cobaltstrike | ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe
Size

5.4MB
MD5

961498dcc65e20844c81da3073d6c5b3
SHA1

70aab5c916eb0f91ce6ef0ca26654260b423ad79
SHA256

ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28
SHA512

2aac99aea83c5095f7e360e0421e252146f24986ca37580bb8e44427e93a5c2a218e93de3a57db328e75262dbf97cba02651882b10c11eaf8e9070cfadd7faed
SSDEEP

98304:DesmBEbbyX5ICDtPfeE/joXzKzA0xZRdp3zi5u5D41fopr26/Y1C/aYpaT9+Ru:DeDEbGX5ICteEroXGzlxZV3Gu5D4S26U

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://49.232.97.58:80/v1Mi

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 4 IoCs

Processes:

ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe

pid	process
4996	ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe
4996	ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe
4996	ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe
4996	ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe

description	pid	process	target process
PID 4724 wrote to memory of 4996	4724	ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe	ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe
PID 4724 wrote to memory of 4996	4724	ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe	ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe

C:\Users\Admin\AppData\Local\Temp\ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe
"C:\Users\Admin\AppData\Local\Temp\ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Users\Admin\AppData\Local\Temp\ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe
"C:\Users\Admin\AppData\Local\Temp\ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe"
2⤵
- Loads dropped DLL
PID:4996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI47242\VCRUNTIME140.dll
Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47242\_ctypes.pyd
Filesize
117KB

MD5
79f339753dc8954b8eb45fe70910937e

SHA1
3ad1bf9872dc779f32795988eb85c81fe47b3dd4

SHA256
35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007

SHA512
21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47242\base_library.zip
Filesize
811KB

MD5
a56b791f9bea3e473cba5e44c6332715

SHA1
023abf5acc96041068d8dd626d7d070fdb8b339b

SHA256
b746a06534e17018f9c7eb62240fb1d2ef3927c4fab11828f0fe850becad4e56

SHA512
a7703894f5890178df2255a61c562eaa54661eb7a3b2707ac2443e4f96d72ff6a5f5671777a5570b735a978ef040f9e9aa9b176d51ba48375e065b9dff28b9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47242\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47242\python310.dll
Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
memory/4996-22-0x000002C332680000-0x000002C332681000-memory.dmp

Filesize
4KB

Download