General
-
Target
Inis.txt
-
Size
220KB
-
Sample
220105-vg7jksahck
-
MD5
d170dc71a6a37a1f0fa2174879eb6d58
-
SHA1
acd2d9132cfeaa4925076caebcff9f7d1f3e5784
-
SHA256
6e6d3f1224e9c5cb5fc392b292c3def7c585346bde8c7f7b2173677a4a0068b0
-
SHA512
036392ed22dc7aefd5acd6615b1f9ad015ff46d27c89bf41f34fde66e0008dd5e114b7888cde40698899032e96dcbce24eb37004c7ebf5b8823fe2c33cf4e391
Malware Config
Extracted
cobaltstrike
0
http://customsecurityusa.com:787/fam_calendar
http://customsecurityusa.com:787/search
http://customsecurityusa.com:787/ab
-
access_type
512
-
beacon_type
2048
-
host
customsecurityusa.com,/fam_calendar
-
http_header1
AAAAEAAAABtIb3N0OiBjdXN0b21zZWN1cml0eXVzYS5jb20AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAACgAAABNBY2NlcHQtRW5jb2Rpbmc6IGJyAAAABwAAAAAAAAAIAAAAAwAAAAIAAAAMcmVnX2ZiX2dhdGU9AAAABgAAAAZDb29raWUAAAAJAAAACmZuYW1lPXRydWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAABtIb3N0OiBjdXN0b21zZWN1cml0eXVzYS5jb20AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAAAAAcAAAABAAAACAAAAAMAAAACAAAABWRvaXQ9AAAABAAAAAcAAAAAAAAAAwAAAAIAAAAOX19zZXNzaW9uX19pZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
61655
-
port_number
787
-
sc_process32
%windir%\syswow64\runonce.exe
-
sc_process64
%windir%\sysnative\runonce.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCu+k6TVmSi20ZwCbVLBWVeUCBfLJKbTLQFx5TNMpJpPeXmok8PUd/LgP99COChiYYeYyZiLxRl1MCKsit82cRb2VHplkwKQIBcNe7icJLWG6XI+nX6yvAbrfjM3CZ2+14J7KVbSlvSepdezHWfJKUQxD2kRVPRSldPLvyYl8OcqwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
7.8457344e+07
-
unknown2
AAAABAAAAAIAAAJYAAAAAwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/tab_shop
-
user_agent
Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0
-
watermark
0
Targets
-
-
Target
Inis.txt
-
Size
220KB
-
MD5
d170dc71a6a37a1f0fa2174879eb6d58
-
SHA1
acd2d9132cfeaa4925076caebcff9f7d1f3e5784
-
SHA256
6e6d3f1224e9c5cb5fc392b292c3def7c585346bde8c7f7b2173677a4a0068b0
-
SHA512
036392ed22dc7aefd5acd6615b1f9ad015ff46d27c89bf41f34fde66e0008dd5e114b7888cde40698899032e96dcbce24eb37004c7ebf5b8823fe2c33cf4e391
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
suricata: ET MALWARE Cobalt Strike Malleable C2 Profile (__session__id Cookie)
suricata: ET MALWARE Cobalt Strike Malleable C2 Profile (__session__id Cookie)
-
Blocklisted process makes network request
-
Drops file in System32 directory
-