General

  • Target

    4ca3e59975efade9742cd840d23cdb493d89a63d4ce891d7cc415cf293a79198

  • Size

    407KB

  • Sample

    220704-kpfqqafgfk

  • MD5

    d056738d80ed5236e9af768fe2e42ad6

  • SHA1

    4af460ca2104d3faccfb2d4b165c37aa1981f4ca

  • SHA256

    4ca3e59975efade9742cd840d23cdb493d89a63d4ce891d7cc415cf293a79198

  • SHA512

    46a30b35d2c9f6a2b8b65eb26b2596537c8709295c93a493b8428fef7fada2e27b7f68078021cde9b30f7fe0e4221335a4463ebb4dbf1daf94fb4c1c4e07b028

Malware Config

Extracted

Family

cobaltstrike

Botnet

1

C2

http://114.115.141.15:4431/pixel.gif

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    114.115.141.15,/pixel.gif

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    4431

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTLfX+qitQykhzTnzJhFWMqaXM4QuHos2PacE6/BePejucSQ6l0mgBiGyt3nVX0MuvbDiqPqH6Gy1i3XD2EM835AgdVoBQQE0+xFyGIyT+o9+hQgwhlJiuSmh2sPHUZxCSfbqd0/TLHnusTjF0yM5FBTDPOB/wN4jn2+K1aASFLQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)

  • watermark

    1

Extracted

Family

cobaltstrike

Botnet

0

Attributes
  • watermark

    0

Targets

    • Target

      4ca3e59975efade9742cd840d23cdb493d89a63d4ce891d7cc415cf293a79198

    • Size

      407KB

    • MD5

      d056738d80ed5236e9af768fe2e42ad6

    • SHA1

      4af460ca2104d3faccfb2d4b165c37aa1981f4ca

    • SHA256

      4ca3e59975efade9742cd840d23cdb493d89a63d4ce891d7cc415cf293a79198

    • SHA512

      46a30b35d2c9f6a2b8b65eb26b2596537c8709295c93a493b8428fef7fada2e27b7f68078021cde9b30f7fe0e4221335a4463ebb4dbf1daf94fb4c1c4e07b028

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • suricata: ET MALWARE Cobalt Strike Beacon Observed

      suricata: ET MALWARE Cobalt Strike Beacon Observed

    • suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert

      suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert

MITRE ATT&CK Matrix

Tasks