cobaltstrike | 88cfede42188d89c02902431f688fd90b5947eb2155f6b40a1f75f3cfc010e2b

Analysis

max time kernel
134s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2024, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cobabehttpx86.exe
Size

3.0MB
MD5

e1e8c1f522869f486b89e77c05d45ba3
SHA1

e975b3aa9a1f47ae11d078caf5863c8de272a724
SHA256

7ee3baef75f367c136e7d1a3fb829cb381dd9ad9cc4b3ca46da1dd1c1976e394
SHA512

bbda0dba35cebd32b25e08c2430ce772bdd643a7e7187eed638eea453afae9f33249db93953fb36d2280ac50656612dcf6047553e1162b209263d92e77690628
SSDEEP

49152:qAq5iCl58uwrrZb7/HHN7DHgjLESKfQCbNxt0MiEeg28riYAzcrzUR80ex5dj65R:qAq5iCl58Lrtb7/sgmOURsx5UwQFNQMJ

Score

10^/10

cobaltstrike 305419896 backdoor discovery trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

http://195.123.217.12:80/jquery-3.3.1.min.js

Attributes

access_type
512
dns_idle
2.15579587e+08
host
195.123.217.12,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
jitter
9472
maxdns
255
polling_time
45000
port_number
80
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCT42RZXDkOt4TBaANg7RggQbQZgKIt9JoHuhWGb5HcZdWd3ZmoqFQuFJ53NsjMvGrDkwxGokAV2GaGhCCb1GHK1NigI6uBcokE6seiXhny94nDmEEu4EEdYyFgLrsswJ04NA8tnIQD11iUz7XxzwocHN1161Yj66YCBK61DUomQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
305419896

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cobabehttpx86.exe

C:\Users\Admin\AppData\Local\Temp\cobabehttpx86.exe
"C:\Users\Admin\AppData\Local\Temp\cobabehttpx86.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3604-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3604-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3604-4-0x00000000013B0000-0x00000000013E4000-memory.dmp

Filesize
208KB

Download
memory/3604-6-0x00000000033A0000-0x0000000003812000-memory.dmp

Filesize
4.4MB

Download
memory/3604-7-0x00000000033A0000-0x0000000003812000-memory.dmp

Filesize
4.4MB

Download