cobaltstrike | 1485507e6b61175e2ea04d4866ee932620251b5ce895d78a959b7c4c5a2de18d

Resubmissions

07-01-2025 19:22

250107-x3kcaavmb1 10

07-01-2025 07:44

250107-jk35sa1mex 10

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

css/d.exe
Size

1.8MB
MD5

2698d20741e70dd169a307778685c083
SHA1

422a5dcf9e4a52d35d7de830879f3d9417fed263
SHA256

103398cd38586819bdb93a1d4a95ead155becc718c2ba96764598eafb073d79b
SHA512

95d1d428f6f18c393fbe1bfe182b16c97728fd55a6c6b9d76fd6f13a1feffc4ddf01d8ee0ad80061e48cdf519eaf0d5e82396b6386bb995c05a7ec430fd55434
SSDEEP

24576:lSX7P1/EmHZI9KLoYghoHmH7GKjU+oJRQoY3Y5w2FYp4b:lk7ZEmHZdL0KHmyKjuw2t

Score

10^/10

cobaltstrike 100000000 backdoor discovery trojan

Malware Config

Extracted

Family

cobaltstrike

http://cs.xiaojingjingaihuifeng.xyz:443/wqerqwersdgfx64.jpg

Attributes

user_agent
Host: cs.xiaojingjingaihuifeng.xyz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1

Extracted

Family

cobaltstrike

Botnet

100000000

http://cs.xiaojingjingaihuifeng.xyz:443/sadfasdgdfhsddfguri.jpg

Attributes

access_type
512
beacon_type
2048
host
cs.xiaojingjingaihuifeng.xyz,/sadfasdgdfhsddfguri.jpg
http_header1
AAAAEAAAACJIb3N0OiBjcy54aWFvamluZ2ppbmdhaWh1aWZlbmcueHl6AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAACJIb3N0OiBjcy54aWFvamluZ2ppbmdhaWh1aWZlbmcueHl6AAAABwAAAAAAAAAMAAAABwAAAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDf5Lhsc93XFst27e+QKwAkbHVNFINrwLEaZ+/nntapLmWCUReek3rYBoFPUUP+hWS7Lpm5hzY7EiAVi4ExoB6pRwtidjdNTAp4TT70IKL53VAYfWtGcb7TiMqLqWD5ALdDSGc4WEVshlTu8nnsmDhS3FVU992x5HWK+M+g78sj+QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/asdffdgxcvbbnfgpuri.jpg
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) QQBrowser/6.9.11079.201
watermark
100000000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	d.exe

C:\Users\Admin\AppData\Local\Temp\css\d.exe
"C:\Users\Admin\AppData\Local\Temp\css\d.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2908-0-0x000001A77C030000-0x000001A77C031000-memory.dmp

Filesize
4KB

Download
memory/2908-1-0x000001A77DC00000-0x000001A77E000000-memory.dmp

Filesize
4.0MB

Download
memory/2908-2-0x000001A77E000000-0x000001A77E04E000-memory.dmp

Filesize
312KB

Download
memory/2908-3-0x000001A77E000000-0x000001A77E04E000-memory.dmp

Filesize
312KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads