cobaltstrike

Resubmissions

07-01-2025 19:22

250107-x3kcaavmb1 10

07-01-2025 07:44

250107-jk35sa1mex 10

Sharing

Copy URL

Twitter E-mail

General

Target

1485507e6b61175e2ea04d4866ee932620251b5ce895d78a959b7c4c5a2de18d
Size

1.9MB
Sample

250107-jk35sa1mex
MD5

5332ac75c30c607e4b811a58baaa2069
SHA1

f1bada65a298ab4cf3c34dc9d9d425e4f94fdea2
SHA256

1485507e6b61175e2ea04d4866ee932620251b5ce895d78a959b7c4c5a2de18d
SHA512

e25015ca966a19f41f2330fe1df5ab5fc682f7c1ead6709489a9baa529b6ef629cf90be117090017cd57916e9e8529d57c6fc1e3ed613def4999b222a44a2c0e
SSDEEP

49152:VfaFUi5zWV33HXboEuQuBlWbAjI+CoZc1LaHDcI4CFezOEK:VEU0W1MEeBlW0woZqyYIiOEK

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

http://cs.xiaojingjingaihuifeng.xyz:443/wqerqwersdgfx64.jpg

Attributes

user_agent
Host: cs.xiaojingjingaihuifeng.xyz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1

Extracted

Family

cobaltstrike

Botnet

100000000

http://cs.xiaojingjingaihuifeng.xyz:443/sadfasdgdfhsddfguri.jpg

Attributes

access_type
512
beacon_type
2048
host
cs.xiaojingjingaihuifeng.xyz,/sadfasdgdfhsddfguri.jpg
http_header1
AAAAEAAAACJIb3N0OiBjcy54aWFvamluZ2ppbmdhaWh1aWZlbmcueHl6AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAACJIb3N0OiBjcy54aWFvamluZ2ppbmdhaWh1aWZlbmcueHl6AAAABwAAAAAAAAAMAAAABwAAAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDf5Lhsc93XFst27e+QKwAkbHVNFINrwLEaZ+/nntapLmWCUReek3rYBoFPUUP+hWS7Lpm5hzY7EiAVi4ExoB6pRwtidjdNTAp4TT70IKL53VAYfWtGcb7TiMqLqWD5ALdDSGc4WEVshlTu8nnsmDhS3FVU992x5HWK+M+g78sj+QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/asdffdgxcvbbnfgpuri.jpg
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) QQBrowser/6.9.11079.201
watermark
100000000

Targets

- Target
  
  css/1.bat
- Size
  
  66B
- MD5
  
  c644ff75d62bc34a768e47aecdaeceea
- SHA1
  
  5ca202464b346b424c48922b45ea0f0b181409a3
- SHA256
  
  824732ef73db4846b8270f325f2c7d925791d9bdf73ba546f3aa9c5615cabbfc
- SHA512
  
  0eb61811df09f763efc321556b70085dae4b284fb38e21ca62efa7197c47852805ed87277b1e594331755ce318db254e3b7d099abebfa7d5e099f08cf5eff677
Score

1^/10
behavioral1 behavioral2
- Target
  
  css/2.bat
- Size
  
  63B
- MD5
  
  ea98e2e88c2fd4c6c10854fa944892d2
- SHA1
  
  9a359bd5144cb5d96c08f62fe09e963fe1a8cfdd
- SHA256
  
  6f2f005670b10e681d8a2c132917146ad69214018e14a6d850a7592a658f6076
- SHA512
  
  bd70d7666f90517bf4618219097cf7fd889d3849992ade574940def3f73cae3bc89708fa6e952b4b20288c7b08fd285f53ff8ebd75c4efa76b89058fe892fcb5
Score

8^/10

execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
behavioral3 behavioral4
- Target
  
  css/d.bak
- Size
  
  1.8MB
- MD5
  
  2698d20741e70dd169a307778685c083
- SHA1
  
  422a5dcf9e4a52d35d7de830879f3d9417fed263
- SHA256
  
  103398cd38586819bdb93a1d4a95ead155becc718c2ba96764598eafb073d79b
- SHA512
  
  95d1d428f6f18c393fbe1bfe182b16c97728fd55a6c6b9d76fd6f13a1feffc4ddf01d8ee0ad80061e48cdf519eaf0d5e82396b6386bb995c05a7ec430fd55434
- SSDEEP
  
  24576:lSX7P1/EmHZI9KLoYghoHmH7GKjU+oJRQoY3Y5w2FYp4b:lk7ZEmHZdL0KHmyKjuw2t
Score

10^/10

cobaltstrike 100000000 backdoor discovery trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Cobaltstrike family
  cobaltstrike
behavioral5 behavioral6
- Target
  
  css/goto.7z
- Size
  
  2.6MB
- MD5
  
  5d994ed0be59ab5f2f0242706b8b3b55
- SHA1
  
  b7787d1050691e9dbc5ef6dadc80c36761ae9697
- SHA256
  
  74533489c6609b07b00e578d98af29dd6250ddd800e5ecf5743cd9af2e2f24f3
- SHA512
  
  86c9e160b7b9015c790254857526aa554a020888383638eb4787a4f700b299cd16e26c08e4dac823be8832274eb3bc74421932e9bb880e44062053fc49f1de27
- SSDEEP
  
  49152:dJp9NvSqm1wFE5eBe0/4tmsHfK99IvS0mmvQDTGJt0P:AqsevwIN9Wn0
Score

6^/10

bootkit persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Targets

Command and Scripting Interpreter: PowerShell

Cobaltstrike family

Writes to the Master Boot Record (MBR)

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8