cobaltstrike | 435ffad45f232947e02f7402da530e577a8ab508fc28ac1508ee12ac416331d3 | Triage

Sharing

General

Target

435ffad45f232947e02f7402da530e577a8ab508fc28ac1508ee12ac416331d3
Size

684KB
Sample

240923-ssdpjazekq
MD5

df70444894454336936326eaa59c7f63
SHA1

8bc20189c411555416fb0652dd5250b182caae96
SHA256

435ffad45f232947e02f7402da530e577a8ab508fc28ac1508ee12ac416331d3
SHA512

0bff8a67f2e36b9bb1d675c310a266dbfee6921eea1a5bb8b7ad5c7080e5511ccd5648cd5f985952d362c04a9070d7b68eb8b2beb4188ae477893b047a902df4
SSDEEP

12288:y8qAWxeUPWunOAz2YzfSCL2LWFmUwb9T6O3yQVPmFIzG/ADp2g9AGlc9QOb7tKJ9:LqFxVzMYHL2LEmUwb9T66FlguG/VgnlT

Score

10^/10

cobaltstrike 100000000 backdoor discovery trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://172.245.168.250:14337/jquery-3.3.1.min.js

Attributes

access_type
512
host
172.245.168.250,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
14337
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCEReQQCba6gt6TS0vZwVlVwyb8H8I2qFYXcKVSEBal8TPV99UjK/P2HxAu6DbJVdtX375/dtQiX47Uq4hVtW9qazy5SjlFM2voz0xu2tSvdOIzjuDndSQJh+h07V9VU+dGraQpfMMdV9MCa83WlZ//Bg3+HTBXFsGaoIiKyXGDwQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
100000000

Targets

- Target
  
  msedge_elf.dll
- Size
  
  344KB
- MD5
  
  125009aeec321e9a06bc34a991180716
- SHA1
  
  bddea0e5b93eff93bdff4e0911f16b3a41b33690
- SHA256
  
  246824199ff4cd173785552b21607020956fc4246b2f7e4e8e2d35e5f2dd035c
- SHA512
  
  ad2e8c6180f3c2401c972d2a05216807e6e8f925c612059cc6b4bbbb8cd903570221cf69a05ded3265314f2227aeb3167234dd9f9ebe8628dc37fe3eac2cbd9d
- SSDEEP
  
  6144:qRABOngg9AgRhgfsRACE83z9loFZe8ZN/ADY10mD46QFCEkUP6r8xlP7nFxScHor:OABCAq3uCzmsrKa/iu1UEOh
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  svchost.exe
- Size
  
  833KB
- MD5
  
  9a25c9f4ae1ae0206d0ac670fc26bfb0
- SHA1
  
  ab9e4e3c92a722d0ccec78a5843d99b29d5a65e5
- SHA256
  
  7e78f5183d1539b90445356a7069b0f610d9b8c69c2be228e5952fe807d1791b
- SHA512
  
  ed7c65b387f8a3aeb06a3e06ed6444a928bdaff816391220a633dbbc18b6d8db65e86889ed1ba9e48d8e88dbb3cae4867a7c3a1ff12f473f36f03639a5b711d1
- SSDEEP
  
  24576:oasTmsTDNwvFTDTJZhRK1T+Bda9td41kGZFF:PUYTDTy1be1rFF
Score

10^/10

cobaltstrike 100000000 backdoor discovery trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

cobaltstrike100000000backdoordiscoverytrojan

behavioral4

cobaltstrike100000000backdoordiscoverytrojan