General
-
Target
02bf021081901bb47de6253653f4021528eb30727350cc0a680d507dca723f6d
-
Size
3.2MB
-
Sample
220923-nmsjaaaaep
-
MD5
b3f9d25d450914d3105c6f10a39078e6
-
SHA1
ae710720ed980a3f4535845b3d4d7e7000fb4303
-
SHA256
02bf021081901bb47de6253653f4021528eb30727350cc0a680d507dca723f6d
-
SHA512
d3271cb6ab9807971d6795e1fd1fbf84f378c6114fabcb33ae26edf75e26b2c9fac52dd3b0241bad7dfd0d03e6602fe806e76fc023af2afd21c4c825d86814f1
-
SSDEEP
98304:3lPko/gEWKBbe5N8Cud12tYclrqsh2otx:xpvxUudUrTh1tx
Malware Config
Extracted
cobaltstrike
305419896
http://192.168.238.128:80/pixel
-
access_type
512
-
host
192.168.238.128,/pixel
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
polling_time
60000
-
port_number
80
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tPKs8MV4yIjJb5CtlrbKHjzP1oD/1AQsj6EKlEMFIKtakLx5+VybrMYE+dDdkDteHmVX0AeFyw001FyQVlt1B+OSNPRscKI5sh1L/ZdwnrMy6S6nNbQ5N5hls6k2kgNO5nQ7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MASB)
-
watermark
305419896
Extracted
cobaltstrike
0
-
watermark
0
Targets
-
-
Target
02bf021081901bb47de6253653f4021528eb30727350cc0a680d507dca723f6d
-
Size
3.2MB
-
MD5
b3f9d25d450914d3105c6f10a39078e6
-
SHA1
ae710720ed980a3f4535845b3d4d7e7000fb4303
-
SHA256
02bf021081901bb47de6253653f4021528eb30727350cc0a680d507dca723f6d
-
SHA512
d3271cb6ab9807971d6795e1fd1fbf84f378c6114fabcb33ae26edf75e26b2c9fac52dd3b0241bad7dfd0d03e6602fe806e76fc023af2afd21c4c825d86814f1
-
SSDEEP
98304:3lPko/gEWKBbe5N8Cud12tYclrqsh2otx:xpvxUudUrTh1tx
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-