General

  • Target

    bf4d9742ea09c84b3057aac8c456efd3b069a5d181f70ccd6e7524278c281596

  • Size

    681KB

  • Sample

    220704-kfc88shhc2

  • MD5

    0340cd41dc46e57d7a496c55e735f8b3

  • SHA1

    78ef3380bb7307d5b2020a35c5a845160b9405e3

  • SHA256

    bf4d9742ea09c84b3057aac8c456efd3b069a5d181f70ccd6e7524278c281596

  • SHA512

    7ee2732940b0626d0d45f364e35ed7207b09b9ba979468dfce281293d3817fac50379e43f1fa43affb7a7e22413b08352a024d19f089d3213af662ab4b103066

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

Attributes
  • watermark

    0

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://47.111.170.180:8888/load

Attributes
  • access_type

    512

  • host

    47.111.170.180,/load

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • polling_time

    60000

  • port_number

    8888

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCepxWkRvKff9aSr8NJNjICKAfOAkCwiFfvggEjm6rsOd85r6J2MO/aflKXRMu6HUJ7YdYYiTR4AqWEq0crzforQfGXDqJ355NO17M/jGAEtdClSmPsH/w3g3OgnEq4mk086l68Kw0uE3i/neDyRh+nRllGEVlzNToWUJqwR2asBQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

  • watermark

    305419896

Targets

    • Target

      bf4d9742ea09c84b3057aac8c456efd3b069a5d181f70ccd6e7524278c281596

    • Size

      681KB

    • MD5

      0340cd41dc46e57d7a496c55e735f8b3

    • SHA1

      78ef3380bb7307d5b2020a35c5a845160b9405e3

    • SHA256

      bf4d9742ea09c84b3057aac8c456efd3b069a5d181f70ccd6e7524278c281596

    • SHA512

      7ee2732940b0626d0d45f364e35ed7207b09b9ba979468dfce281293d3817fac50379e43f1fa43affb7a7e22413b08352a024d19f089d3213af662ab4b103066

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Tasks