cobaltstrike | 877e48025897375b2c526a2c27e7bc529c67625106f7124507f9a1dff86b622e

Analysis

max time kernel
123s
max time network
133s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13/02/2025, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-13_9dc0bed1bd5aa4be93ea1e1b5c6b939d_cobalt-strike_ryuk.exe
Size

627KB
MD5

9dc0bed1bd5aa4be93ea1e1b5c6b939d
SHA1

597ba3a5049c521004a653e6fee8392f75dd3a27
SHA256

877e48025897375b2c526a2c27e7bc529c67625106f7124507f9a1dff86b622e
SHA512

a9ae820ad11a55a330a1e51429e2e0f4a517d47945f34e2e294d29adc15d11cfb8d0f53bcddda39afe9bd58e4e7b5edba124f2348e2571a7bd28a6165b90e59c
SSDEEP

12288:FbTIYhan3HgKiMuvfRuo/dXZEIGo02sHJyEysN4KxlN4:FbTIYhanIMuvowXZaTpVysyKXN4

Score

10^/10

cobaltstrike 0 1 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Extracted

Family

cobaltstrike

Botnet

http://38.54.88.100:443/ptj

Attributes

access_type
512
beacon_type
2048
host
38.54.88.100,/ptj
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGojX1gXykofhY6wzw30/n182LSqDWLt20xumnvVNRhUCWMwr7YJG/jKtUt6L0AIawa93GZ4rH1j9Pz3Jb0KmNrnru8JU2s+DhT4fR/kpibOPiqX608219fxjaYi22f5jUg9gZjHQHHl1YzvGJ3+zBOdcOF9itgmFGLNKkc9JCgwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
watermark
1

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2340	2100	2025-02-13_9dc0bed1bd5aa4be93ea1e1b5c6b939d_cobalt-strike_ryuk.exe	31
PID 2100 wrote to memory of 2340	2100	2025-02-13_9dc0bed1bd5aa4be93ea1e1b5c6b939d_cobalt-strike_ryuk.exe	31
PID 2100 wrote to memory of 2340	2100	2025-02-13_9dc0bed1bd5aa4be93ea1e1b5c6b939d_cobalt-strike_ryuk.exe	31
PID 2100 wrote to memory of 2748	2100	2025-02-13_9dc0bed1bd5aa4be93ea1e1b5c6b939d_cobalt-strike_ryuk.exe	33
PID 2100 wrote to memory of 2748	2100	2025-02-13_9dc0bed1bd5aa4be93ea1e1b5c6b939d_cobalt-strike_ryuk.exe	33
PID 2100 wrote to memory of 2748	2100	2025-02-13_9dc0bed1bd5aa4be93ea1e1b5c6b939d_cobalt-strike_ryuk.exe	33
PID 2748 wrote to memory of 2900	2748	cmd.exe	35
PID 2748 wrote to memory of 2900	2748	cmd.exe	35
PID 2748 wrote to memory of 2900	2748	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\2025-02-13_9dc0bed1bd5aa4be93ea1e1b5c6b939d_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-13_9dc0bed1bd5aa4be93ea1e1b5c6b939d_cobalt-strike_ryuk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c title è´ªåƒè›‡.ç”Ÿæ»å±€
  2⤵
  PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mode con cols=80 lines=35
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\system32\mode.com
    mode con cols=80 lines=35
    3⤵
    PID:2900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2100-1-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/2100-0-0x00000000003F0000-0x0000000000455000-memory.dmp

Filesize
404KB

Download
memory/2100-2-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads