Overview
overview
10Static
static
112493ec6b5...ba.exe
windows7-x64
1012493ec6b5...ba.exe
windows10-2004-x64
109e7d06f01a...47.exe
windows7-x64
109e7d06f01a...47.exe
windows10-2004-x64
10c5b25a24f7...om.exe
windows7-x64
1c5b25a24f7...om.exe
windows10-2004-x64
1ce8bface0c...aa.exe
windows7-x64
10ce8bface0c...aa.exe
windows10-2004-x64
10Analysis
-
max time kernel
156s -
max time network
171s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
24-03-2023 12:02
Static task
static1
Behavioral task
behavioral1
Sample
12493ec6b59188a080961436130f4cba.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
12493ec6b59188a080961436130f4cba.exe
Resource
win10v2004-20230221-en
Behavioral task
behavioral3
Sample
9e7d06f01a6535531b6e098f6dd3eb47.exe
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
9e7d06f01a6535531b6e098f6dd3eb47.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral5
Sample
c5b25a24f7112f1ee9300986004c45d9.com.exe
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
c5b25a24f7112f1ee9300986004c45d9.com.exe
Resource
win10v2004-20230221-en
Behavioral task
behavioral7
Sample
ce8bface0c9e56ab96d4bc06b76083aa.exe
Resource
win7-20230220-en
Behavioral task
behavioral8
Sample
ce8bface0c9e56ab96d4bc06b76083aa.exe
Resource
win10v2004-20230220-en
General
-
Target
12493ec6b59188a080961436130f4cba.exe
-
Size
250KB
-
MD5
12493ec6b59188a080961436130f4cba
-
SHA1
019c2e8f059291c9f9dc2958f8e1815b36e5e0ea
-
SHA256
9bfc115e306fd5de28d6392cb4303a9ee41890d6bb27da00d41e7b335eb0b72e
-
SHA512
0a270a9b7b3ee2004e6b3560e121047d93b3a8522b25591e2364abce65c4ef7afbdf8a9754220c04af63bafc2d4099ecb1e5f6293c27918b1944d06285316cfd
-
SSDEEP
3072:ac+uy5u8vGRlIqw+Xs8GBccgOrc57aOJqq5DYejipqi1fffffffffffffffffffh:ahXxv8le+rAF6st1fv
Malware Config
Extracted
metasploit
windows/download_exec
http://183.60.219.35:80/vue.min.js
- headers User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0) Host: 360update.360.cn
Extracted
cobaltstrike
100000000
http://183.60.219.35:80/api/getit
http://49.79.225.35:80/api/getit
http://111.7.110.35:80/api/getit
http://1.193.146.35:80/api/getit
http://118.112.225.35:80/api/getit
http://118.182.249.49:80/api/getit
http://42.81.98.35:80/api/getit
-
access_type
512
-
host
183.60.219.35,/api/getit,49.79.225.35,/api/getit,111.7.110.35,/api/getit,1.193.146.35,/api/getit,118.112.225.35,/api/getit,118.182.249.49,/api/getit,42.81.98.35,/api/getit
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
45000
-
port_number
80
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCELS0IwIRLnAAUxymQ8eY7I/IiIHxMk74CKVpbCv/hDhOU/PqGcgnQ1KY2VOq73+kUXpSMjEBlznrj3fUyZzDeuM74QTcyDYkOSOoCryAw0/dSwP7YMDkRlvxgh0flbXIwBybACCqm1Y1PNRCMUQrd+csGRIueGSigF+FRv9uVowIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.481970944e+09
-
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/api/postit
-
user_agent
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
-
watermark
100000000
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Processes
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/548-54-0x0000000000100000-0x0000000000101000-memory.dmpFilesize
4KB
-
memory/548-55-0x0000000003850000-0x0000000003CC2000-memory.dmpFilesize
4.4MB
-
memory/548-56-0x0000000003850000-0x0000000003CC2000-memory.dmpFilesize
4.4MB
-
memory/548-57-0x0000000003450000-0x00000000035A6000-memory.dmpFilesize
1.3MB