General
-
Target
4e9580ffb8bab8f70e2a1a6dfd5e29b279ae3ed0eb828aa11cf58d12f0dc6cdd.ps1
-
Size
6KB
-
Sample
220125-l1vvfsdeem
-
MD5
c32ebbb82ca3f2587dc411aa2c17c8cd
-
SHA1
2b3a67f341f09bc736f0257b8e34a2f350a817bc
-
SHA256
4e9580ffb8bab8f70e2a1a6dfd5e29b279ae3ed0eb828aa11cf58d12f0dc6cdd
-
SHA512
84c99f25682cce38fdb14f2d2f126768d387758e766f3731d5146812afa7b8ac0f602ab1db75b7096964cbae8895ccd8f3cef7f802df803d2d273eedbaf459e3
Static task
static1
Behavioral task
behavioral1
Sample
4e9580ffb8bab8f70e2a1a6dfd5e29b279ae3ed0eb828aa11cf58d12f0dc6cdd.ps1
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
4e9580ffb8bab8f70e2a1a6dfd5e29b279ae3ed0eb828aa11cf58d12f0dc6cdd.ps1
Resource
win10-en-20211208
Malware Config
Extracted
cobaltstrike
http://208.87.206.140:1443/TVZY
-
user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MDDRJS)
Extracted
cobaltstrike
426352781
http://208.87.206.140:1443/IE9CompatViewList.xml
-
access_type
512
-
beacon_type
2048
-
host
208.87.206.140,/IE9CompatViewList.xml
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
1443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCRBsKRFE/mNvtYDYKs30r+2hJYGhV87My0blRS9rU9SOcXg6EaLjgrVv208ZNEeFKuARdAV7SpsrlidYeqPDKbTwpzK1NRjkz6uDh50eAR1xqR/uCQZr6MVUNuLHCHMtnt84d4D7trq1zVEFHz2SphTjFZC/VjGQeqyoKc2uSyZwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)
-
watermark
426352781
Targets
-
-
Target
4e9580ffb8bab8f70e2a1a6dfd5e29b279ae3ed0eb828aa11cf58d12f0dc6cdd.ps1
-
Size
6KB
-
MD5
c32ebbb82ca3f2587dc411aa2c17c8cd
-
SHA1
2b3a67f341f09bc736f0257b8e34a2f350a817bc
-
SHA256
4e9580ffb8bab8f70e2a1a6dfd5e29b279ae3ed0eb828aa11cf58d12f0dc6cdd
-
SHA512
84c99f25682cce38fdb14f2d2f126768d387758e766f3731d5146812afa7b8ac0f602ab1db75b7096964cbae8895ccd8f3cef7f802df803d2d273eedbaf459e3
Score 10/10
suricata: ET MALWARE Cobalt Strike Beacon Observed
suricata: ET MALWARE Cobalt Strike Beacon Observed
-
Blocklisted process makes network request
-