cobaltstrike | 2f3a05d6d6f8112288da101615f749ffd479cd535e1cc665c7851154e79bcab9

Resubmissions

04/12/2024, 11:29

241204-nlnhyayram 10

04/12/2024, 11:07

241204-m8g41atlg1 10

Analysis

max time kernel
140s
max time network
134s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/12/2024, 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7508939c077d0cf8ea1fadcba4255c69bc1b126d132e40bc28962e83435c8f13.exe
Size

1.2MB
MD5

c312d68d160ae738bc46bcc4aa0ea97a
SHA1

8572ff2bf304cdbce1498c5d7285cc033148c8d6
SHA256

7508939c077d0cf8ea1fadcba4255c69bc1b126d132e40bc28962e83435c8f13
SHA512

227fcc214e63e88acb6c435b5bafc63ac7480c1972d0cfaea01353efa9df77293bd0fb8e3e720b57c415e6da0816cb04089bcaf7d832b8b04487c03241d52771
SSDEEP

24576:4cKqReEXbU+xrOtDZnNo1YlBBp5bXf222RYbw+vyVf2Zn:3FR/Q+5WDZNo1+B6RYb0VfQn

Score

10^/10

cobaltstrike 206546002 backdoor discovery trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

206546002

http://ateliernow.net:443/Dev/v3.84/DB579PI9XE

Attributes

access_type
512
beacon_type
2048
host
ateliernow.net,/Dev/v3.84/DB579PI9XE
http_header1
AAAACgAAADJBY2NlcHQ6IGFwcGxpY2F0aW9uL2pzb24sIGFwcGxpY2F0aW9uL3htbCwgaW1hZ2UvKgAAAAoAAAATQWNjZXB0LUxhbmd1YWdlOiB0aAAAAAoAAAAfQWNjZXB0LUVuY29kaW5nOiBpZGVudGl0eSwgZ3ppcAAAAAcAAAAAAAAADwAAAAgAAAACAAAABl9HWGlkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACxBY2NlcHQ6IGFwcGxpY2F0aW9uL2pzb24sIHRleHQvaHRtbCwgaW1hZ2UvKgAAAAoAAAATQWNjZXB0LUxhbmd1YWdlOiBmcgAAAAoAAAAWQWNjZXB0LUVuY29kaW5nOiBiciwgKgAAAAcAAAAAAAAADwAAAAsAAAAFAAAACV9HVUVaTElLUgAAAAcAAAABAAAADwAAAA0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
12288
polling_time
68823
port_number
443
sc_process32
%windir%\syswow64\svchost.exe -k wksvc
sc_process64
%windir%\sysnative\systray.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCN5UAJbAA83lOuZlkNoqHDAdV1F7OJnqUiF3kD6mwuXzJzVpu9+f4l/QIUotuiQA+vvxdM3q/XGu77WogAe90LRUknEdoD6YnU32G/ts9dbSwG6HySt7cLn5B3FsomLWjBbssH9e31TihCUvZbK6PRzmLW4SBgZigBWLXZgu7+SwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.141448704e+09
unknown2
AAAABAAAAAEAAASeAAAAAgAABJ4AAAALAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/Stop/element/X71JO9M7V
user_agent
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
watermark
206546002

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7508939c077d0cf8ea1fadcba4255c69bc1b126d132e40bc28962e83435c8f13.exe

C:\Users\Admin\AppData\Local\Temp\7508939c077d0cf8ea1fadcba4255c69bc1b126d132e40bc28962e83435c8f13.exe
"C:\Users\Admin\AppData\Local\Temp\7508939c077d0cf8ea1fadcba4255c69bc1b126d132e40bc28962e83435c8f13.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2248-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2248-1-0x0000000001F70000-0x0000000001FB8000-memory.dmp

Filesize
288KB

Download
memory/2248-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2248-3-0x00000000033E0000-0x0000000003415000-memory.dmp

Filesize
212KB

Download
memory/2248-4-0x0000000003420000-0x00000000034A7000-memory.dmp

Filesize
540KB

Download
memory/2248-5-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2248-7-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2248-6-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download