cobaltstrike | aa3863c51757c1bbad6a267bb066b131917cd455f33f52219cdc1155a72e1c24

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa3863c51757c1bbad6a267bb066b131917cd455f33f52219cdc1155a72e1c24.exe
Size

6.5MB
MD5

df4b967cbd70cf971f039923c3fe3ad1
SHA1

af4814d149fe8c2ee0ebfcbba8ccd7d9d2b82ef6
SHA256

aa3863c51757c1bbad6a267bb066b131917cd455f33f52219cdc1155a72e1c24
SHA512

b8fd7137a11b5ff703b3faa8614468bca996a15f3796977d93117e1651d60265ed435d2b2af97a1f80bd4d015b1d3fd80767da58463a0a716d0228145256a25f
SSDEEP

196608:6/aFUmvdsCncW4njQthsiHzPSEM7kAOZJJb4h:vFvaCncbnKhsxL7Md

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://192.168.126.233:80/X5Wy

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

Loads dropped DLL 5 IoCs

Processes:

aa3863c51757c1bbad6a267bb066b131917cd455f33f52219cdc1155a72e1c24.exe

pid	Process
4708	aa3863c51757c1bbad6a267bb066b131917cd455f33f52219cdc1155a72e1c24.exe
4708	aa3863c51757c1bbad6a267bb066b131917cd455f33f52219cdc1155a72e1c24.exe
4708	aa3863c51757c1bbad6a267bb066b131917cd455f33f52219cdc1155a72e1c24.exe
4708	aa3863c51757c1bbad6a267bb066b131917cd455f33f52219cdc1155a72e1c24.exe
4708	aa3863c51757c1bbad6a267bb066b131917cd455f33f52219cdc1155a72e1c24.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

aa3863c51757c1bbad6a267bb066b131917cd455f33f52219cdc1155a72e1c24.exe

description	pid	Process	procid_target
PID 3124 wrote to memory of 4708	3124	aa3863c51757c1bbad6a267bb066b131917cd455f33f52219cdc1155a72e1c24.exe	83
PID 3124 wrote to memory of 4708	3124	aa3863c51757c1bbad6a267bb066b131917cd455f33f52219cdc1155a72e1c24.exe	83

C:\Users\Admin\AppData\Local\Temp\aa3863c51757c1bbad6a267bb066b131917cd455f33f52219cdc1155a72e1c24.exe
"C:\Users\Admin\AppData\Local\Temp\aa3863c51757c1bbad6a267bb066b131917cd455f33f52219cdc1155a72e1c24.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Users\Admin\AppData\Local\Temp\aa3863c51757c1bbad6a267bb066b131917cd455f33f52219cdc1155a72e1c24.exe
  "C:\Users\Admin\AppData\Local\Temp\aa3863c51757c1bbad6a267bb066b131917cd455f33f52219cdc1155a72e1c24.exe"
  2⤵
  - Loads dropped DLL
  PID:4708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI31242\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\_ctypes.pyd

Filesize
116KB

MD5
41a9708af86ae3ebc358e182f67b0fb2

SHA1
accab901e2746f7da03fab8301f81a737b6cc180

SHA256
0bd4ed11f2fb097f235b62eb26a00c0cb16815bbf90ab29f191af823a9fed8cf

SHA512
835f9aa33fdfbb096c31f8ac9a50db9fac35918fc78bce03dae55ea917f738a41f01aee4234a5a91ffa5bdbbd8e529399205592eb0cae3224552c35c098b7843

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\base_library.zip

Filesize
1.0MB

MD5
aff87482a68af9215a7b62cbda5490af

SHA1
67ac1b9b3903c9010ea18b76c53c73b9bb1923fe

SHA256
88d8c98ea348b66758cc96d6c377c766ed799ac8e83ce091792c27587d8e57b8

SHA512
72ce1af8388209accaa956b2ccdbae0cc57af5f09f1c306e4ab1e63a05e6a0cdbe492ad59aba50aa793482e25bba5b90462258c27c16ebedd0bad0d61d128d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\python310.dll

Filesize
4.2MB

MD5
c6c37b848273e2509a7b25abe8bf2410

SHA1
b27cfbd31336da1e9b1f90e8f649a27154411d03

SHA256
b7a7f3707beab109b66de3e340e3022dd83c3a18f444feb9e982c29cf23c29b8

SHA512
222ad791304963a4b8c1c6055e02c0c4c47fce2bb404bd4f89c022ff9706e29ca6fa36c72350fbf296c8a0e3e48e3756f969c003dd1eb056cd026efe0b7eba40

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31242\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
memory/4708-65-0x000001D7B9200000-0x000001D7B9201000-memory.dmp

Filesize
4KB

Download