General
-
Target
¹ØÓÚ¹«Ë¾·¢·ÅÔªÏü½Ú²¹ÌùµÄ֪ͨ.rar
-
Size
403KB
-
Sample
230206-q9nvqaeb84
-
MD5
deeae7b8d90765a958e579a2e9b38418
-
SHA1
af91b0dba1a7771aca4c1ea4b46ee0d1c176d10d
-
SHA256
66546f945b23298a9692e9d455273180ca3fed36cc069e38c7127c48861b5ef1
-
SHA512
0dc51d1ac424559ce4bb398955a9a28f7e56dd77f56772635bb5b249e835d5ec42f8ff5e81bde7be3e802529cf0651029b4cc7a0e0ee1ed6497faa14d703d2e9
-
SSDEEP
12288:9AdxNbqtFh2ZFQAYobpUXkyLaEda0dHiVv:9AdPgKQAYobsUEdaSHiVv
Malware Config
Extracted
cobaltstrike
426352781
http://101.43.190.181:8090/clemente/details
-
access_type
512
-
beacon_type
2048
-
host
101.43.190.181,/clemente/details
-
http_header1
AAAACgAAACZBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94bWw7Ki8qOwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAAEAAAABNIb3N0OiB3d3cuYmFpZHUuY29tAAAACgAAAFBDb29raWU6IEJJRFVQU0lEPXBzRDBkM2d4SXhCTGFSYTJ3c01oZkp2cmtGdFd5SUVxeXllQmdlX3F2ZWV0bXVMcUVtaEhnZkk5T2dZdHp3OwAAAAcAAAAAAAAADQAAAAgAAAANAAAABQAAAAJpZAAAAAkAAAADdT0wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94bWw7Ki8qOwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAAEAAAABNIb3N0OiB3d3cuYmFpZHUuY29tAAAACgAAAFBDb29raWU6IEJJRFVQU0lEPXBzRDBkM2d4SXhCTGFSYTJ3c01oZkp2cmtGdFd5SUVxeXllQmdlX3F2ZWV0bXVMcUVtaEhnZkk5T2dZdHp3OwAAAAcAAAABAAAADQAAAAYAAAANWC1DbGllbnQtRGF0YQAAAAcAAAAAAAAADQAAAAUAAAACaWQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
GET
-
polling_time
5000
-
port_number
8090
-
sc_process32
%windir%\syswow64\gpupdate.exe
-
sc_process64
%windir%\sysnative\gpupdate.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDzESqSDKV1cyVnt70NdVdeDYcFXdZy1+CIbBvbl7whKuDauX8H8mINREJZZYdIvzBPuG17JyWp14ofhEFb6LWu6r8PUpn8kmysMSgDsDxvty4s5qXdS5RSwrC6odUpNMsyTvMBSa2JyQ71VNJb4imtUItraCDpBh98trcWQ3Ip/wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown3
1.610612736e+09
-
uri
/service/api/json
-
user_agent
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
-
watermark
426352781
Targets
-
-
Target
关于公司发放元宵节补贴的通知/关于公司发放元宵节补贴的通知.lnk
-
Size
1KB
-
MD5
a58513ca5ebde24ffa7ad96e5a2065fb
-
SHA1
115bfc38e0abb589878d6c41ecf493e24a4ea0a5
-
SHA256
fc1f4697c93e2296b0b7bacebdb6ea49c53cfb321f45c4a718adb7316ef5adf8
-
SHA512
1b3dc68c055292ccb4fe375e16cccc8ff6b05a1713a9f213dffc66ed2e6bb9592a134a2ada2f5c876f8cb1759f629261eb750842bd1408341de72323b38bf5fd
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-