General

  • Target

    LawyerCustomerComplaint.exe

  • Size

    671KB

  • Sample

    210211-gmrx9hjjsa

  • MD5

    60772f2f4ba787c019ff29dc9c747381

  • SHA1

    98d4e1c4ae2e19da51f4543cb2cff51a4a7f2b3e

  • SHA256

    7fa4ef5925f7374a93494b97a6ab43b0951c2d504972bbf43f9d29398e55481f

  • SHA512

    93c38dd200d3bbac351e0e2debaa8f5468be12c07e4a3f0c518b8c91a1977e60791669b1c86fa67a748fd91e4a02029f6a83ee419a1875236646999a4b3beee4

Malware Config

Extracted

  • Family

    cobaltstrike

  • C2

    http://fast1arrival.com:443/sq

Attributes

  • access_type

    512

  • beacon_type

    2048

  • host

    fast1arrival.com,/sq

  • http_header1


  • http_header2


  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9984

  • polling_time

    56249

  • port_number

    443

  • sc_process32

    %windir%\syswow64\svchost.exe

  • sc_process64

    %windir%\sysnative\svchost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCF+q5cK4mfZa5R15DDfWC2PdZQHPNer+r8EseYI073nub+m1v0OArtntbBxfFHkj+3BfMkhLjUKa0beD9PWt8DUs6q3TyZHsmZEHZ/WMoKNJCEufCl1v6PGw+SJavUx+W0G7Vs1eHAQGnoogs/4+2E5tfUnKntDe5QrTV5osCsVwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    7.8457344e+07

  • unknown2

    AAAABAAAAAIAAAJYAAAAAwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /ab

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9

Targets

    • Target

      LawyerCustomerComplaint.exe

    • Cobaltstrike

      Detected a malicious payload that is part of Cobalt Strike.

    • Dave packer

      Detects an executable packed with the community packer named 'Dave', identified by a string at the end of the file.
