cobaltstrike | ed1dc052fe73bffabdd6d1c9f91ccb25343cef8d22b613eb513fff04b70ee553 | Triage

Sharing

General

Target

ed1dc052fe73bffabdd6d1c9f91ccb25343cef8d22b613eb513fff04b70ee553
Size

402KB
Sample

241213-dpcwhawrgy
MD5

0102d324d5215411830f24d8c2208ca9
SHA1

391da061df15723b17a1f716626fee84c2e47096
SHA256

ed1dc052fe73bffabdd6d1c9f91ccb25343cef8d22b613eb513fff04b70ee553
SHA512

644fc2e10a5522bea9a7fa694848149907fac504828dfb1eed9f535a6ec00b8813553b062922a5fdaa70febeebf7772225d4854dbd2f4832d7485cff559766ea
SSDEEP

12288:K2Dl4hmlDMlr4fDLfL0ntffffOffffffffffffffffbDrw:KMl4hmlWoEtffffOfffffffffffffffz

Score

10^/10

cobaltstrike 0 backdoor discovery trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://blue-rice-1d8e.dropboxonline.workers.dev:443/jquery/secrets/OT5N74ZOYE4

Attributes

beacon_type
2048
host
blue-rice-1d8e.dropboxonline.workers.dev,/jquery/secrets/OT5N74ZOYE4
http_header1
AAAACgAAAClBY2NlcHQ6IGFwcGxpY2F0aW9uLyosIHRleHQvaHRtbCwgaW1hZ2UvKgAAAAoAAAATQWNjZXB0LUxhbmd1YWdlOiBqYQAAAAoAAAAfQWNjZXB0LUVuY29kaW5nOiBnemlwLCBpZGVudGl0eQAAABAAAAAVSG9zdDogY2RuLmFnd2llcW8uY29tAAAABwAAAAAAAAAPAAAADQAAAAIAAAAeYWZmaWxpYXRlX2lkX0tLRk1LQVk5SlFUWUhSUEg9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAABVBY2NlcHQ6IGFwcGxpY2F0aW9uLyoAAAAKAAAAFkFjY2VwdC1MYW5ndWFnZTogemgtaGsAAAAKAAAAH0FjY2VwdC1FbmNvZGluZzogaWRlbnRpdHksIGd6aXAAAAAQAAAAFUhvc3Q6IGNkbi5hZ3dpZXFvLmNvbQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACV9VRFBRSk5WRgAAAAcAAAABAAAADwAAAA0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
jitter
12800
maxdns
255
polling_time
60000
port_number
443
proxy_server
http://172.16.22.222:8080
sc_process32
%windir%\syswow64\Locator.exe
sc_process64
%windir%\sysnative\DevicePairingWizard.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJUZ1H8/nV/iiy1HRg0PojnEjIGT28lyDwd+OEBsR7jbuJUtc5QyGpq2mI7xQO9mXPuGbJwbgseMbSTJ7xEgM3/A2c6lEOafxGn/H7mdlBVnQ+tRRxFDQQeH5ag7hekpq1HVG4XRf8PlLXZdB18JGJAD59SaEvM/YVWcYlCjYG5wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
9.23213824e+08
unknown2
AAAABAAAAAEAAAOhAAAAAgAAA44AAAAIAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/mails/images/GVULBL22Q
user_agent
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.2704.0 Safari/537.36
watermark
0

Targets

- Target
  
  ed1dc052fe73bffabdd6d1c9f91ccb25343cef8d22b613eb513fff04b70ee553
- Size
  
  402KB
- MD5
  
  0102d324d5215411830f24d8c2208ca9
- SHA1
  
  391da061df15723b17a1f716626fee84c2e47096
- SHA256
  
  ed1dc052fe73bffabdd6d1c9f91ccb25343cef8d22b613eb513fff04b70ee553
- SHA512
  
  644fc2e10a5522bea9a7fa694848149907fac504828dfb1eed9f535a6ec00b8813553b062922a5fdaa70febeebf7772225d4854dbd2f4832d7485cff559766ea
- SSDEEP
  
  12288:K2Dl4hmlDMlr4fDLfL0ntffffOffffffffffffffffbDrw:KMl4hmlWoEtffffOfffffffffffffffz
Score

10^/10

cobaltstrike 0 backdoor discovery trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Cobaltstrike family
  cobaltstrike
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cobaltstrike0backdoordiscoverytrojan

behavioral2

cobaltstrike0backdoordiscoverytrojan