cobaltstrike | 8eadab6b76ee32ea6a6fa8d289f6a9d52f86152e1e920d063dc926f147342d87 | Triage

Sharing

General

Target

8eadab6b76ee32ea6a6fa8d289f6a9d52f86152e1e920d063dc926f147342d87
Size

3.5MB
Sample

240627-mh78haygpr
MD5

68348fd60e013cc3a0973e5f7ab8a163
SHA1

8c007c80a0593a83826b068363c111206aac3456
SHA256

8eadab6b76ee32ea6a6fa8d289f6a9d52f86152e1e920d063dc926f147342d87
SHA512

0c109f0e3c12156fc5ac3c706b1ec2080a81a9a9804ded64a022e31fdf289d0aba0b441073253ed3f2b3295d3787304f68f841e164e8bcd3e4ccf890e132364c
SSDEEP

98304:JI1Aa9sezQlNwOb6aCPHJkobQNlZ2grri1AiL:+CKsezQTLVCPJk5Lp+zL

Score

10^/10

cobaltstrike 100000000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://jji.cz:2096/api/3

Attributes

access_type
512
beacon_type
2048
host
jji.cz,/api/3
http_header1
AAAAEAAAAAxIb3N0OiBjeGsuY3oAAAAHAAAAAAAAAAMAAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAAAxIb3N0OiBjeGsuY3oAAAAHAAAAAAAAAAwAAAAHAAAAAQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
2560
polling_time
5000
port_number
2096
sc_process32
%windir%\syswow64\WerFault.exe
sc_process64
%windir%\sysnative\WerFault.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl1NJ+bFxsyyI49thSKotqfq4Mr2Qy+3+WMOTRkMv2ihGvKZtup7Wfxma7MLUhG5mzhsySkYk3xe3O+t6EDjRMSiCrTJK0ii1Ld7FdUwd16otdklTi/iBfPoh9VxXullymxt/dbV4IK7cVmAZ3MImBeqBJkDs02318vDCkcHUdHQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/api/4
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Win64; x64; Trident/4.0)
watermark
100000000

Targets

- Target
  
  8eadab6b76ee32ea6a6fa8d289f6a9d52f86152e1e920d063dc926f147342d87
- Size
  
  3.5MB
- MD5
  
  68348fd60e013cc3a0973e5f7ab8a163
- SHA1
  
  8c007c80a0593a83826b068363c111206aac3456
- SHA256
  
  8eadab6b76ee32ea6a6fa8d289f6a9d52f86152e1e920d063dc926f147342d87
- SHA512
  
  0c109f0e3c12156fc5ac3c706b1ec2080a81a9a9804ded64a022e31fdf289d0aba0b441073253ed3f2b3295d3787304f68f841e164e8bcd3e4ccf890e132364c
- SSDEEP
  
  98304:JI1Aa9sezQlNwOb6aCPHJkobQNlZ2grri1AiL:+CKsezQTLVCPJk5Lp+zL
Score

10^/10

cobaltstrike 100000000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cobaltstrike100000000backdoortrojan

behavioral2

cobaltstrike100000000backdoortrojan