General
-
Target
1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2
-
Size
202KB
-
Sample
201115-mp9pvxv9cs
-
MD5
4365a73b7ddbdff6e25bfcbb3778918b
-
SHA1
5bb622f8e35dcad4bf939884b5e62a76f4cebfc1
-
SHA256
1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2
-
SHA512
0bac9b01bd02336b0d9e72dc75a2ec374cd41a4e40f3566a35002ab968cbc230afaeac8a32a43768288a8698ba3769bb3e457e22271bb0f86bdfc5fa2b8007d8
Static task
static1
Behavioral task
behavioral1
Sample
1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2.dll
Resource
win7v20201028
Behavioral task
behavioral2
Sample
1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2.dll
Resource
win10v20201028
Malware Config
Extracted
cobaltstrike
http://ns.2018test.com:80/ca
http://ns1.2018test.com:80/ga.js
-
access_type
512
-
beacon_type
256
-
create_remote_thread
256
-
host
ns.2018test.com,/ca,ns1.2018test.com,/ga.js
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
60000
-
port_number
80
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgNfIU8hRaf78nQi6sA2J+cdQ2zlAluBmtXKo90Lnri1l6cI2PzT4pncx1dyOe2SHQLEN8jx5j3b88Q64TirXQ7jgt+oLQcU8S5qt3tbflGp8mz6sI4WPwtp8ZgUctyPPYD1PPXRop/GCoJw1G6MOusZo+jCChd2PDYQ+KAN+c8QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LBBROWSER)
Targets
-
-
Target
1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2
-
Size
202KB
-
MD5
4365a73b7ddbdff6e25bfcbb3778918b
-
SHA1
5bb622f8e35dcad4bf939884b5e62a76f4cebfc1
-
SHA256
1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2
-
SHA512
0bac9b01bd02336b0d9e72dc75a2ec374cd41a4e40f3566a35002ab968cbc230afaeac8a32a43768288a8698ba3769bb3e457e22271bb0f86bdfc5fa2b8007d8
Score 10/10
-
ServiceHost packer
Detects ServiceHost packer used for .NET malware
-