Ihopot2.dll

General
Target

Ihopot2.dll

Size

404KB

Sample

211214-vw9mgsgbe3

Score
10 /10
MD5

c681c785d6055a1d5a8fe74403c9dfe9

SHA1

50713534b62404d6f502a3efa129460fd7fb6927

SHA256

f9c4a119234df78e1ad71b10fb0bf18622fd5245b72b93e5b71992f20cb9fd2e

SHA512

bdd5135e3092c3a69340ef4790756d3fe1be933a83d3ab65c3b80d2aa2a134249d70ae67027605035b9e16e792d8a4930af73124ac0d8280674dd3d44f9a8e62

Malware Config

Extracted

Family cobaltstrike
C2

http://bqtconsulting.com:443/image-directory/templates.mp3

Attributes
user_agent
Host: bqtconsulting.com Connection: close Accept: image/jpeg Accept-Language: en-GB;q=0.9, *;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246

Extracted

Family cobaltstrike
Botnet 305419776
C2

http://bqtconsulting.com:443/da.html

Attributes
access_type
512
beacon_type
2048
host
bqtconsulting.com,/da.html
http_header1
AAAAEAAAABdIb3N0OiBicXRjb25zdWx0aW5nLmNvbQAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAHAAAAAAAAAAgAAAADAAAAAgAAAAVIU0lEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAABdIb3N0OiBicXRjb25zdWx0aW5nLmNvbQAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAGENvbnRlbnQtVHlwZTogdGV4dC9wbGFpbgAAAAcAAAABAAAACwAAAAMAAAAEAAAABwAAAAAAAAADAAAAAgAAAA5fX3Nlc3Npb25fX2lkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
11008
polling_time
57750
port_number
443
sc_process32
%windir%\syswow64\svchost.exe
sc_process64
%windir%\sysnative\svchost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCIb457MN0OxBGqjtu2Ps94Quqgo0FAOwvyWXZK225TmZ4JymCqXghrwYOcQgz1rXZeQkoOjEomrqjIEnpxYzaQfmCsBw7d95XXIlpznmf2Pma4kLzC6W8/zmW9NN6ojMS+dPMe3nzA5qrABXXCd2g/JGMYUb6fIp2oVLeQP83tVQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
7.8457344e+07
unknown2
AAAABAAAAAIAAAJYAAAAAwAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/copyright
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
watermark
305419776
Targets
Target

Ihopot2.dll

MD5

c681c785d6055a1d5a8fe74403c9dfe9

Filesize

404KB

Score
10/10
SHA1

50713534b62404d6f502a3efa129460fd7fb6927

SHA256

f9c4a119234df78e1ad71b10fb0bf18622fd5245b72b93e5b71992f20cb9fd2e

SHA512

bdd5135e3092c3a69340ef4790756d3fe1be933a83d3ab65c3b80d2aa2a134249d70ae67027605035b9e16e792d8a4930af73124ac0d8280674dd3d44f9a8e62

Tags

Signatures

  • Cobaltstrike

    Description

    Detected malicious payload which is part of Cobaltstrike.

    Tags

  • Blocklisted process makes network request

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Discovery
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Tasks

                        static1