General
-
Target
8368f07bc8825b7be0ed381c620b16c1095628b8588ac8dfe417bd2e82405023
-
Size
683KB
-
Sample
230211-j9rs2sba34
-
MD5
b09eaed87555b3540bbcf7020e1b6939
-
SHA1
c28716b86cc26122c2139427452ccf999fe83978
-
SHA256
8368f07bc8825b7be0ed381c620b16c1095628b8588ac8dfe417bd2e82405023
-
SHA512
0541c40e059ad2b1d78621568bc8e419c5582113e5968aacbb9428d36f0762b49ad3ea7fd9218c3711cf42872674520019d8ca0a94584c66619bf81d5811e33d
-
SSDEEP
12288:+cKH1VFzIyLxje60qyhzUGct8RrfnTcdnprdZNTLCDj0Z7W5yF46nuCfS89SOD7R:+cKH1VFzhLxje60qyhzLct8RrfnTcdnR
Malware Config
Extracted
cobaltstrike
54188
http://1.13.154.164:9443/access/sso/
-
access_type
512
-
beacon_type
2048
-
host
1.13.154.164,/access/sso/
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeR2V0Q29udGVudEZlYXR1cmVzLkRMTkEuT1JHOiAxAAAAEAAAAB5Ib3N0OiB3d3cubWljcm9zb2Z0bGVzaG9wLnNob3AAAAAKAAAASENvb2tpZTogIF9fdXRtYT0yMTAwNzc2MjIuMTczMjQzOTk5NS4xNDMzMjAxNDYyLjE0MDMyMDQzNzIuMTM4NTIwMjQ5My4yOwAAAAkAAAAJdmVyc2lvbj00AAAACQAAAA5saWQ9MTU4MjUwMjcyNAAAAAcAAAAAAAAACAAAAAUAAAAFdG9rZW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAQAAAAHkhvc3Q6IHd3dy5taWNyb3NvZnRsZXNob3Auc2hvcAAAAAcAAAAAAAAABQAAAANyaWQAAAAJAAAADmxpZD0xNTgyNTAyNzI0AAAACQAAAB9tZXRob2Q9Z2V0U2VhcmNoUmVjb21tZW5kYXRpb25zAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
8704
-
polling_time
2000
-
port_number
9443
-
sc_process32
%windir%\syswow64\wbem\WmiPrvSE.exe
-
sc_process64
%windir%\sysnative\wbem\WmiPrvSE.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCNMISE73frtnwPgCW75iTevQ1wj7DisEa4TggD5N9tYlrNT7r3VyU7E0CfQhY6Ob67CCgXC74mgYyOMnn+CjEM8Lb1ZCZnj1T6cohGDzQxY0IszwVpi5YoPZfMHmC3vJC1xtGFpbT16VPDNVqnWYv6gQsAt5hFaxMmYS1YNoOt2QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.4764032e+09
-
unknown2
AAAABAAAAAgAAAACAAAAEAAAAAIAAAAQAAAAAgAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/radio/xmlrpc/v35
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.33
-
watermark
54188
Targets
-
-
Target
8368f07bc8825b7be0ed381c620b16c1095628b8588ac8dfe417bd2e82405023
-
Size
683KB
-
MD5
b09eaed87555b3540bbcf7020e1b6939
-
SHA1
c28716b86cc26122c2139427452ccf999fe83978
-
SHA256
8368f07bc8825b7be0ed381c620b16c1095628b8588ac8dfe417bd2e82405023
-
SHA512
0541c40e059ad2b1d78621568bc8e419c5582113e5968aacbb9428d36f0762b49ad3ea7fd9218c3711cf42872674520019d8ca0a94584c66619bf81d5811e33d
-
SSDEEP
12288:+cKH1VFzIyLxje60qyhzUGct8RrfnTcdnprdZNTLCDj0Z7W5yF46nuCfS89SOD7R:+cKH1VFzhLxje60qyhzLct8RrfnTcdnR
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-