General

  • Target

    1c96ff0aeb13f61afefa436ba17af2f783113d5e29b067e5f12259500c4e44a3

  • Size

    278KB

  • Sample

    220117-ps5apsadfp

  • MD5

    92e302b598be6c149209c33b1e6d33c2

  • SHA1

    8e5e79a529651017b9487318c1e12e6255279c36

  • SHA256

    1c96ff0aeb13f61afefa436ba17af2f783113d5e29b067e5f12259500c4e44a3

  • SHA512

    0730cbebd0dfcb9d70d3a7317dbde4c213a67a1d599122bcbb451fcff78e0ab6c2d9ab9bcf5cec78dfdf6fbec35570f3adad7ef6103e1fc8474c33618e132721

Malware Config

Extracted

Family

cobaltstrike

Botnet

426352781

C2

http://46.17.98.180:3254/push

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    46.17.98.180,/push

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    3254

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCDXNMofGkCyNUn8qZuFWifMlXfTzaQKjEGDr257ki7OXdp7ETU1kQeaWpxVZ5Beh31U+4HTagxCwsGsl5RpT0HHBnETOx7wbON+jYNk0tVIepOu/TifjYs+VOwKYCqnVZStS/1BHq5z3rQiAkXGV7IvSZPQOqCG0e3pDJHSQirvQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MASB)

  • watermark

    426352781

Targets

    • Target

      1c96ff0aeb13f61afefa436ba17af2f783113d5e29b067e5f12259500c4e44a3

    • Size

      278KB

    • MD5

      92e302b598be6c149209c33b1e6d33c2

    • SHA1

      8e5e79a529651017b9487318c1e12e6255279c36

    • SHA256

      1c96ff0aeb13f61afefa436ba17af2f783113d5e29b067e5f12259500c4e44a3

    • SHA512

      0730cbebd0dfcb9d70d3a7317dbde4c213a67a1d599122bcbb451fcff78e0ab6c2d9ab9bcf5cec78dfdf6fbec35570f3adad7ef6103e1fc8474c33618e132721

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • suricata: ET MALWARE Cobalt Strike Beacon Observed

      suricata: ET MALWARE Cobalt Strike Beacon Observed

    • suricata: ET MALWARE Cobalt Strike Beacon Observed (MASB UA)

      suricata: ET MALWARE Cobalt Strike Beacon Observed (MASB UA)

MITRE ATT&CK Matrix

Tasks