General
-
Target
2019c7273403d1a629738f790efc05365aa6bfe56b39fc9766bac659cd4d34a1
-
Size
192KB
-
Sample
201111-xe8bdezcln
-
MD5
eafe3d601bb4f8581b0af53d6f0c19dd
-
SHA1
d9d7a9f7dd9f46f6a258d94f210c690a3c68efa2
-
SHA256
2019c7273403d1a629738f790efc05365aa6bfe56b39fc9766bac659cd4d34a1
-
SHA512
543eeebf7024f4ee27a966599439f62df965438bb70cccb6bcdda314d6091331fd21ab07e16a15667b9ca24310ffa9848466f5b2e8abf6e2b4ef88c5ff1e225e
Static task
static1
Behavioral task
behavioral1
Sample
2019c7273403d1a629738f790efc05365aa6bfe56b39fc9766bac659cd4d34a1.dll
Resource
win7v20201028
Behavioral task
behavioral2
Sample
2019c7273403d1a629738f790efc05365aa6bfe56b39fc9766bac659cd4d34a1.dll
Resource
win10v20201028
Malware Config
Extracted
cobaltstrike
http://upgrade-services.com:9080/include/template/isx.php
-
host
upgrade-services.com,/include/template/isx.php
-
http_header1
AAAACgAAAB5SZWZlcmVyOiBodHRwOi8vd3d3Lmdvb2dsZS5jb20AAAAKAAAAa0FjY2VwdDogdGV4dC94bWwsYXBwbGljYXRpb24veG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCx0ZXh0L2h0bWw7cT0wLjksdGV4dC9wbGFpbjtxPTAuOCxpbWFnZS9wbmcsKi8qO3E9MC41AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLXVzLGVuO3E9MC41AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
3
-
port_number
9080
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCW9hcxy5UADTH4ZChcg4H0L2Iab+4+0BRKfQE8g9klVOY1iLYq/l1hAx2NvmAmSqWAreCkMY0HV+BHL424gTs4yfz/cA/Sd+iB+mB3qEjkIpzrnCOrOvsQCaoK3ixalIiiVwBPrBcJfa0D+PygNrtdyW5jYnHg0DbgJl+Y14RTYQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
3.998553344e+09
-
unknown2
AAAABAAAAAEAAAAWAAAAAgAAAIAAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/includes/phpmailer/class.pop3.php
-
user_agent
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08
Targets
-
-
Target
2019c7273403d1a629738f790efc05365aa6bfe56b39fc9766bac659cd4d34a1
-
Size
192KB
-
MD5
eafe3d601bb4f8581b0af53d6f0c19dd
-
SHA1
d9d7a9f7dd9f46f6a258d94f210c690a3c68efa2
-
SHA256
2019c7273403d1a629738f790efc05365aa6bfe56b39fc9766bac659cd4d34a1
-
SHA512
543eeebf7024f4ee27a966599439f62df965438bb70cccb6bcdda314d6091331fd21ab07e16a15667b9ca24310ffa9848466f5b2e8abf6e2b4ef88c5ff1e225e
Score 10/10
ServiceHost packer
Detects ServiceHost packer used for .NET malware
-