5ba60f778ae55925236dfd492bff5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13642\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
memory/3828-68-0x000001DC91C90000-0x000001DC91C91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads