General
-
Target
c28fbd29f.exe
-
Size
5.6MB
-
Sample
230208-g6svtshd95
-
MD5
af226bd5a4f6f175ffe81288b3eb8eb2
-
SHA1
6ee8bba0f21d35d492f497caf8c5ab9d1067419a
-
SHA256
c28fbd29fc81b4c523b1408799a00555a2f6e67f4767643755fa9ac34cc4ea77
-
SHA512
6bd3fef658da2a94c9fded2f4054acf5f166734ff0e2b4115982a5ec5f189ae71a3845546f7a95da22e4bcbc91be976188927e7fea06d8541140995f51933980
-
SSDEEP
98304:Rah1HsKSzH9E/48v7HE7dB2Wq3zIzyNZEI+iZ7q1zPPXNAjtVa/u:EkG3vzIB2ei+I+7NAjtVa/u
Malware Config
Extracted
cobaltstrike
666666
http://css.bustring.com:443/safebrowsing/QVXHQf/QVXHQfXdpinARC06MctcJ4hprcWoBIZaDp2-M
-
access_type
512
-
beacon_type
2048
-
host
css.bustring.com,/safebrowsing/QVXHQf/QVXHQfXdpinARC06MctcJ4hprcWoBIZaDp2-M
-
http_header1
AAAAEAAAAB5Ib3N0OiBhcGkuYWN0aXZlLW1pY3Jvc29mdC5jb20AAAAKAAAAR0FjY2VwdDogdGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksKi8qO3E9MC44AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAABwAAAAAAAAALAAAAAgAAAA9SRUY9SUQ9UVZYSFFmeWYAAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAAB5Ib3N0OiBhcGkuYWN0aXZlLW1pY3Jvc29mdC5jb20AAAAKAAAAR0FjY2VwdDogdGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksKi8qO3E9MC44AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAABwAAAAAAAAALAAAAAgAAAA9SRUY9SUQ9UVZYSFFmeWYAAAAGAAAABkNvb2tpZQAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
5120
-
polling_time
30000
-
port_number
443
-
sc_process32
%windir%\syswow64\gpupdate.exe
-
sc_process64
%windir%\sysnative\gpupdate.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZFVu69HEHoxtabkylaXLTONOa7sbbaTxinK8LCf7IOw6k9xtHahhn/phltzTgYu9ZYS1ugMrlB8Ik2/F8CTX+o5xgIQJU6is7Dj7ggXGamS89VZdp9f5U58EGa97acrc6Ga9zXeW/q1HBFfSnEuEt7SlJlVZOTgNldOiN5zpXTQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/safebrowsing/QVXHQf/QVXHQfyfH5BrChprcWoBIZaDp2-M
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3943.0 Safari/537.36 Edg/79.0.308.1
-
watermark
666666
Extracted
cobaltstrike
0
-
watermark
0
Targets
-
-
Target
c28fbd29f.exe
-
Size
5.6MB
-
MD5
af226bd5a4f6f175ffe81288b3eb8eb2
-
SHA1
6ee8bba0f21d35d492f497caf8c5ab9d1067419a
-
SHA256
c28fbd29fc81b4c523b1408799a00555a2f6e67f4767643755fa9ac34cc4ea77
-
SHA512
6bd3fef658da2a94c9fded2f4054acf5f166734ff0e2b4115982a5ec5f189ae71a3845546f7a95da22e4bcbc91be976188927e7fea06d8541140995f51933980
-
SSDEEP
98304:Rah1HsKSzH9E/48v7HE7dB2Wq3zIzyNZEI+iZ7q1zPPXNAjtVa/u:EkG3vzIB2ei+I+7NAjtVa/u
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Executes dropped EXE
-
Loads dropped DLL
-