General
-
Target
83c830efbeb6dd41df39ecf0d74bd926419794a6453ab460d08c5b0b5d7865fc.zip
-
Size
347KB
-
Sample
230207-per38abe95
-
MD5
9c15cf992e259fdf7c09c0ffccd71a18
-
SHA1
34320e94506b41e4f84dd939286c35e2fbf133de
-
SHA256
83c830efbeb6dd41df39ecf0d74bd926419794a6453ab460d08c5b0b5d7865fc
-
SHA512
e8e0be29d19007bcd0cb1657eb91ae9bc3ef0185176ddcaca5fe2e86976f687a7141a0a5068b286d9ac06c8180f60a619cf9abedab6b1443925b8418ace56633
-
SSDEEP
6144:OYGF3rmB6x1yU2al34tq3zTBB0bV64x+pxS4JUMSEbWAD5Dl:OYB6xUpaitqjt++DJJEA1h
Malware Config
Extracted
cobaltstrike
100000
http://103.229.124.219:443/jquery-3.3.1.min.js
-
access_type
512
-
beacon_type
2048
-
host
103.229.124.219,/jquery-3.3.1.min.js
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogMTAzLjIyOS4xMjQuMjE5AAAACgAAACBSZWZlcmVyOiBodHRwOi8vY29kZS5qcXVlcnkuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAANAAAAAgAAAAlfX2NmZHVpZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogMTAzLjIyOS4xMjQuMjE5AAAACgAAACBSZWZlcmVyOiBodHRwOi8vY29kZS5qcXVlcnkuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAPAAAADQAAAAUAAAAIX19jZmR1aWQAAAAHAAAAAQAAAA8AAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
1000
-
port_number
443
-
sc_process32
%windir%\syswow64\Werfault.exe
-
sc_process64
%windir%\sysnative\Werfault.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCju39uea7UP3NS+1fynoWQWZdiRYj8IBWzEXgrWt2Es/KPzNwmqRc1abTxN5F2uKX57pK/zB/VOb2voDec3uNMXKX/guHmC/MsbM0yzLFwc7vL3qML78QVRqadpATTw8UgVE7SZN3bz9dIB8T1wsKqm4A0X8eMrILCJmOBHT5kAwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.234810624e+09
-
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/jquery-3.3.2.min.js
-
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
-
watermark
100000
Extracted
cobaltstrike
0
-
watermark
0
Targets
-
-
Target
˰ָֿϣ밴ָֿۣ/ֿ걨ָϣ밴ָ˰ֿۣ.docx.lnk
-
Size
1KB
-
MD5
08ae386b3db37884c581fd43899d5ddc
-
SHA1
afce4c056d86137600d46ef1a776911740d67e80
-
SHA256
350fa869635ac7ff181650aff76f0f50248a6c38b90f5bc80ac34c1dca8d4b4e
-
SHA512
32461d4e29b18df7abb3cb9e1348e872d104df1fb26fe5a3a3d851b225cf87965ab26c64342d902e71e841a0eccab0e74e4db012949cbbe67bcb8c74af6c288d
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-