cobaltstrike | 9d3f3530e750bd7582bffd208ae3ce4ff54ac7b40d6de73116a385f907c38e63

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d3f3530e750bd7582bffd208ae3ce4ff54ac7b40d6de73116a385f907c38e63.exe
Size

112KB
MD5

a24a496ee060423647b39fe163973f8b
SHA1

8d65edf28117b6f7878aa37313ee71268f3ecd08
SHA256

9d3f3530e750bd7582bffd208ae3ce4ff54ac7b40d6de73116a385f907c38e63
SHA512

adf58be25c0d4af04cbf39c320e5532e0bf21e3d4bec387e8a8bd609992688e8ed80705172efadc4e5f53adbdf8eda5fb703598874cabcd8b7a30d7622873a9a
SSDEEP

384:IoXBpcFhrudBbv6Rbl0jWEIZ3a2SD2J9T0GJzH0ZWzw8o99Sjvb99Sjvh:WGbvaWIZOs9TzUZWzE9Sbh9Sb

Score

10^/10

cobaltstrike metasploit 987654321 backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://123.58.220.204:8090/NaLa

Attributes

headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)

Extracted

Family

cobaltstrike

Botnet

987654321

http://123.58.220.204:8090/ptj

Attributes

access_type
512
host
123.58.220.204,/ptj
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
8090
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvPs2Rhqy5pcJhPzvYTVsz3AnXffmczUjmiXFZkhS10D4Na245G3ccAG6N8ezr+/aypLD/WdVDKTz/kEr/Kjs7avGYZPS3d4P9am5IBElRW2uT+V/eq/TMemQogN52GwrlE/GzBHnNJlGD2JrSyD2fmjhrrmMgrtLYK626iIki0wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; NP07; NP07)
watermark
987654321

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9d3f3530e750bd7582bffd208ae3ce4ff54ac7b40d6de73116a385f907c38e63.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d3f3530e750bd7582bffd208ae3ce4ff54ac7b40d6de73116a385f907c38e63.exe

C:\Users\Admin\AppData\Local\Temp\9d3f3530e750bd7582bffd208ae3ce4ff54ac7b40d6de73116a385f907c38e63.exe
"C:\Users\Admin\AppData\Local\Temp\9d3f3530e750bd7582bffd208ae3ce4ff54ac7b40d6de73116a385f907c38e63.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3280-0-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3280-1-0x0000000003310000-0x0000000003710000-memory.dmp

Filesize
4.0MB

Download
memory/3280-2-0x0000000003710000-0x0000000003751000-memory.dmp

Filesize
260KB

Download
memory/3280-3-0x0000000003760000-0x0000000003762000-memory.dmp

Filesize
8KB

Download
memory/3280-4-0x0000000003710000-0x0000000003751000-memory.dmp

Filesize
260KB

Download