General
Target: f4ac75a045acee2cadbe9fa0e02bfd4ab4124018e00193930966b8141351115f
Size: 4.0MB
Sample: 220113-lwhz4ahccl
MD5: 7669f00b467e2990be182584b341c0e8
SHA1: 2eaa91f38461d708ee6e94ec2f738f3cdfb229b7
SHA256: f4ac75a045acee2cadbe9fa0e02bfd4ab4124018e00193930966b8141351115f
SHA512: 46f70fe999b4461dd6b3cec4bc10ba6389f7f9c3aa685acf0830bd3c8c66d6474b77f2487496455e52b36905c39fc648b28bb72dd9e782a7d77d5b9cd33da560
Static task: static1
Behavioral task: behavioral1
Sample: f4ac75a045acee2cadbe9fa0e02bfd4ab4124018e00193930966b8141351115f.exe
Resource: win7-en-20211208
Malware Config
Extracted: cobaltstrike, 666, http://cofeeloveers.com:443/image/
access_type: 512
beacon_type: 2048
dns_idle: 6.7373064e+07
dns_sleep: 8.1297408e+08
host: cofeeloveers.com,/image/
http_header1: AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAAFJBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL3dlYnAsKi8qO3E9MC44AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAADQAAAAEAAAALL2tpdHRlbi5naWYAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAAc3siaW1hZ2VfdXJsIiA6ICJodHRwczovL3N1bjktMjMudXNlcmFwaS5jb20vRzRKdmRaREVmTGRJUGxOTjEtSmtNR1EydW5mMktFSVY1NE9tNWcvYWJKNzBqR0hmVmsuanBnIiwgIm1ldGFkYXRhIiA6ICIAAAABAAAAAiJ9AAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
jitter: 5120
maxdns: 235
polling_time: 60000
port_number: 443
sc_process32: %windir%\syswow64\dfrgui.exe
sc_process64: %windir%\sysnative\dfrgui.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+r+/ykAr2nRnQhGrS75YAUEbQAmNGkJlaJe92kB/VjTIauKLqrs3M0F5alC13I5xp4joeb0Xvewl/f2Hh9+IL5XHSODfjnbnsVyeX2pe2Z2tBJ9eq/NRNNsdPXkmPKhnkL95Uslczv8YVeu/uapbGAmuLctlo+M78SHN9SGHeAwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 3.2384e+09
unknown2: AAAABAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /temp/
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
watermark: 666
Extracted: cobaltstrike, 0
watermark: 0
Targets
Target: f4ac75a045acee2cadbe9fa0e02bfd4ab4124018e00193930966b8141351115f
Size: 4.0MB
MD5: 7669f00b467e2990be182584b341c0e8
SHA1: 2eaa91f38461d708ee6e94ec2f738f3cdfb229b7
SHA256: f4ac75a045acee2cadbe9fa0e02bfd4ab4124018e00193930966b8141351115f
SHA512: 46f70fe999b4461dd6b3cec4bc10ba6389f7f9c3aa685acf0830bd3c8c66d6474b77f2487496455e52b36905c39fc648b28bb72dd9e782a7d77d5b9cd33da560
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger