General
-
Target
ta580.zip
-
Size
288KB
-
Sample
230110-v3r11sgg49
-
MD5
d97402459cb90c8360edd529e6f7a32a
-
SHA1
f97add4a9124fa8db8efaf457d24a2ce69a1093e
-
SHA256
00a2ad580b475b5d302483074884a3b02e931fcea5dd54ae94976ae43e475b16
-
SHA512
7614fff7a6ea0950f51510a4894040d9f9b6794bd5d25104f054805f65aa68dbb159eba4beca0f56d68af072de3573b780001a129a57b1777d9abdf36d5523b8
-
SSDEEP
6144:EkTgUheBNoODTubgQKvLuCdDeJc1U2CRYIgCQPuBH0ogNbLQZ5x6QZx5xb:EkTgO2f2FKvyCdyQU0I6uV0pEm2R
Static task
static1
Behavioral task
behavioral1
Sample
document01.lnk
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
document01.lnk
Resource
win10v2004-20221111-en
Behavioral task
behavioral3
Sample
ipchains.dll
Resource
win7-20220901-en
Behavioral task
behavioral4
Sample
ipchains.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
price.bat
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
price.bat
Resource
win10v2004-20221111-en
Malware Config
Extracted
cobaltstrike
1580103814
http://23.108.57.161:443/Forums.css
http://157.254.194.123:443/Forums.css
http://182.23.109.22:443/bn.css
http://157.72.142.1:443/Forums.css
-
access_type
512
-
beacon_type
2048
-
host
23.108.57.161,/Forums.css,157.254.194.123,/Forums.css,182.23.109.22,/bn.css,157.72.142.1,/Forums.css
-
http_header1
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
-
http_header2
AAAAEAAAAA1Ib3N0OiBtc24uY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi1VUwAAAAoAAAAYQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluAAAABwAAAAEAAAADAAAAAwAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
10496
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGR0Qh3y+EUBYe3BK7qolMM8JPwPWG3qSISL7jSnjkuexL5sMHLtzoO5zoQBy+e4TrkofBD2/CsND498lUEN11cFR9Kw1NFw6DnLSlodbOZoq4yAd4rqFrAU7pQXMn+TDas8ZyiZ1Gk0sb29Z3S9pi2fsZj2g4ZLC8cpJipJJRmQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
2.708806656e+09
-
unknown2
AAAABAAAAAIAAAPVAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/dz
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
-
watermark
1580103814
Targets
-
-
Target
document01.lnk
-
Size
1KB
-
MD5
4230179e11830d5c25781306d113523b
-
SHA1
158c3323dc9d25981625bc1f4788ae4a9a6f5e60
-
SHA256
b3105f3b231b63e1e18f592d15acbba1fb1993e032360da28a14f41d60dad696
-
SHA512
342b01130dff4f62883602906245cf5ca4aa8e14ad397e07d7e383294d93dc826d43f32510648bcddd2295f0c082b5bf8f561b9b7bba302eecf23c9580e98c54
Score 8/10
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Loads dropped DLL
-
-
-
Target
ipchains.dll
-
Size
572KB
-
MD5
8fdd7858bf72589cafba3e8f98a6730b
-
SHA1
ee3d8b9e6c4fc004a167d8ad5cfd1b479d009769
-
SHA256
39cc8085e331d0fbf1122e561472f87611de3df5f70344ac7b160d96b3cf576f
-
SHA512
0666c91cdf842f5755cffbfb7da8d69a84de024d90d56772e3fe9b71b0c923791205e9215469c96cd3d66f8ba2956fc9d3fc99303481b72eb00ac7de7b97a7ad
-
SSDEEP
6144:5RsC6WbKlOsSPfGGu3KFGSpdc0x/POh4OML3OLyK9kon8m5I5XWOFLBSmOJQgyxy:5qt7s3TvV4hBML3OLyoytj2mzdI
Score 10/10
Blocklisted process makes network request
-
-
-
Target
price.bat
-
Size
2KB
-
MD5
2a677a2e87d30723a7f85db0e68246a0
-
SHA1
8d6e8fd707166f6989d025b6e47eb32251ddf007
-
SHA256
b9f0301c363e3e874f0020090db489b4621a7df827aa5202971d789f9762e145
-
SHA512
fd976416ff65521c01c7c3cb5ccc4a7ce1fe786032868ed58314b5c412fc7dd5f7bd00aaae169adf0a0be0bd6caf6b40aaa91aba6c2945670d4d4e718f0dfe56
Score 10/10
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Loads dropped DLL
-