Analysis
max time kernel: 139s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-03-2023 18:37
Behavioral tasks
behavioral1: sample ApiClient.dll, resource win7-20230220-en
behavioral2: sample ApiClient.dll, resource win10v2004-20230220-en
behavioral3: sample msvcp140.dll, resource win7-20230220-en
behavioral4: sample msvcp140.dll, resource win10v2004-20230220-en
behavioral5: sample setup.exe, resource win7-20230220-en
behavioral6: sample setup.exe, resource win10v2004-20230220-en
behavioral7: sample vcruntime140.dll, resource win7-20230220-en
behavioral8: sample vcruntime140.dll, resource win10v2004-20230220-en
behavioral9: sample vcruntime140_1.dll, resource win7-20230220-en
behavioral10: sample vcruntime140_1.dll, resource win10v2004-20230220-en
General
Target: setup.exe
Size: 21.5MB
MD5: 9d311899c431152ceaa676c81c656d9f
SHA1: 6b64bf51869662caeca104254113678bb0ccf96f
SHA256: 7285efae50a67581e0748960f1800fd97a58945d95344a39985f22fd3d6bfb0b
SHA512: 91e4b86285b06c71afaa58acb6f2cea2d9222d30ee3c2993987b74b4205eb45147659930f54ac990438aca93a69576838b8c24d57b78bb89b9e555856d8adf13
SSDEEP: 196608:MKQ/WwVjXM4y33/hXJVBtnRVRW4kngMHGG:MKQRjJ+rVBtRHG
Malware Config
Extracted: cobaltstrike (watermark 838968285)
C2: http://d2oca100euqhv5.cloudfront.net:443/client-portal/insight
access_type: 512
beacon_type: 2048
host: d2oca100euqhv5.cloudfront.net,/client-portal/insight
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAARQ29ubmVjdGlvbjogQ2xvc2UAAAAHAAAAAAAAAAMAAAACAAAAC0pTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAARQ29ubmVjdGlvbjogQ2xvc2UAAAAHAAAAAAAAAAgAAAANAAAABQAAAAJpZAAAAAcAAAABAAAADwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1: GET
http_method2: POST
jitter: 8448
polling_time: 30000
port_number: 443
sc_process32: %windir%\syswow64\rundll32x.exe
sc_process64: %windir%\sysnative\rundll32x.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCtI7P7EjdUTdb6ydcLvYfljr7MaP9stUdClJpVGaGdTFUh+8PKhNqh1bhQDaBQn3e+kWHKt+34pzVvPAdWaiBhVyPtIfIZrti0oraKW1PWo3E7pVECrpOIzlz9CR/JkvdYTHpGNp42C6b0wj0dh43WZtn6aRGGUgXC38oqsUImwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 6.711296e+07
unknown2:
AAAABAAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /client-portal/ping
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
watermark: 838968285
year: 256

Signatures
Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.