cobaltstrike | e2201b45db5c401eb4305b5083ad45fdc6f8eef6f90a5075003e2434c54f8bc0

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2201b45db5c401eb4305b5083ad45fdc6f8eef6f90a5075003e2434c54f8bc0.exe
Size

6.7MB
MD5

1f971ce59f0f3028434e1220e1f1cc1d
SHA1

f9083bb3e378f2d0b951d8fd90706ab948207b23
SHA256

e2201b45db5c401eb4305b5083ad45fdc6f8eef6f90a5075003e2434c54f8bc0
SHA512

3feae0bf55b476fda9688c725900299fc45d329e31f6a9ba2323c1ed8e9d39a628e5c222472ee08dec46f8a07d97dd1b615d9d0bc92d836cb20fb3e172d0b09f
SSDEEP

196608:VLdzUjpRwcL2Vmd6+DClOToPVIn+LH/+z3+0XD6AGho:/oVRTL2Vmd6mZTodIn+LH/+zv6A

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://10.128.47.217:447/rN1l

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

Loads dropped DLL 4 IoCs

pid	Process
2156	e2201b45db5c401eb4305b5083ad45fdc6f8eef6f90a5075003e2434c54f8bc0.exe
2156	e2201b45db5c401eb4305b5083ad45fdc6f8eef6f90a5075003e2434c54f8bc0.exe
2156	e2201b45db5c401eb4305b5083ad45fdc6f8eef6f90a5075003e2434c54f8bc0.exe
2156	e2201b45db5c401eb4305b5083ad45fdc6f8eef6f90a5075003e2434c54f8bc0.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 2156	4656	e2201b45db5c401eb4305b5083ad45fdc6f8eef6f90a5075003e2434c54f8bc0.exe	85
PID 4656 wrote to memory of 2156	4656	e2201b45db5c401eb4305b5083ad45fdc6f8eef6f90a5075003e2434c54f8bc0.exe	85

C:\Users\Admin\AppData\Local\Temp\e2201b45db5c401eb4305b5083ad45fdc6f8eef6f90a5075003e2434c54f8bc0.exe
"C:\Users\Admin\AppData\Local\Temp\e2201b45db5c401eb4305b5083ad45fdc6f8eef6f90a5075003e2434c54f8bc0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Local\Temp\e2201b45db5c401eb4305b5083ad45fdc6f8eef6f90a5075003e2434c54f8bc0.exe
  "C:\Users\Admin\AppData\Local\Temp\e2201b45db5c401eb4305b5083ad45fdc6f8eef6f90a5075003e2434c54f8bc0.exe"
  2⤵
  - Loads dropped DLL
  PID:2156

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI46562\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46562\_ctypes.pyd

Filesize
116KB

MD5
b754feac42b118dbeb2d005bcf8036e3

SHA1
c48d63eea9868ed2f071e8baeb8faa7d323b48d9

SHA256
e880e94d0035bcca283a071bd5f18024d247564c2c68f41b381270eae08e1f7c

SHA512
1f6212e63bcfe562dcf611c8bd794318e76f702483cfd039062dddb0356742776d3efce96196b820a7c06208a35f4bb12cfa27996a9dc7d4e549912c9b9cb8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46562\base_library.zip

Filesize
1.0MB

MD5
2c0165a5147d9b884414292041e2614d

SHA1
f3195a681ca1104d1eb99b6278333a91088ec2c9

SHA256
feace063e2e83ddc3cd8821a596121252134b315a018129056a5b150bf732854

SHA512
338e1af639dfcbe3acff472391fc0dd557fb1a287c4c1fe3e9a109423c7838e62d2a04a1a84a9c4c3bc2fa2dfbb45a2936fcab2d205b30699b68e542c77f5602

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46562\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46562\python310.dll

Filesize
4.2MB

MD5
7e45e4d723e4775f6e26628315f370ad

SHA1
76a8104c5d073c6f7619872426d440bcabd18bb9

SHA256
7cc15b7440710f8fecaa67396b83436b3b2962e3757482dfbaf926ee74f86882

SHA512
4e11316ebbf6af953dcf991148cca98a155d48d4f8b5ee068f2bc7a56aa14c8a7661d52ecce9bc3c4aa5495868503b81010d81c4fe3a15fa789f13ce081c82fb

Download Submit
memory/2156-65-0x000002BA16FB0000-0x000002BA16FB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads