cobaltstrike | 7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 04:22

Target

7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe
Size

11.4MB
MD5

11e447ed88e8332795993110710b2ff7
SHA1

fae4af78e2bb99b1a510d629963b4c551607741a
SHA256

7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8
SHA512

fb8b4243245eb8baaa6022eb479069de8061725d340f63bf06ca4736a15103042446759121ac60ea78b6a563ab4bd28cd88a0730d4c09a85722c84c1f7337ce1
SSDEEP

196608:Jua9H1n4YZUIeeGVJsv6tWKFdu9CY+7f:xyVVJsv6tWKFdu9Cx

Score

10^/10

Family

cobaltstrike

http://154.204.178.211:8031/HuNR

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2036 2236 WerFault.exe 7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe

pid process

2236 7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe

pid process

2236 7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe

pid	pid_target	process	target process
2036	2236	WerFault.exe	7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe

pid	process
2236	7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe

pid	process
2236	7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe

description	pid	process	target process
PID 2236 wrote to memory of 2036	2236	7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe	WerFault.exe
PID 2236 wrote to memory of 2036	2236	7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe	WerFault.exe
PID 2236 wrote to memory of 2036	2236	7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe	WerFault.exe
PID 2236 wrote to memory of 2036	2236	7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe	WerFault.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 344
2⤵
- Program crash
PID:2036

memory/2236-0-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download