cobaltstrike | 5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce

General

Target

5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
Size

4.5MB
MD5

6eb0f8cdd3f2708b5fc8bdf2dadca602
SHA1

8e2be55f6ae18e9e091619d632c35f6897784a42
SHA256

5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce
SHA512

6a40ae445e0722e5de5306362904dc663e529c8d69aa9437804476c23de8b37e85ab38ba75404d96062dbc4d79dbd164976aec51b95b7982084fb1b266c2bba5
SSDEEP

98304:/XrHQcsibw8SPLeTtSQo5Z8DERxrfExYzbRKHIrH/92BQ6ZyF:frwcXMHLKy6txWRK+H/926Yy

Score

10^/10

cobaltstrike backdoor discovery trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://192.168.14.128:443/u6z8

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;NLNL)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 4 IoCs

pid	Process
412	5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
412	5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
412	5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
412	5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1332	412	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	412	5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 412	4220	5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe	82
PID 4220 wrote to memory of 412	4220	5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe	82
PID 4220 wrote to memory of 412	4220	5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe	82

C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
"C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
  "C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 624
    3⤵
    - Program crash
    PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 412 -ip 412
1⤵
PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI42202\Crypto.Cipher._AES.pyd

Filesize
29KB

MD5
3c4ab2e06feb6e4ca1b7a1244055671a

SHA1
a4c3c44b45248b7cf53881e6d8efa8d557e100a9

SHA256
c7e4194470a677304fad05c771654e6986c32bc29a04c3c4c52594172d83cb23

SHA512
7531b4ecf3c2a37b33b790e403cf69c6c90c33b0236ad65996fad6e5fdd0e831935126ed96026f612d6fdd2847f2d7b01823f49fbdbd8c95b434fbdd9aaf557c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42202\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42202\_ctypes.pyd

Filesize
83KB

MD5
5d1bc1be2f02b4a2890e921af15190d2

SHA1
057c88438b40cd8e73554274171341244f107139

SHA256
97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da

SHA512
9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42202\base_library.zip

Filesize
717KB

MD5
d6d034e1af968d134b3cc4477b623069

SHA1
6eb0fc22dc6360177956e0884241b94b68f69ee7

SHA256
63f31b4c43a469971854a1d1eae5516f8d0ccdcd3d0566a84b2496c25a28de44

SHA512
e45c32d209ab14a328c843d06958ce0f35c9ef2f52e5e8d47fbd0caa4b89eb3388d03497f973ee73aaf73ee3be3327942a6202a7934d818261c5b29965de94bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42202\python34.dll

Filesize
2.6MB

MD5
96f7167b725a27b3bd4766a89c4b4305

SHA1
39a1d7e1648adce5740a1976211724cf87792b9e

SHA256
30ab1713ca7cbbee7227bf50db4d1415654eb81ea0a16134f37dc11a746d9f92

SHA512
3d7ce22c29956f7f1c001ab86298485987d2b1dc5f52d5eb5b7dd21c21d88d00849163f684c01141b77ed387bc32733d26da79cc81a2d01f0d2f5d9ec8c5441a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42202\test.exe.manifest

Filesize
1KB

MD5
0995942e0c238d67de452a3b2c1db5a9

SHA1
ac9fdb353e74a3de2c1024c6d6a068fef7860328

SHA256
4801e45f989133f5dfb453fd3e31ff512043dc89b099b64faf55f78724e7518d

SHA512
e97e43d6d3f14e00835be72e78e3e29a0632a47c4057c3a7340780f6761f6643793c8427d997446a3152a8b2fc5133ea9065b554e2321d216f9f7df34a16a35e

Download Submit
memory/412-25-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/412-28-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4220-38-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing