General
-
Target
09094ed7deb2b722d47c888b47bc8d71b33355e5052b6e42621e4e98642e7ea9.zip
-
Size
170KB
-
Sample
230321-rw6ztaba68
-
MD5
f7c8e2738dc41d2363e63c7751eb9586
-
SHA1
b1f8684a9caf059db5bd1feecd690af7077b5634
-
SHA256
608365573d099c50b8c0e5b7092deae9a9bcc684bd44e271b69eb8f56ae2fbc8
-
SHA512
eb7d4345acdb21ea1ad0804de879ef8817501b9c9241246ebe2a66ccb947ba807c98ea76cd2072ae2c9cee8342e080f00a8a626d4c7df86734384908f3d7502b
-
SSDEEP
3072:+/g6hBk8q2GKGadAMxzy73ZGwBlt/yFJ3Vpv302lEXslERNiPEeGKtAyICLt2Iw2:+IQa8q2GKGRmc3ZGilgJXP0PXsqNuExs
Malware Config
Extracted
cobaltstrike
987654321
http://kihurij.com:443/Demo/Internet/FT2F740QMYJ
-
access_type
512
-
beacon_type
2048
-
host
kihurij.com,/Demo/Internet/FT2F740QMYJ
-
http_header1
AAAACgAAADhBY2NlcHQ6IGFwcGxpY2F0aW9uL2pzb24sIGFwcGxpY2F0aW9uL3hodG1sK3htbCwgaW1hZ2UvKgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi1pZQAAAAoAAAAfQWNjZXB0LUVuY29kaW5nOiBnemlwLCBpZGVudGl0eQAAAAcAAAAAAAAADwAAAAsAAAACAAAAI1NFU1NJT05JRF82QlBTMjFJOUZLSFJXMlFZRlhMMkZGMDU9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAADhBY2NlcHQ6IGFwcGxpY2F0aW9uL3hodG1sK3htbCwgaW1hZ2UvKiwgYXBwbGljYXRpb24vanNvbgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBydS1tZAAAAAoAAAAjQWNjZXB0LUVuY29kaW5nOiBpZGVudGl0eSwgY29tcHJlc3MAAAAHAAAAAAAAAA8AAAANAAAABQAAAAlfQ1BLUEtTVFkAAAAHAAAAAQAAAA8AAAAIAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
12544
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\getmac.exe /V
-
sc_process64
%windir%\sysnative\getmac.exe /V
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFpKj6wjeTv+jkvV2oKPV4oxmMWb/goJlnmx050yZrWRDPbb7kmST84pjx2qmD4N240vuPpIy3JzjfximH+OiBDmz1q6T2WrjeDJT9gcSbsyE857XflDEK73pqcmWPQyTLE4d2TaoqjExNiH0fG4h1aChr1NBa4bBCRyb4TsurxQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
8.72947712e+08
-
unknown2
AAAABAAAAAEAAASeAAAAAgAAA44AAAAIAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/Put/2003/WAIV922G69FS
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
-
watermark
987654321
Targets
-
-
Target
09094ed7deb2b722d47c888b47bc8d71b33355e5052b6e42621e4e98642e7ea9.ps1
-
Size
363KB
-
MD5
80e2da1c20715a24e2cffda025879bb2
-
SHA1
886a5a3f2a375458e332b7f667a4cc2c36f6a989
-
SHA256
09094ed7deb2b722d47c888b47bc8d71b33355e5052b6e42621e4e98642e7ea9
-
SHA512
69b973d54cdfc842f32fa184211113c3ae93f5a5eb163c6d4997148998077d94add60d96243c1dd18a5e6bdbb858da50481e2ef866082d7ea5398dadbd4cb1a7
-
SSDEEP
6144:8Znnz2AHVD16Sn+KlfYY07hFo8jcNHKIS0MNd1re83NXsaly5q6LAV:8Rn6KPfvATzaKIS0TKNXT56LAV
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request
-