cobaltstrike | deeef7ab3c62138c84d424b23623dee9a863f926a6ef7fffef951aa82c8c9d91 | Triage

Sharing

General

Target

关于八一钢铁2024采购计划.zip
Size

873KB
Sample

240924-c1dfqswfka
MD5

aa32968b0cfdd5e12ac44eb805a8ea67
SHA1

9989b27bb04e68d70cae98828581be69aac8bf42
SHA256

deeef7ab3c62138c84d424b23623dee9a863f926a6ef7fffef951aa82c8c9d91
SHA512

15c9b8fe9ecd1dbc54cbe617455d710c3c9897740d86cfd3b643807e698822cd0de0c59601451fee6f769d5309aedb33be2b45aeccf3a757dd8bb0a13deef248
SSDEEP

24576:135FEyUFm81/UryzQgudILEZ5O4jsI8pdt7xQla:13U/UGQgudILBpI8pdt2a

Score

10^/10

cobaltstrike 100000000 backdoor discovery trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://47.96.143.9:443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
47.96.143.9,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiCXi2enAfUbSymKo7NAw86DmRYV5NVIanYn5yt+4Mla4aWCDEOO3NOWwpF1n0fXSCo97gDGWBTUQxOMSVow+8+h/QuWnWnrCHvc0LOajXnqIIdJF4djOHGJe/F0gr9du5XjGg82R65fgkESOW7uRLYH8T5x9JH1MVS+3pNNUbkwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
100000000

Targets

- Target
  
  关于八一钢铁2024采购计划/main.txt
- Size
  
  1.1MB
- MD5
  
  7c97b1d468e4dfa2b030fccade1254da
- SHA1
  
  f13530abb95111bed6c31b0b0ff48deac209f359
- SHA256
  
  15624ea0f2b58e83bd5e6ddb4eb98fa226fd893f4d9c07be71243f1d3b2d185f
- SHA512
  
  64ea32763e88d1845fef65606ca70377a26d0174e5c6fa008ae692969ba02cc63123e30ebc81b6e34424e8cf6add4346281f24a6b34bea5cc33d07d195ed3457
- SSDEEP
  
  24576:tBWE2GWvd3pOq51/2SyazTGtTbnlV1OmN9mpio1yPJVjH:p2LOq519GNPRuoo1yPPH
Score

1^/10
behavioral1 behavioral2
- Target
  
  关于八一钢铁2024采购计划/‮xcod.采购意向.scr
- Size
  
  762KB
- MD5
  
  ff42ab9c0226bf0e7ec3c4570ff56306
- SHA1
  
  4203cb13abd29179370420524d9767b287da5d7b
- SHA256
  
  b06e383203e421f8726627694cf13431aa7e8f4c26270ee687548de0488bce22
- SHA512
  
  1a6b7154700e7f1c0da5e266d1cda44f72a0934dcec1a5895d79a906092ada49da4d8580a7f0e992cdfc89517910314ad774a79b36994677dc1cef85d8dc81a2
- SSDEEP
  
  6144:KKv8MuGM08RgAEe/XfMbAt0RAwK7el7nBFRDtPqw+dN6vGZwGdijZ2M:dZucAdPt0RAwKoRDtyw+dN6awMM
Score

10^/10

cobaltstrike 100000000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral3 behavioral4
- Target
  
  关于八一钢铁2024采购计划/关于八一钢铁2024采购计划.docx
- Size
  
  11KB
- MD5
  
  0e9ba768822ad62403ad09049f0b4a63
- SHA1
  
  95465c4e44659585f75ebcf7f6ceecb217077a37
- SHA256
  
  044ca73c6c156559060a96c53694ade0d9f2ca86b9ecace8cb0e96f66735d5da
- SHA512
  
  837e57cda68703913ccd8d4ad24212d7425290a2a1f158871f908f554ed07d64db02ef92fe4a7506897af249a423a4fd68c6d95528faac853a9148dc8d895d4b
- SSDEEP
  
  192:EgGI8N5wMKAsHrg67XApU53ZGND1BC/f/wlOA6BlwRF8DFeeG2p2EJrmsvAM3JOx:w/zNsHj7XSEpGND10IGBla8heeG1armF
Score

4^/10

discovery
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

cobaltstrike100000000backdoortrojan

behavioral4

cobaltstrike100000000backdoortrojan

behavioral5

behavioral6