cobaltstrike

General

Target

Kuraue.rar
Size

40.3MB
Sample

241122-sa83qasqbz
MD5

9ec5a4281710cc926aa67831ae49a306
SHA1

69e975cbe5d712124741ecf4ef29fb18c92b5fa2
SHA256

523d9fe54d3b79872a41831a12eb1bdaec314fb3449c04460c256a822dbb8940
SHA512

8a5cbf32490e5989a384e183d784570c4e3c0fbd959da2df32cbf70273d2fe22d9897f42fcd373ac8a83f08e7ce4c053a0263366781b398c802ea1ff66bd2586
SSDEEP

786432:M7CrxpA1bYXNjo1i5l98F+BDDN1AEkg2Y1hibDzDA5cAV2ddvGj:M72GaNcM7988gg2Y1P5/yGj

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://101.42.2.218:443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
101.42.2.218,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
12800
polling_time
1000
port_number
443
sc_process32
%windir%\syswow64\WerFault.exe
sc_process64
%windir%\sysnative\WerFault.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4i4awlFJiy8RuC7n1kqpTlzo5TyjHX3j+f4Jtigr1USOy5D+WYVx991hPcUGQsMPDKAwB8OkIGyKN03IMOjKe4XCS6B7Zwl4ntQSrsd6c2R+54SXfAXfCOuvKSq2RNPFdM+XNtriypZMQRfM3LmHSMzbiEN3c2wEFUANBk+E/FwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
100000

Targets

- Target
  
  Kuraue/047bc92d1dd3edd255f4eb31b42b1f1fbc9ce087096652c7c65fa4b14ba26d9e.exe.vir
- Size
  
  26.1MB
- MD5
  
  170c320c93d35bc45d9e40aade1eed72
- SHA1
  
  ff266e59805b52e2cd34a35ac283cb5ded37cdba
- SHA256
  
  047bc92d1dd3edd255f4eb31b42b1f1fbc9ce087096652c7c65fa4b14ba26d9e
- SHA512
  
  bdcbdaa47313698621fe9f205129a90ae4b3aa0674e0d9d287d633289c30965f5aa0a04227c2856b558df80259d0107e7a11b6c62ab8e62fb03123b876eb9b46
- SSDEEP
  
  786432:1UDKaqzEbgd0AyhNSLsij2dpEh9TZJJXmMA:auanD7IsiqpaZJJJA
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  Kuraue/10d901f924e9009c88e2021c8ab55a029743a682df01de2f1fb4227afe8ceb82.exe.vir
- Size
  
  26.2MB
- MD5
  
  c9673017aca2bc1b562ff2a515a8faac
- SHA1
  
  612ae99be6864f5357eedc51e2901e50b8493488
- SHA256
  
  10d901f924e9009c88e2021c8ab55a029743a682df01de2f1fb4227afe8ceb82
- SHA512
  
  0b850010de72d295cda995aafa99f86494575a274b4a59bfb8472770d80933506d91bea906f5a3f9cf7b6dc7732101f1d57113e18f7efebda7d098dea4f84b03
- SSDEEP
  
  393216:YDMTNSG/lVrl3KExL3JzATzC8WfeIRVlFvlQCcv6QaAu5SVDMTNSG/lVrl3KExLu:YyhpKOxk6lFiPvQ6yhpKOxk6lFC
Score

10^/10

discovery evasion trojan
- UAC bypass
  evasion trojan
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4
- Target
  
  Kuraue/873782499615a3825a38623440408cc78ac6ab38d8e05379aa921b9185df4075.exe.vir
- Size
  
  1.9MB
- MD5
  
  056ccd0b9d7ef99759dc9aa9954ab038
- SHA1
  
  b4b629190a8f97ad06eb14b7448e7eb4770f1b51
- SHA256
  
  873782499615a3825a38623440408cc78ac6ab38d8e05379aa921b9185df4075
- SHA512
  
  566cf007ffa296a73b6529dd1768a8a92d01716a6b61a9c14b2834f420f56dca7554f7979aaf045e65956e2ee3020501b7edb4355ed7a78d26d097b3b8d57390
- SSDEEP
  
  49152:R0y8xS0Lrb/TGvO90d7HjmAFd4A64nsfJm0B02uPc87TTp90SgM4:8TKt
Score

10^/10

cobaltstrike 100000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Cobaltstrike family
  cobaltstrike
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
behavioral5 behavioral6