General
-
Target
2222.exe-
-
Size
3.3MB
-
Sample
220617-ddewqacfg6
-
MD5
5ac82ec1c5c3c179db55f6e283325f7f
-
SHA1
4b209d3f027d72ce9c4f5e58fea8e6985506df32
-
SHA256
f423211a5d832e9f59cb5a296057e58bc65b6a609e1ae9da4d9e96ad79294852
-
SHA512
5cfd3dd56b713bfb3fd9c171a63449727ee1c5333082dd70275dd656d9b02177f5bb9285733cede6c5804a3e6aec4cf119f03bf6608bf917bfe6269cea705c93
Malware Config
Extracted
metasploit
windows/download_exec
http://service-bv4lng5j-1307188804.sh.apigw.tencentcs.com:443/icons.ico
Extracted
cobaltstrike
123456789
http://service-bv4lng5j-1307188804.sh.apigw.tencentcs.com:443/search
-
access_type
512
-
beacon_type
2048
-
host
service-bv4lng5j-1307188804.sh.apigw.tencentcs.com,/search
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAA4Q29va2llOiBEVVA9UT1HcE8xbkpwTW5hbTRVbGxFZm1lTWRnMiZUPTI4Mzc2NzA4OCZBPTEmSUcAAAAKAAAAJlJlZmVyZXI6IGh0dHBzOi8vd3d3LmNsb3VkLnRlbmNlbnQuY29tAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAA4Q29va2llOiBEVVA9UT1HcE8xbkpwTW5hbTRVbGxFZm1lTWRnMiZUPTI4Mzc2NzA4OCZBPTEmSUcAAAAHAAAAAAAAAAMAAAACAAAACUpTRVNTSU9OPQAAAAYAAAAGQ29va2llAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
2560
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCL5paOYS4Ch1fPxUdk++MXZjFcM7wZwYlNISngRRx0nzl6odYr1pwKR6WAmtf/nWNps+lMhviFYU76dlCjUSHGk6vwoR6YuaS9D93tuFZyzco4ZX6jzlWrKLN9Gl/uC0/9tu6h1DtZ8xBeH0UBeP8+KgzTvXRgdYQq0l0/UaWD1QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
3.82554112e+09
-
unknown2
AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/switch
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
-
watermark
123456789
Targets
-
-
Target
2222.exe-
-
Size
3.3MB
-
MD5
5ac82ec1c5c3c179db55f6e283325f7f
-
SHA1
4b209d3f027d72ce9c4f5e58fea8e6985506df32
-
SHA256
f423211a5d832e9f59cb5a296057e58bc65b6a609e1ae9da4d9e96ad79294852
-
SHA512
5cfd3dd56b713bfb3fd9c171a63449727ee1c5333082dd70275dd656d9b02177f5bb9285733cede6c5804a3e6aec4cf119f03bf6608bf917bfe6269cea705c93
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-