General
-
Target
Curriculum_Vitae_Protected.doc
-
Size
259KB
-
Sample
201119-rv4fmbb6h2
-
MD5
61710a01068b7ce0edb6bad429d1a589
-
SHA1
cd5eaccdf2f547002ec573512e8495f6e28e18f6
-
SHA256
c83d93a91e02c69b40def0cbc882f6dc9e10bb95570425018380b245d2a42849
-
SHA512
f2d51026953e1c533d83f74e46179932377de58f3982b9e19a85cb47d2a9c3c2b6a18bba70f5c36a0a0fc06956caf52d9d8c7b3add4ad4a8129a0660b7179752
Malware Config
Extracted
metasploit
windows/download_exec
http://d25bm6hkar6nys.cloudfront.net:443/CuMX
Extracted
cobaltstrike
http://d25bm6hkar6nys.cloudfront.net:443/api/v2/status
-
access_type
512
-
beacon_type
2048
-
host
d25bm6hkar6nys.cloudfront.net,/api/v2/status
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAIAAAADQAAAAIAAAAFX3NpZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAPAAAADQAAAAUAAAAEX3NpZAAAAAcAAAABAAAADwAAAA0AAAACAAAAAnE9AAAAAQAAAA4mc3VibWl0PVN1Ym1pdAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
17152
-
polling_time
50000
-
port_number
443
-
sc_process32
%windir%\syswow64\WerFault.exe
-
sc_process64
%windir%\sysnative\WerFault.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCggYu+B86qYK20olfyHZR+N8aFqAmVPRWTJDMbnVW/0NujEMsQ6MYc3rJLEjPf3Y+BfiOOjZ2R2ZpGeSBjNO5DGzRTebo7jSV1gPxvT1cgu6hek4V8SJWNFLXaDAfwlfR1sAlPpv1On8fOOgPG4lC1GLS7ehQAHCRykVM7I+ZvkwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.532302592e+09
-
unknown2
AAAABAAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/api/v2/search
-
user_agent
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Targets
-
-
Target
Curriculum_Vitae_Protected.doc
-
Size
259KB
-
MD5
61710a01068b7ce0edb6bad429d1a589
-
SHA1
cd5eaccdf2f547002ec573512e8495f6e28e18f6
-
SHA256
c83d93a91e02c69b40def0cbc882f6dc9e10bb95570425018380b245d2a42849
-
SHA512
f2d51026953e1c533d83f74e46179932377de58f3982b9e19a85cb47d2a9c3c2b6a18bba70f5c36a0a0fc06956caf52d9d8c7b3add4ad4a8129a0660b7179752
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-