cobaltstrike | 4feae868284998cf234f15613f01acb5f2e2b4cb428a165abd82d9b5f9fb5e19 | Triage

Sharing

General

Target

4feae868284998cf234f15613f01acb5f2e2b4cb428a165abd82d9b5f9fb5e19
Size

881KB
Sample

240925-w5pt4stemb
MD5

4712e23412b1502a347c230dff6202cd
SHA1

2e8c6bebd47b77ad2fa5b0e9a95853655a1ec173
SHA256

4feae868284998cf234f15613f01acb5f2e2b4cb428a165abd82d9b5f9fb5e19
SHA512

acc504c225d1e803a30630fbe2d06be2f9326bd6361aec933186397635219caee68f9a44e827f295362eeb162e3ddd89ee948a33dc2945bd181484b24044885d
SSDEEP

12288:62Ru8fivEvfjuokZOXwe/uAflYC/Ge/iuGuCF2jze5r/TTQYBOA:6Ku8PfKTZOXwe/uAR/quOr1YEOA

Score

10^/10

cobaltstrike 100000000 backdoor discovery trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://127.0.0.1:6443/js/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
127.0.0.1,/js/jquery-3.3.1.min.js
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
3000
port_number
6443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfv7GErTrLbAar7TLZv91390uEtpo/rTpBPlU7eEZx1fNABBJiDs7CwLsIXtajWbvaV6EJmL0oab9eSGPZkGEHGwdgw01inIteAHKOBrzsaYNKClb63wt65/a4I5/v/k0J+uunqPZEej56aPfEB/NwTMN5qBXZ4LMZq38Bmbxj2QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/js/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
watermark
100000000

Targets

- Target
  
  4feae868284998cf234f15613f01acb5f2e2b4cb428a165abd82d9b5f9fb5e19
- Size
  
  881KB
- MD5
  
  4712e23412b1502a347c230dff6202cd
- SHA1
  
  2e8c6bebd47b77ad2fa5b0e9a95853655a1ec173
- SHA256
  
  4feae868284998cf234f15613f01acb5f2e2b4cb428a165abd82d9b5f9fb5e19
- SHA512
  
  acc504c225d1e803a30630fbe2d06be2f9326bd6361aec933186397635219caee68f9a44e827f295362eeb162e3ddd89ee948a33dc2945bd181484b24044885d
- SSDEEP
  
  12288:62Ru8fivEvfjuokZOXwe/uAflYC/Ge/iuGuCF2jze5r/TTQYBOA:6Ku8PfKTZOXwe/uAR/quOr1YEOA
Score

10^/10

cobaltstrike 100000000 backdoor discovery trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cobaltstrike100000000backdoordiscoverytrojan

behavioral2

cobaltstrike100000000backdoordiscoverytrojan