cobaltstrike | cf7ea5332f210571dd569c443be3271a2a94c98814253aee2d4ddedd87bf6104

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/12/2024, 18:53 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf7ea5332f210571dd569c443be3271a2a94c98814253aee2d4ddedd87bf6104.exe
Size

560KB
MD5

c85f5b3373300823d221bd1e2a37e01f
SHA1

cfc04aab188681089729cb95578985f683b3bde0
SHA256

cf7ea5332f210571dd569c443be3271a2a94c98814253aee2d4ddedd87bf6104
SHA512

38ca3e91832baa150d57b0fbfb855212cb6a17acdb8d355548854c8d4a4d3a083ffe38a3eedd10fcf4cb33b5c50fd18b92dbc10f056f26d798bb067e24d42131
SSDEEP

12288:SjQ5wM/uDESG4TlkYWTf+2dzMe2Kua7MX+r6:S0mnESmYIga7MS6

Score

10^/10

cobaltstrike 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

http://192.168.239.129:17822/en_US/all.js

Attributes

access_type
512
host
192.168.239.129,/en_US/all.js
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
17822
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDACmrc5Fuixyid7WGWnKJUH/jUz0R3Qrm8sxQf+JL9yD3OJUPewVI3wN5QlEpgl6Hbcd6A00fRl9SDpaSbropmNKepwq+BO4ubW86llxXOR6bd7WXEp8IegFnb6NR+Ju+biW/bv5BcO434b7zaFvgfLm2tfKVorF5bGJHo4suliQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; Touch)
watermark
305419896

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

C:\Users\Admin\AppData\Local\Temp\cf7ea5332f210571dd569c443be3271a2a94c98814253aee2d4ddedd87bf6104.exe
"C:\Users\Admin\AppData\Local\Temp\cf7ea5332f210571dd569c443be3271a2a94c98814253aee2d4ddedd87bf6104.exe"
1⤵
PID:3304

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

83.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

23.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.159.190.20.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

212.20.149.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.20.149.52.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

92.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

92.12.20.2.in-addr.arpa

IN PTR

Response

92.12.20.2.in-addr.arpa

IN PTR

a2-20-12-92deploystaticakamaitechnologiescom
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

174.117.168.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

174.117.168.52.in-addr.arpa

IN PTR

Response

192.168.239.129:17822

cf7ea5332f210571dd569c443be3271a2a94c98814253aee2d4ddedd87bf6104.exe

260 B
5
192.168.239.129:17822

cf7ea5332f210571dd569c443be3271a2a94c98814253aee2d4ddedd87bf6104.exe

260 B
5

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

83.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

83.210.23.2.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

23.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.159.190.20.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

212.20.149.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

212.20.149.52.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

92.12.20.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

92.12.20.2.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

174.117.168.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

174.117.168.52.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3304-0-0x000001450E5E0000-0x000001450E620000-memory.dmp

Filesize
256KB

Download
memory/3304-1-0x00007FFECDD10000-0x00007FFECDF05000-memory.dmp

Filesize
2.0MB

Download
memory/3304-2-0x00007FFECDD10000-0x00007FFECDF05000-memory.dmp

Filesize
2.0MB

Download
memory/3304-3-0x00007FFECDD10000-0x00007FFECDF05000-memory.dmp

Filesize
2.0MB

Download
memory/3304-4-0x00007FF6AF6C0000-0x00007FF6AF754000-memory.dmp

Filesize
592KB

Download
memory/3304-6-0x00007FF6AF6C0000-0x00007FF6AF754000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.