Exports: _ReflectiveLoader@4
Static task: static1
Behavioral task: behavioral1 (sample 2019c7273403d1a629738f790efc05365aa6bfe56b39fc9766bac659cd4d34a1.dll, resource win7v20201028)
Behavioral task: behavioral2 (sample 2019c7273403d1a629738f790efc05365aa6bfe56b39fc9766bac659cd4d34a1.dll, resource win10v20201028)
General
Target: 2019c7273403d1a629738f790efc05365aa6bfe56b39fc9766bac659cd4d34a1
Size: 192KB
MD5: eafe3d601bb4f8581b0af53d6f0c19dd
SHA1: d9d7a9f7dd9f46f6a258d94f210c690a3c68efa2
SHA256: 2019c7273403d1a629738f790efc05365aa6bfe56b39fc9766bac659cd4d34a1
SHA512: 543eeebf7024f4ee27a966599439f62df965438bb70cccb6bcdda314d6091331fd21ab07e16a15667b9ca24310ffa9848466f5b2e8abf6e2b4ef88c5ff1e225e
Malware Config
Extracted: cobaltstrike
C2 URL: http://upgrade-services.com:9080/include/template/isx.php
access_type: 0
beacon_type: 0
create_remote_thread: 0
day: 0
dns_idle: 0
dns_sleep: 0
host: upgrade-services.com,/include/template/isx.php
http_header1:
AAAACgAAAB5SZWZlcmVyOiBodHRwOi8vd3d3Lmdvb2dsZS5jb20AAAAKAAAAa0FjY2VwdDogdGV4dC94bWwsYXBwbGljYXRpb24veG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCx0ZXh0L2h0bWw7cT0wLjksdGV4dC9wbGFpbjtxPTAuOCxpbWFnZS9wbmcsKi8qO3E9MC41AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLXVzLGVuO3E9MC41AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
(base64 of a length-prefixed Malleable C2 transform block for the http-get client side: it decodes to three constant request headers, Referer: http://www.google.com, Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 and Accept-Language: en-us,en;q=0.5, followed by the instruction to base64-encode the session metadata and send it in a Cookie header; the trailing run of zero bytes is field padding)
http_header2:
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
(same encoding for the http-post client side: one constant header, Content-Type: application/octet-stream, the session id carried in a URL parameter named id, and the beacon output written raw into the request body)
http_method1: (empty)
http_method2: (empty)
injection_process: (empty)
jitter: 0
maxdns: 255
month: 0
pipe_name: \\%s\pipe\msagent_%x (the default SMB named-pipe pattern shipped with Cobalt Strike, so this operator did not customise it; named-pipe detections keyed on msagent_ will fire on this sample)
polling_time: 3
port_number: 9080
proxy_password: (empty)
proxy_server: (empty)
proxy_username: (empty)
sc_process32: (empty)
sc_process64: (empty)
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCW9hcxy5UADTH4ZChcg4H0L2Iab+4+0BRKfQE8g9klVOY1iLYq/l1hAx2NvmAmSqWAreCkMY0HV+BHL424gTs4yfz/cA/Sd+iB+mB3qEjkIpzrnCOrOvsQCaoK3ixalIiiVwBPrBcJfa0D+PygNrtdyW5jYnHg0DbgJl+Y14RTYQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
(despite the extractor's label, this is a DER-encoded SubjectPublicKeyInfo for a 1024-bit RSA key with public exponent 65537 (the MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ prefix is the standard rsaEncryption header for that size); it is the team server public key the beacon uses to encrypt its session metadata, and it is a better pivot for clustering samples from the same team server than the domain or URI)
unknown1: 3.998553344e+09 (an integer, 3998553344, that the extractor rendered in scientific notation)
unknown2:
AAAABAAAAAEAAAAWAAAAAgAAAIAAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3: 0
unknown4: 0
unknown5: 0
uri: /includes/phpmailer/class.pop3.php
user_agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08
year: 0
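The http_header1, http_header2 and state_machine values are printed as opaque base64. The script below is an added example, not part of the sandbox report and not Cobalt Strike's or any vendor's code: it decodes the two transform blobs with the length-prefixed encoding that public beacon-config decoders use, renders them back into Malleable C2 profile syntax next to the uri values from the config, and walks the DER of the state_machine value to show that it is an RSA SubjectPublicKeyInfo. The transform id table and the reading of the build slot numbers (slot 0 = metadata for http-get and id for http-post, slot 1 = output) are taken from that community tooling, not from this page, and are marked as assumptions in the code; the blob strings are copied from the config above.

```python
"""Decode the http_header1/http_header2 transform blobs and the state_machine
key from the Cobalt Strike config extracted above (standard library only)."""
import base64
import struct

# Values copied from the config on this page.
HTTP_HEADER1 = "AAAACgAAAB5SZWZlcmVyOiBodHRwOi8vd3d3Lmdvb2dsZS5jb20AAAAKAAAAa0FjY2VwdDogdGV4dC94bWwsYXBwbGljYXRpb24veG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCx0ZXh0L2h0bWw7cT0wLjksdGV4dC9wbGFpbjtxPTAuOCxpbWFnZS9wbmcsKi8qO3E9MC41AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLXVzLGVuO3E9MC41AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
STATE_MACHINE = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCW9hcxy5UADTH4ZChcg4H0L2Iab+4+0BRKfQE8g9klVOY1iLYq/l1hAx2NvmAmSqWAreCkMY0HV+BHL424gTs4yfz/cA/Sd+iB+mB3qEjkIpzrnCOrOvsQCaoK3ixalIiiVwBPrBcJfa0D+PygNrtdyW5jYnHg0DbgJl+Y14RTYQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
GET_URI = "/include/template/isx.php"
POST_URI = "/includes/phpmailer/class.pop3.php"

# Transform ids as used by public beacon-config decoders (assumed from that
# tooling, not stated on the page). Ids in STRING_ARG carry a uint32 length
# plus bytes, "build" (7) carries a uint32 slot number, the rest take nothing.
TRANSFORMS = {1: "append", 2: "prepend", 3: "base64", 4: "print",
              5: "parameter", 6: "header", 7: "build", 8: "netbios",
              9: "_parameter", 10: "_header", 11: "netbiosu",
              12: "uri_append", 13: "base64url", 15: "mask"}
STRING_ARG = {1, 2, 5, 6, 9, 10}
# "build" slot names (assumed as above): slot 0 is the metadata section of
# http-get and the id section of http-post, slot 1 is output.
SLOTS = {"http-get": {0: "metadata", 1: "output"},
         "http-post": {0: "id", 1: "output"}}
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _b64(s):
    """Decode a zero-padded blob; '=' and any trailing partial group are
    dropped so a mis-copied padding run cannot break decoding."""
    s = s.rstrip("=")
    return base64.b64decode(s[: len(s) - len(s) % 4])


def parse_transforms(blob):
    """Return [(step_name, argument)] for one transform block."""
    data, off, steps = _b64(blob), 0, []
    while off + 4 <= len(data):
        (tid,) = struct.unpack_from(">I", data, off)
        off += 4
        if tid == 0:  # terminator; the rest of the field is zero padding
            break
        name = TRANSFORMS.get(tid)
        if name is None:
            raise ValueError(f"unknown transform id {tid} at offset {off - 4}")
        if tid == 7:
            (slot,) = struct.unpack_from(">I", data, off)
            off += 4
            steps.append((name, slot))
        elif tid in STRING_ARG:
            (n,) = struct.unpack_from(">I", data, off)
            off += 4
            steps.append((name, data[off:off + n].decode("latin-1")))
            off += n
        else:
            steps.append((name, None))
    return steps


def to_malleable(steps, block, uri):
    """Render parsed steps as the client side of a Malleable C2 block."""
    lines = [f"{block} {{", f'    set uri "{uri}";', "    client {"]
    in_section = False
    for name, arg in steps:
        if name in ("_header", "_parameter"):  # constant "Name: value" / "k=v"
            key, val = arg.split(": " if name == "_header" else "=", 1)
            lines.append(f'        {name[1:]} "{key}" "{val}";')
        elif name == "build":
            if in_section:
                lines.append("        }")
            lines.append(f"        {SLOTS[block][arg]} {{")
            in_section = True
        elif arg is None:
            lines.append(f"            {name};")
        else:
            lines.append(f'            {name} "{arg}";')
    if in_section:
        lines.append("        }")
    return "\n".join(lines + ["    }", "}"])


def _tlv(buf, off):
    """Minimal DER reader: returns (tag, value_start, value_end)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length


def rsa_pubkey_info(blob):
    """Walk a SubjectPublicKeyInfo; return modulus size, exponent, DER length."""
    der = _b64(blob)
    tag, spki, spki_end = _tlv(der, 0)
    _, alg, alg_end = _tlv(der, spki)        # AlgorithmIdentifier
    _, oid, oid_end = _tlv(der, alg)         # OBJECT IDENTIFIER
    if tag != 0x30 or der[oid:oid_end] != RSA_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, bits, _ = _tlv(der, alg_end)          # BIT STRING; first byte = unused bits
    _, seq, _ = _tlv(der, bits + 1)          # RSAPublicKey SEQUENCE
    _, n0, n1 = _tlv(der, seq)               # INTEGER modulus
    _, e0, e1 = _tlv(der, n1)                # INTEGER publicExponent
    modulus = int.from_bytes(der[n0:n1], "big")
    return {"bits": modulus.bit_length(), "modulus": modulus,
            "exponent": int.from_bytes(der[e0:e1], "big"), "der_len": spki_end}


if __name__ == "__main__":
    print(to_malleable(parse_transforms(HTTP_HEADER1), "http-get", GET_URI))
    print(to_malleable(parse_transforms(HTTP_HEADER2), "http-post", POST_URI))
    info = rsa_pubkey_info(STATE_MACHINE)
    print(f"beacon public key: RSA-{info['bits']}, e={info['exponent']}")
```

Running it prints the http-get block with the three constant headers and `metadata { base64; header "Cookie"; }`, the http-post block with `id { parameter "id"; }` and `output { print; }`, and `RSA-1024, e=65537` for the key. The parser stops at the first zero transform id, which is why the long zero runs in the fields are harmless; an unknown id raises rather than silently desynchronising the offsets, which is the failure mode to watch for when a newer beacon version adds a step type.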
Signatures
Cobalt Strike reflective loader (1 IoC): detects the reflective loader used by Cobalt Strike. Match: resource sample, yara_rule cobalt_reflective_dll.
Cobaltstrike family
Files
2019c7273403d1a629738f790efc05365aa6bfe56b39fc9766bac659cd4d34a1.dll (windows x86)