General
-
Target
Documento.pdf.zip
-
Size
392KB
-
Sample
230210-sf6jsaeg5s
-
MD5
d42efa0bed81053393076dd1aac90484
-
SHA1
fe5ac49b1a0115331b60174a5e5feaf485988d46
-
SHA256
a7a56f7fcbd4520b634a03740b8c62f19c19f11340902659475b1049e2013cd7
-
SHA512
abd4a954321b9f176a79c9df3a088d16ef835ee279606853df78c95d195e8f17a32489275fd15ed7be30ed713b122e0e1561956d3e9c1eabab9240b95284f725
-
SSDEEP
12288:cQSqjkKisYTnZqnUr/XV91dz/tLrJGnpuuOInbUnVuwkx:mTsYTngwfVzt5knpuuOSwkx
Static task
static1
Behavioral task
behavioral1
Sample
Documento.pdf.lnk
Resource
win10-20220812-en
Behavioral task
behavioral2
Sample
Documento.pdf.lnk
Resource
win7-20220901-en
Behavioral task
behavioral3
Sample
Documento.pdf.lnk
Resource
win10v2004-20221111-en
Malware Config
Extracted
cobaltstrike
391144938
http://192.168.56.3:80/cr.css
-
access_type
512
-
host
192.168.56.3,/cr.css
-
http_header1
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
-
http_header2
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
-
http_method1
GET
-
http_method2
POST
-
jitter
9984
-
polling_time
63898
-
port_number
80
-
sc_process32
%windir%\syswow64\WUAUCLT.exe
-
sc_process64
%windir%\sysnative\WUAUCLT.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAP2p67B2EuiUUNi4YopVGqDxIAVr4kwkDbycHatN9jwkxSkTJT6iyeXzcJ7Sc+hNbrZLdRa6zzMJG0BELkNQ+l3WrPnS2ca8Bvc0OjwqomRe/Fzb+e8+Qnpq4ATCLY5idTtx/uPMX0AnpjFzp/Pqer/fND80DVh+xkh/c+43/XwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
3.010993152e+09
-
unknown2
AAAABAAAAAIAAAbnAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/av
-
user_agent
Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0
-
watermark
391144938
Targets
-
-
Target
Documento.pdf.lnk
-
Size
592KB
-
MD5
2a26b3354a0daeb38079a62471ab5ba8
-
SHA1
711a6790e2e50a949297d10c47e9fc3e8d2632fb
-
SHA256
7cc53f1b2b4eac4e9acd5722cc179ba4094f3101ec7b9e3874755ea501fa4aa3
-
SHA512
e5620f60dea102742f0fb0252a87647bc3ee4eaf304866f3d028f5b0868e3a2179a1a9f46b46faefd077de09348b25c962b8a41eecfb8768a56c9fb4c2aa21cb
-
SSDEEP
12288:3HQSYtswIsMXhZEpUrvXVX1dPb7dnJGnpu8QjUDZUndu8kd:37RsMXhuePVFVJknpu8Qj68kd
Score: 10/10
-
Checks computer location settings
Reads the country code configured in the registry; this is commonly a geofence check used to abort execution in particular locales, though the intent cannot be confirmed from this signature alone.
-
Loads dropped DLL
-