General
-
Target
17ad8729021972956c6d6c85aae95c814d1792ffdc6aba57d8f560ad3c445beb
-
Size
387KB
-
Sample
220802-etxl5sadf3
-
MD5
ae997fac588605293f48a9445642820a
-
SHA1
085dbdb87326a7a743033e172dbd49d27b7e85a0
-
SHA256
17ad8729021972956c6d6c85aae95c814d1792ffdc6aba57d8f560ad3c445beb
-
SHA512
62229fbb8d752975ef592fa9c273a37897c1d187c51435b482bb9e83087baaef4e401454affe4f4d4ec1bc982826a6f712c08d49f34acba009790a4e44156fb2
Malware Config
Extracted
cobaltstrike
666666
http://service-lynlacy1-1313050835.bj.apigw.tencentcs.com:443/chatDev_9.1.2.js
-
access_type
512
-
beacon_type
2048
-
host
service-lynlacy1-1313050835.bj.apigw.tencentcs.com,/chatDev_9.1.2.js
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAANAAAAAgAAAAtDbGllbnRfdWlkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAPAAAADQAAAAUAAAAIcHJvZF91aWQAAAAHAAAAAQAAAA8AAAANAAAAAgAAAA97ImVuY29kZURhdGEiOiIAAAABAAAADyIsInR5cGUiOiIyOTcifQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
7680
-
polling_time
50000
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC21762mJ4uIPTYahhh7Gty+dKvf5gBREs4rPfSL8u5D2Rbu2m+0SphabY7gbGNXFTTyqv1Ti5ko0GPHozMHIkPLNeqUTl5pPgE5PV01w8xVRkpQUF+AxQY9xJPmhxp/p+ymAJl2BywyrBHy+hU+Ysts2ZW/j20vUNfKUGKbGj5AwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
2.3794944e+07
-
unknown2
AAAABAAAAAEAAAX0AAAAAgAAAFQAAAACAAAPXgAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/chat/encdata.js
-
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0; infoPath.112;) like Gecko
-
watermark
666666
Extracted
cobaltstrike
0
-
watermark
0
Targets
-
-
Target
17ad8729021972956c6d6c85aae95c814d1792ffdc6aba57d8f560ad3c445beb
-
Size
387KB
-
MD5
ae997fac588605293f48a9445642820a
-
SHA1
085dbdb87326a7a743033e172dbd49d27b7e85a0
-
SHA256
17ad8729021972956c6d6c85aae95c814d1792ffdc6aba57d8f560ad3c445beb
-
SHA512
62229fbb8d752975ef592fa9c273a37897c1d187c51435b482bb9e83087baaef4e401454affe4f4d4ec1bc982826a6f712c08d49f34acba009790a4e44156fb2
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request
-