General
-
Target
80e2da1c20715a24e2cffda025879bb2.bin
-
Size
170KB
-
Sample
230311-b1spzsga94
-
MD5
05e614344ba70d3c4bd8eda149cbb54f
-
SHA1
62505cc4c3fe9760dcffca20e56ec619afeb22a6
-
SHA256
271cd32df76f171aeb57df8c1df932b85374bf1919a0d2263b183d88ee526b60
-
SHA512
90d28af6340628b4e84875d47e1804ada8aeaee1543289d8b28137eeb5bfa52891733b90532b59c259c1ecb051b2cc27da84b1470c74be6f97b0848b966b37c4
-
SSDEEP
3072:sDJp/r63KJxPMQQY9ejkjSqs0VdJSyuyK/YhdLDBBLappUOE9VlHU7u6Luf/166:mJpDx0QQsewWqs0VHK/YhdZ0p6P0u
Malware Config
Extracted
cobaltstrike
987654321
http://kihurij.com:443/Demo/Internet/FT2F740QMYJ
-
access_type
512
-
beacon_type
2048
-
host
kihurij.com,/Demo/Internet/FT2F740QMYJ
-
http_header1
AAAACgAAADhBY2NlcHQ6IGFwcGxpY2F0aW9uL2pzb24sIGFwcGxpY2F0aW9uL3hodG1sK3htbCwgaW1hZ2UvKgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi1pZQAAAAoAAAAfQWNjZXB0LUVuY29kaW5nOiBnemlwLCBpZGVudGl0eQAAAAcAAAAAAAAADwAAAAsAAAACAAAAI1NFU1NJT05JRF82QlBTMjFJOUZLSFJXMlFZRlhMMkZGMDU9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAADhBY2NlcHQ6IGFwcGxpY2F0aW9uL3hodG1sK3htbCwgaW1hZ2UvKiwgYXBwbGljYXRpb24vanNvbgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBydS1tZAAAAAoAAAAjQWNjZXB0LUVuY29kaW5nOiBpZGVudGl0eSwgY29tcHJlc3MAAAAHAAAAAAAAAA8AAAANAAAABQAAAAlfQ1BLUEtTVFkAAAAHAAAAAQAAAA8AAAAIAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
12544
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\getmac.exe /V
-
sc_process64
%windir%\sysnative\getmac.exe /V
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFpKj6wjeTv+jkvV2oKPV4oxmMWb/goJlnmx050yZrWRDPbb7kmST84pjx2qmD4N240vuPpIy3JzjfximH+OiBDmz1q6T2WrjeDJT9gcSbsyE857XflDEK73pqcmWPQyTLE4d2TaoqjExNiH0fG4h1aChr1NBa4bBCRyb4TsurxQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
8.72947712e+08
-
unknown2
AAAABAAAAAEAAASeAAAAAgAAA44AAAAIAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/Put/2003/WAIV922G69FS
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
-
watermark
987654321
Targets
-
-
Target
09094ed7deb2b722d47c888b47bc8d71b33355e5052b6e42621e4e98642e7ea9.ps1
-
Size
363KB
-
MD5
80e2da1c20715a24e2cffda025879bb2
-
SHA1
886a5a3f2a375458e332b7f667a4cc2c36f6a989
-
SHA256
09094ed7deb2b722d47c888b47bc8d71b33355e5052b6e42621e4e98642e7ea9
-
SHA512
69b973d54cdfc842f32fa184211113c3ae93f5a5eb163c6d4997148998077d94add60d96243c1dd18a5e6bdbb858da50481e2ef866082d7ea5398dadbd4cb1a7
-
SSDEEP
6144:8Znnz2AHVD16Sn+KlfYY07hFo8jcNHKIS0MNd1re83NXsaly5q6LAV:8Rn6KPfvATzaKIS0TKNXT56LAV
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request
-