General
-
Target
7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03
-
Size
494KB
-
Sample
230306-dsdbfahh9x
-
MD5
94b4eb33f72c5df6e7823407e12fa2b5
-
SHA1
e59fbee36c7604f2fbbb05a13aa2ef6fe2e0f56f
-
SHA256
7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03
-
SHA512
19539f69b0cbcc7c6be91f347d9289b19331f1def5606dc80600edf6b7d2923eefde62fd996614a22bbd56c8bb49293345d8f824f960220bdb91d56d539eb491
-
SSDEEP
12288:fzxzTDWikLSb4NS7/dc+tkUXY1AfOY7llq7KKIoYy:dDWHSb4NpnVYPq5Yy
Malware Config
Extracted
cobaltstrike
0
http://85.175.101.203:80/access/
-
access_type
512
-
host
85.175.101.203,/access/
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeR2V0Q29udGVudEZlYXR1cmVzLkRMTkEuT1JHOiAxAAAAEAAAACBIb3N0OiBhdWRpby1zdjUtdDEtMy5wYW5kb3JhLmNvbQAAAAoAAABIQ29va2llOiAgX191dG1hPTIxMDA3NzYyMi4xNzMyNDM5OTk1LjE0MzMyMDE0NjIuMTQwMzIwNDM3Mi4xMzg1MjAyNDkzLjI7AAAACQAAAAl2ZXJzaW9uPTQAAAAJAAAADmxpZD0xNTgyNTAyNzI0AAAABwAAAAAAAAAIAAAABQAAAAV0b2tlbgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAQAAAAFUhvc3Q6IHd3dy5wYW5kb3JhLmNvbQAAAAcAAAAAAAAABQAAAANyaWQAAAAJAAAADmxpZD0xNTgyNTAyNzI0AAAACQAAAB9tZXRob2Q9Z2V0U2VhcmNoUmVjb21tZW5kYXRpb25zAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
1000
-
port_number
80
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
7.382016e+08
-
unknown2
AAAABAAAAAIAAAAQAAAAAgAAABAAAAACAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/radio/xmlrpc/v35
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Targets
-
-
Target
7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03
-
Size
494KB
-
MD5
94b4eb33f72c5df6e7823407e12fa2b5
-
SHA1
e59fbee36c7604f2fbbb05a13aa2ef6fe2e0f56f
-
SHA256
7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03
-
SHA512
19539f69b0cbcc7c6be91f347d9289b19331f1def5606dc80600edf6b7d2923eefde62fd996614a22bbd56c8bb49293345d8f824f960220bdb91d56d539eb491
-
SSDEEP
12288:fzxzTDWikLSb4NS7/dc+tkUXY1AfOY7llq7KKIoYy:dDWHSb4NpnVYPq5Yy
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-