General
-
Target
8c07ade05b23afd0e5af2685527a4a3562c13c6443c1c80db2f8cf83855518ce
-
Size
455KB
-
Sample
220627-m2l5dacdg5
-
MD5
49d8e14b4889e5c0cc106feb03a34eac
-
SHA1
f50e5d132b3d6fe9533501da65de213befd53f7e
-
SHA256
8c07ade05b23afd0e5af2685527a4a3562c13c6443c1c80db2f8cf83855518ce
-
SHA512
3fd94c8cc8172ce9f306737b864dbabae910491b9fa9522399749a86b5e00c9c6aeec69eb9b5b0b7d63a28709761a019b2acf09ea73bf6830e3f354784392f30
Static task
static1
Behavioral task
behavioral1
Sample
????.docx.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
????.docx.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
WzComAddrBook64.dll
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
WzComAddrBook64.dll
Resource
win10v2004-20220414-en
Malware Config
Extracted
cobaltstrike
305419896
http://42.249.219.112:443/push
http://117.139.142.248:443/__utm.gif
http://58.221.30.69:443/dot.gif
http://42.249.219.112:443/dot.gif
http://117.139.142.248:443/g.pixel
http://58.221.30.69:443/j.ad
-
access_type
512
-
beacon_type
2048
-
host
42.249.219.112,/push,117.139.142.248,/__utm.gif,58.221.30.69,/dot.gif
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
polling_time
60000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCm6dDNosecwYifTVCVelinAuAlJwa3XU3XMOkS290iPmPmofjMd/+EOcoCE8d7xvj4mNtcSWHspfOAMs/dTabxOJDIqvrJQHVNimp3j1kB36AU92BokpBAlZ+i5NrOaQE1XC3RV2dU2e1PewC+QwIOsCvU7ljzvySxMN1oHGi0DQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; InfoPath.3)
-
watermark
305419896
Extracted
cobaltstrike
0
-
watermark
0
Targets
-
-
Target
????.docx.exe
-
Size
1.4MB
-
MD5
30f2444fe84adfbf39c60bb0c8e6d7d1
-
SHA1
3ec347b49517b1d165a3797db9816f78652e8988
-
SHA256
288084c0dc8bd71f5a09bda594f4f2f6f18271eca4fa459dcfc771a19dd46a25
-
SHA512
0b33a9cf6c820025bb61c7cf103e24a54c2a6326cd0f54cbc41d110e6be5e2a35b6348886964165b38f688c7f7d7a2a54cd410d784a46ec2619e32c28a210855
-
suricata: ET MALWARE Cobalt Strike Beacon Observed
suricata: ET MALWARE Cobalt Strike Beacon Observed
-
Suspicious use of SetThreadContext
-
-
-
Target
WzComAddrBook64.dll
-
Size
95KB
-
MD5
c8fa7eb79170457445f7c130d6684d3b
-
SHA1
1fdd87d319219d64ed4ceba7c9d8162021c422d3
-
SHA256
89a63d3e1693b0e567f54933193e862dfa49dbd989dfdb06a87f60a9e9a4945f
-
SHA512
3815799c30e2a933827308280a11b410c1fad94bdb1027804bba512d96a70be04bbf9a7df8e41e80c91f77a2313e924e1521bf8f0e02a1023898e1b33bef3b19
Score 1/10 -