General
- Target: Downloads.rar
- Size: 7.1MB
- Sample: 230324-n7p9nagc2s
- MD5: 3ed5a87ced227e07a259052206745bf5
- SHA1: 4d34e9540ca2e05001c44028ff0ad2078078ce8b
- SHA256: 139cdb6becf2a2fa239d1f35acfc2db3f913afa6591b87d44b5e9d9b531dfa86
- SHA512: cdc083a17bc1469550eaab7c6c018ff9802c071c6d35dd0469fe1ad154580c502f47048054857ff2b1f6258827a565fd0b85ad9b5bb33780f8e60f10326efd92
- SSDEEP: 196608:xJFtl8A3OaGGyIxIl+UKu2aFeluNjVm5+QZN00GDRZD:PlFQ8S+Ru2aG8qlZPuRZ
Static task: static1

Behavioral task: behavioral1
- Sample: 12493ec6b59188a080961436130f4cba.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: 12493ec6b59188a080961436130f4cba.exe
- Resource: win10v2004-20230221-en

Behavioral task: behavioral3
- Sample: 9e7d06f01a6535531b6e098f6dd3eb47.exe
- Resource: win7-20230220-en

Behavioral task: behavioral4
- Sample: 9e7d06f01a6535531b6e098f6dd3eb47.exe
- Resource: win10v2004-20230220-en

Behavioral task: behavioral5
- Sample: c5b25a24f7112f1ee9300986004c45d9.com.exe
- Resource: win7-20230220-en

Behavioral task: behavioral6
- Sample: c5b25a24f7112f1ee9300986004c45d9.com.exe
- Resource: win10v2004-20230221-en

Behavioral task: behavioral7
- Sample: ce8bface0c9e56ab96d4bc06b76083aa.exe
- Resource: win7-20230220-en

Behavioral task: behavioral8
- Sample: ce8bface0c9e56ab96d4bc06b76083aa.exe
- Resource: win10v2004-20230220-en
Malware Config

Extracted: metasploit
windows/download_exec
http://183.60.219.35:80/vue.min.js
- headers: User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0) Host: 360update.360.cn

Extracted: cobaltstrike
100000000
http://183.60.219.35:80/api/getit
http://49.79.225.35:80/api/getit
http://111.7.110.35:80/api/getit
http://1.193.146.35:80/api/getit
http://118.112.225.35:80/api/getit
http://118.182.249.49:80/api/getit
http://42.81.98.35:80/api/getit
- access_type: 512
- host: 183.60.219.35,/api/getit,49.79.225.35,/api/getit,111.7.110.35,/api/getit,1.193.146.35,/api/getit,118.112.225.35,/api/getit,118.182.249.49,/api/getit,42.81.98.35,/api/getit
- http_method1: GET
- http_method2: POST
- jitter: 9472
- polling_time: 45000
- port_number: 80
- sc_process32: %windir%\syswow64\dllhost.exe
- sc_process64: %windir%\sysnative\dllhost.exe
- unknown1: 1.481970944e+09
- uri: /api/postit
- user_agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
- watermark: 100000000

Extracted: cobaltstrike
391144938
http://39.98.169.74:8080/mall_100_100.html
- access_type: 512
- host: 39.98.169.74,/mall_100_100.html
- http_method1: GET
- http_method2: POST
- jitter: 9472
- polling_time: 30000
- port_number: 8080
- sc_process32: %windir%\syswow64\runonce.exe
- sc_process64: %windir%\sysnative\runonce.exe
- unknown1: 3.03243264e+08
- uri: /ajax/recharge/recharge.json
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
- watermark: 391144938

Extracted: cobaltstrike
http://192.168.20.15:801/9Ekt
- user_agent: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
Targets

Target: 12493ec6b59188a080961436130f4cba.exe.vir
- Size: 250KB
- MD5: 12493ec6b59188a080961436130f4cba
- SHA1: 019c2e8f059291c9f9dc2958f8e1815b36e5e0ea
- SHA256: 9bfc115e306fd5de28d6392cb4303a9ee41890d6bb27da00d41e7b335eb0b72e
- SHA512: 0a270a9b7b3ee2004e6b3560e121047d93b3a8522b25591e2364abce65c4ef7afbdf8a9754220c04af63bafc2d4099ecb1e5f6293c27918b1944d06285316cfd
- SSDEEP: 3072:ac+uy5u8vGRlIqw+Xs8GBccgOrc57aOJqq5DYejipqi1fffffffffffffffffffh:ahXxv8le+rAF6st1fv
Score: 10/10
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Target: 9e7d06f01a6535531b6e098f6dd3eb47.exe.vir
- Size: 6.1MB
- MD5: 9e7d06f01a6535531b6e098f6dd3eb47
- SHA1: b1389c46288f8674b591f2bbcf41920958e96962
- SHA256: 1792595b55a0ccf8aef23354eafb24844581c4f862a514e42f67127738b71f63
- SHA512: ae1bd9c677d62f16dc0191d6693d414188885f43897a1b40475be3ff1d3483f27c1879f897c30743f2519638c81c11e72ebf363deb85c584b852cf5e851dd3bf
- SSDEEP: 49152:jpdCnUmxN53Q2rb/T4vO90d7HjmAFd4A64nsfJ60jn1m4tQGYaVDb1U37t+0nWl5:83QuXwsAXEY/+6QII
Score: 10/10

Target: c5b25a24f7112f1ee9300986004c45d9.com.vir
- Size: 10.5MB
- MD5: c5b25a24f7112f1ee9300986004c45d9
- SHA1: bf725cdd9a3d7d8d288b0b7b99fbc084323793c8
- SHA256: e1dd38c882c54782356b09c4165b6f59ba5f7abd2627c89398635f1d85e841be
- SHA512: c14fc2d8f927144eae4b1d7eebc3372f40044039bdaa4ae726f2aa3d8f6560ca17ff93be2f4a8f548cc2208147a708409e863b2e9e08d73bd70c3b9df73b2f70
- SSDEEP: 49152:f97M8Pmta38OzRrb/TmvO90d7HjmAFd4A64nsfJsdjx4PdKEvZFxR+vdRGGjjyh6:r3NiXVAGVjp6TEr7lQHJ/R9IfMvu
Score: 1/10

Target: ce8bface0c9e56ab96d4bc06b76083aa.exe.vir
- Size: 2.7MB
- MD5: ce8bface0c9e56ab96d4bc06b76083aa
- SHA1: 67a648847de158f40ac710dfb90a17d2ff49b9a6
- SHA256: 635eec28f0b72fb0b6a1542766ec4773559579e37dd7949fa41f57e386c3adfd
- SHA512: 57a141fd8fff049dad91458d84755a909bb90ccd8c879ce1928897acada96cc06d5c6e63c6a936c8ac9314734acf4b6d28404f67beb0263c883215eb620dc1f9
- SSDEEP: 49152:hRkjGFXsl3Pza68rb/T3vO90d7HjmAFd4A64nsfJjAKhH4+stNms6zo0qYgNCUOG:Ol3PbstNms6zoSGppTOZ
Score: 10/10
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL