cobaltstrike

General

Target

9d3f3530e750bd7582bffd208ae3ce4ff54ac7b40d6de73116a385f907c38e63
Size

112KB
Sample

241120-jxgsbatngs
MD5

a24a496ee060423647b39fe163973f8b
SHA1

8d65edf28117b6f7878aa37313ee71268f3ecd08
SHA256

9d3f3530e750bd7582bffd208ae3ce4ff54ac7b40d6de73116a385f907c38e63
SHA512

adf58be25c0d4af04cbf39c320e5532e0bf21e3d4bec387e8a8bd609992688e8ed80705172efadc4e5f53adbdf8eda5fb703598874cabcd8b7a30d7622873a9a
SSDEEP

384:IoXBpcFhrudBbv6Rbl0jWEIZ3a2SD2J9T0GJzH0ZWzw8o99Sjvb99Sjvh:WGbvaWIZOs9TzUZWzE9Sbh9Sb

Score

10^/10

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://123.58.220.204:8090/NaLa

Attributes

headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)

Extracted

Family

cobaltstrike

Botnet

987654321

C2

http://123.58.220.204:8090/ptj

Attributes

access_type
512
host
123.58.220.204,/ptj
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
8090
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvPs2Rhqy5pcJhPzvYTVsz3AnXffmczUjmiXFZkhS10D4Na245G3ccAG6N8ezr+/aypLD/WdVDKTz/kEr/Kjs7avGYZPS3d4P9am5IBElRW2uT+V/eq/TMemQogN52GwrlE/GzBHnNJlGD2JrSyD2fmjhrrmMgrtLYK626iIki0wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; NP07; NP07)
watermark
987654321

Targets

- Target
  
  9d3f3530e750bd7582bffd208ae3ce4ff54ac7b40d6de73116a385f907c38e63
- Size
  
  112KB
- MD5
  
  a24a496ee060423647b39fe163973f8b
- SHA1
  
  8d65edf28117b6f7878aa37313ee71268f3ecd08
- SHA256
  
  9d3f3530e750bd7582bffd208ae3ce4ff54ac7b40d6de73116a385f907c38e63
- SHA512
  
  adf58be25c0d4af04cbf39c320e5532e0bf21e3d4bec387e8a8bd609992688e8ed80705172efadc4e5f53adbdf8eda5fb703598874cabcd8b7a30d7622873a9a
- SSDEEP
  
  384:IoXBpcFhrudBbv6Rbl0jWEIZ3a2SD2J9T0GJzH0ZWzw8o99Sjvb99Sjvh:WGbvaWIZOs9TzUZWzE9Sbh9Sb
Score

10^/10

cobaltstrike metasploit 987654321 backdoor discovery trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Cobaltstrike family
  cobaltstrike
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Metasploit family
  metasploit
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Cobaltstrike family

MetaSploit

Metasploit family

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2