General
- Target: beacon.exe
- Size: 14KB
- Sample: 220331-rjdgqshbfm
- MD5: 2d0e28316e3f60de63654609f3a1b297
- SHA1: 99e64215ea6f3027dc1928ac26443953c8f5294d
- SHA256: 8c8b4cd6f149a3b9cfaeb11f49d8748233731be028b8e9ad9b3f8d0c3987cfc8
- SHA512: 481bd8ff670f2e637d4678e37927e2c76d7dd35a6034ced40b5b62c60d082951740874fc58743002c61d5cebfaec508f983c3dd7cddad8ed711d97e9ae12d713
Static task: static1
Behavioral task: behavioral1
- Sample: beacon.exe
- Resource: win7-20220311-en
Behavioral task: behavioral2
- Sample: beacon.exe
- Resource: win10v2004-en-20220113
Malware Config
Extracted: cobaltstrike
- http://qb.awotj.com:80/pacom003/ST/CSo0w1j8/d/2376/lo2c.htm
- user_agent: Accept: */* Connection: Keep-Alive Cache-Control: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.177 Host: qb.awotj.com
Extracted: cobaltstrike (1)
- http://qb.awotj.com:80/pacom003/_layouts/Wopi/01554532-64bc-45ee-9645-512577ae642d
- access_type: 512
- host: qb.awotj.com,/pacom003/_layouts/Wopi/01554532-64bc-45ee-9645-512577ae642d
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAOc2Vzc2lvbi10b2tlbj0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_header2:
- http_method1: GET
- http_method2: POST
- jitter: 7680
- polling_time: 5500
- port_number: 80
- sc_process32: %windir%\syswow64\w32tm.exe
- sc_process64: %windir%\sysnative\w32tm.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCRpwp8UKDSrLYmg1T8qsKaBTiSXmGzJsxjfT1zSQAP4VsmBXHqnwIcuUrjaAfl0yFmxYlo2kUpHgGryMxFXKaFfanzRs+TOYzHMW1p5kwzLgwsHY7GPfVUG1mVTpq3WIFkQ6ltcRC79FXrjKSlcQbTMZXNg/aQ3C9F0HAZzpNnBQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 1.515525376e+09
- unknown2: AAAABAAAAAIAAAAEAAAADQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /pacom003/person/ithelp/bug/list
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.177
- watermark: 1
Targets
- Target: beacon.exe
- Size: 14KB
- MD5: 2d0e28316e3f60de63654609f3a1b297
- SHA1: 99e64215ea6f3027dc1928ac26443953c8f5294d
- SHA256: 8c8b4cd6f149a3b9cfaeb11f49d8748233731be028b8e9ad9b3f8d0c3987cfc8
- SHA512: 481bd8ff670f2e637d4678e37927e2c76d7dd35a6034ced40b5b62c60d082951740874fc58743002c61d5cebfaec508f983c3dd7cddad8ed711d97e9ae12d713
Score: 10/10
- suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
- Blocklisted process makes network request
- Suspicious use of SetThreadContext