cobaltstrike

General

Target

2025-02-13_9dc0bed1bd5aa4be93ea1e1b5c6b939d_cobalt-strike_ryuk
Size

627KB
Sample

250213-rdz4jszjbw
MD5

9dc0bed1bd5aa4be93ea1e1b5c6b939d
SHA1

597ba3a5049c521004a653e6fee8392f75dd3a27
SHA256

877e48025897375b2c526a2c27e7bc529c67625106f7124507f9a1dff86b622e
SHA512

a9ae820ad11a55a330a1e51429e2e0f4a517d47945f34e2e294d29adc15d11cfb8d0f53bcddda39afe9bd58e4e7b5edba124f2348e2571a7bd28a6165b90e59c
SSDEEP

12288:FbTIYhan3HgKiMuvfRuo/dXZEIGo02sHJyEysN4KxlN4:FbTIYhanIMuvowXZaTpVysyKXN4

Score

10^/10

cobaltstrike 0 1 backdoor discovery trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Extracted

Family

cobaltstrike

Botnet

1

C2

http://38.54.88.100:443/ptj

Attributes

access_type
512
beacon_type
2048
host
38.54.88.100,/ptj
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGojX1gXykofhY6wzw30/n182LSqDWLt20xumnvVNRhUCWMwr7YJG/jKtUt6L0AIawa93GZ4rH1j9Pz3Jb0KmNrnru8JU2s+DhT4fR/kpibOPiqX608219fxjaYi22f5jUg9gZjHQHHl1YzvGJ3+zBOdcOF9itgmFGLNKkc9JCgwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
watermark
1

Targets

- Target
  
  2025-02-13_9dc0bed1bd5aa4be93ea1e1b5c6b939d_cobalt-strike_ryuk
- Size
  
  627KB
- MD5
  
  9dc0bed1bd5aa4be93ea1e1b5c6b939d
- SHA1
  
  597ba3a5049c521004a653e6fee8392f75dd3a27
- SHA256
  
  877e48025897375b2c526a2c27e7bc529c67625106f7124507f9a1dff86b622e
- SHA512
  
  a9ae820ad11a55a330a1e51429e2e0f4a517d47945f34e2e294d29adc15d11cfb8d0f53bcddda39afe9bd58e4e7b5edba124f2348e2571a7bd28a6165b90e59c
- SSDEEP
  
  12288:FbTIYhan3HgKiMuvfRuo/dXZEIGo02sHJyEysN4KxlN4:FbTIYhanIMuvowXZaTpVysyKXN4
Score

10^/10

cobaltstrike 0 1 backdoor trojan discovery
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Cobaltstrike family
  cobaltstrike
- Downloads MZ/PE file
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Cobaltstrike family

Downloads MZ/PE file

Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2