General
-
Target
gls.js
-
Size
4.1MB
-
Sample
211021-v87zesaeg5
-
MD5
2103be68824b34dfb74873364d23f74b
-
SHA1
ebcc88331a1cbc3b73098c2245a8a81840703b0e
-
SHA256
3015444a70483b5abccb2d4f11a2de348dd6bb00614300b0058c761c0993d818
-
SHA512
5e47ef58756a739df8edf694efb672eea94abcae2c14ff306c7328b0ce2679a8ec10290d76b1586b1dd60337062270262d5b088f233ba2e82497311ff7b5545a
Malware Config
Extracted
cobaltstrike
651348195
http://glsllc.365updates.workers.dev:443/safebrowsing/fp/aTwivgcwHXjqy4NYQq2E
-
access_type
512
-
beacon_type
2048
-
host
glsllc.365updates.workers.dev,/safebrowsing/fp/aTwivgcwHXjqy4NYQq2E
-
http_header1
AAAACgAAABZYLUN1c3RvbS1QU0s6IFJlZGlyZWN0AAAAEAAAACNIb3N0OiBnbHNsbGMuMzY1dXBkYXRlcy53b3JrZXJzLmRldgAAAAoAAABHQWNjZXB0OiB0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9uL3htbDtxPTAuOSwqLyo7cT0wLjgAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUAAAAHAAAAAAAAAAgAAAACAAAAB1JFRj1JRD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAABZYLUN1c3RvbS1QU0s6IFJlZGlyZWN0AAAAEAAAACNIb3N0OiBnbHNsbGMuMzY1dXBkYXRlcy53b3JrZXJzLmRldgAAAAoAAABHQWNjZXB0OiB0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9uL3htbDtxPTAuOSwqLyo7cT0wLjgAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUAAAAHAAAAAAAAAAgAAAACAAAAC1U9MTkzdTgxMTQxAAAAAgAAAAdSRUY9SUQ9AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
3072
-
polling_time
11000
-
port_number
443
-
sc_process32
%windir%\syswow64\gpupdate.exe
-
sc_process64
%windir%\sysnative\gpupdate.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCklx/5IbNxgw3DRlfvPGUMcyNsfswv9wTzv7fQz2kiQNoQNRNRd+g+cZ2TGh73dFDTBQB9QCejuHNGHgm9H90yJ2/FHM4VxE3IfUCpelyGnekC8A33Szkjqt9ltmaWqBfwLNlPa8/32FPuKrFNr4BDfbKSZN5x8Ejcnt6zsRNu+QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/safebrowsing/fp/ebVBJhc6PlHSKNZI1Ojpt69M23VxN
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
-
watermark
651348195
Targets
-
-
Target
gls.js
-
Size
4.1MB
-
MD5
2103be68824b34dfb74873364d23f74b
-
SHA1
ebcc88331a1cbc3b73098c2245a8a81840703b0e
-
SHA256
3015444a70483b5abccb2d4f11a2de348dd6bb00614300b0058c761c0993d818
-
SHA512
5e47ef58756a739df8edf694efb672eea94abcae2c14ff306c7328b0ce2679a8ec10290d76b1586b1dd60337062270262d5b088f233ba2e82497311ff7b5545a
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request
-
Loads dropped DLL
-