General

  • Target

    6245829281742848.zip

  • Size

    453KB

  • Sample

    220208-r51t6ahdb3

  • MD5

    61cc4e3184588e79a3a6d93202e492f8

  • SHA1

    f84f03679447a51c941527f047c324bc341e67d2

  • SHA256

    46f18091cf10d22dfb79b372c9c0d44f3547ec2fb9f0f7c772ef08b33ed53a83

  • SHA512

    0066d2f81b0325eb40492f8b91f78af1ef8fc1655c98bd523ff96d1ae6079ab5adf90432d3091dfcf4a8592b76c83ecc6c89c2028178b5ad9b00a18813cb8c61

Malware Config

Extracted

Family

cobaltstrike

Botnet

1359593325

C2

http://doggroomingnews.com:443/storage/main.woff2

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    doggroomingnews.com,/storage/main.woff2

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    15000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCme/zaiZGT7pLjqDAy16p3eFtu90inaA2f41oeA4p/oHZuEumSy882EEc1UdIdb1t55cOwN7OQrfDBkRhcI9ZJuFVHFjb+O01lf9ppl+xBjW0Z7rjpo8RLJCmwNWyymCD1iQJuG0DSkU+RTjZPelztOIFqJS9twRnuhA7wGUGgkwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    5.76066816e+08

  • unknown2

    AAAABAAAAAEAAABjAAAAAgAAAGQAAAANAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /storage/page.woff2

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4183.83 Safari/537.36

  • watermark

    1359593325

Targets

    • Target

      ScanClientUpdate/KM.EKeyAlmaz1C.dll

    • Size

      165KB

    • MD5

      021e42c964102fd263d474427ee78193

    • SHA1

      8a6227b6db02b8ba278e13ccd6eece907e3657f0

    • SHA256

      2fbe9b3eda5da1e2eded989941fdbb4e967245a53231d9c0c9333eb6486215c7

    • SHA512

      d517bcb9cfdd4082242ed6a2d12abef54db5fb31da19ce3d91665268a9006a9d9cda69bf28a8395b501df1cc8b22d0968b7af965e8a120c2db6c1f85c2e528e2

    Score
    4/10
    • Target

      ScanClientUpdate/KM.EKeyCrystal1.dll

    • Size

      78KB

    • MD5

      c21cccc561ca98da7ec8ef95b48ab8a7

    • SHA1

      0fc6747f2bd560326ca40e76babd086420b184a8

    • SHA256

      83b3bfd458fd458c6e95a1b580adb5c8b7e0e029468d348ea05879638a9aa243

    • SHA512

      35831e39e8e3c1e90d284ffd8afcb60c1c5e84014aef6d02e736257e2f68bdb9c92e1797fcaf167515b52d9be2f5e0dd2d7825a7de6af8d56340d3103536767c

    Score
    4/10
    • Target

      ScanClientUpdate/KM.FileSystem.dll

    • Size

      282KB

    • MD5

      66534e53d8751a24a767221fed01268d

    • SHA1

      fc781887fd0579044bbf783e6c408eb0eea43485

    • SHA256

      3b94cc71c325f9068105b9e7d5c9667b1de2bde85b7abc5b29ff649fd54715c4

    • SHA512

      1f1b784b280bc34761ae93893ae7d95ebc6e5515542f153df7c91b00adfa796b3b2bee1a5857e0bb07d13c93b4df0eec3e1fd85911c79153b2d6c824a3a79369

    Score
    4/10
    • Target

      ScanClientUpdate/KM.IDCard.dll

    • Size

      224KB

    • MD5

      f7fa5d0c24b508e4be1bd11ad15a7971

    • SHA1

      d0efe19b25d1cf63ab131653e60c6fbae5271df5

    • SHA256

      44f79ddc089fbcd5325f7786389b22dd99cdaa0c5d0857248f78a3f9abd542d0

    • SHA512

      70cfbeb64728c14d38661264d5c422e36162a56805f7d20f5b288346e87394724b00b079f6145c2cc75bf2598a2796184092c7f0e6e92af30ec03e94f933414b

    Score
    4/10
    • Target

      ScanClientUpdate/ScanClientUpdate.lnk

    • Size

      1KB

    • MD5

      d98d2caa6e63ca70c245e1d6eda2100b

    • SHA1

      44b1884801c72dc8b218298aa1c537c69f2dfbfa

    • SHA256

      74202eed181e2b83dd0ab6f791a34a13bd94e63e86b82395f9443cb5aeddc891

    • SHA512

      2f63de892d0d757a2310ed5d1c59a8059b9a5fac9dc8c8f45c56b140d82e1009c9d25ff6a9ca9b27e571ee27e8a3329148f53a86cc73ef4a5384387526eb2cfa

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery

    Query Registry (3) T1012

    System Information Discovery (4) T1082

Tasks