General
-
Target
2023-03-24-IcedID-and-Cobalt-Strike-malware-and-artifacts.zip
-
Size
2.1MB
-
Sample
230328-pa7ccace5y
-
MD5
987cf1182485dbb8f4e7c6a19e56db64
-
SHA1
9cb381c54ab5b4ba02a00e8bea9d63cf21a216d9
-
SHA256
b1e8a8308e3e782b8d546ee5b6de23a7df4b2134d0b5e4d0556635fbe3b01104
-
SHA512
26fd874ebec3b1a9d4e97cb568ac187dc7c7507790af7d13c40d1a6259a1e7166ff706dcc5b2a5562ff1adc0f95029d69cf8c67a54d3adff68628fc14ab903a3
-
SSDEEP
49152:K4mEgtXl73XOELkj6aV30M+InjwpXn74Q4CRhJCjVn8p:Zm/l7r9al0gnjwV7gCTWVnq
Behavioral task
behavioral1
Sample
2023-03-24-PowerShell-script-for-Cobalt-Strike.ps1
Resource
win10-20230220-en
Behavioral task
behavioral2
Sample
Docs_Unpaid_#233.exe
Resource
win10-20230220-en
Behavioral task
behavioral3
Sample
Docs_Unpaid_#233.zip
Resource
win10-20230220-en
Behavioral task
behavioral4
Sample
Ogwebd4.dll
Resource
win10-20230220-en
Behavioral task
behavioral5
Sample
license.dat
Resource
win10-20230220-en
Malware Config
Extracted
cobaltstrike
674054486
http://voiceinfosys.net:80/es
-
access_type
512
-
host
voiceinfosys.net,/es
-
http_header1
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
-
http_header2
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
-
http_method1
GET
-
http_method2
POST
-
jitter
11008
-
polling_time
58716
-
port_number
80
-
sc_process32
%windir%\syswow64\runonce.exe
-
sc_process64
%windir%\sysnative\runonce.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaznbxNcZ0dXD4A3zagH1WOETphSlB8n6ESc9JXFKJjJnRMNtkv3xmhMwY6UC1e51klf5h1MjpT3aRKsd+6wWYNcS+RpVjqVf50rpkGmDnEAXl7WiRM7dtdSNqIGPfEoM8fQRYu5BGqQS65JvmOxEZ078DO4X/qez/F+XGq/kkwwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.272630272e+09
-
unknown2
AAAABAAAAAIAAAFSAAAAAwAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/af
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
-
watermark
674054486
Extracted
icedid
1883783121
liguspotforsit.com
Targets
-
-
Target
2023-03-24-PowerShell-script-for-Cobalt-Strike.txt
-
Size
226KB
-
MD5
57736120aa9346d8c52a7331f7c9f625
-
SHA1
e3e3bd59139948d00401184aed5ddf393cb7cd12
-
SHA256
67f83398e4b96573dd999384827d0441f8b3face1e8395f5533c1d95e9c3cacd
-
SHA512
0d566fd6322847d7b081b6a2ca0cc484d9afe7b757ce4251e8e4c5fa740e514743cc94a32fa3cc62e79dabde1bfa98e58c7e5f2b3d03fe83e7682647ec37fddc
-
SSDEEP
6144:+q/iX4GAn/aN/R01/u9apA4L25kaG8TCGcyvp0QgY1PCG:9/iX2/GI/u9an25kd8TCGrvp+YYG
Score 10/10 -
Blocklisted process makes network request
-
-
-
Target
Docs_Unpaid_#233.exe
-
Size
619KB
-
MD5
4769f980cca32793eeb67997a644491e
-
SHA1
c55169eb2f48953863f50d97b893fdbe80df0313
-
SHA256
1b49da1d8b3ba5135030fd494033b30aa58393eeedf53ea0dd2ecf2715a8e6c8
-
SHA512
363b9aa38a0e2e21e4b54642acf15c0cddb84087500576e1fdead03cc8b6db2dd9f673e3f1b70de5bf6736c17cdabb8edf842dadccdaf1329af7df27be7ec679
-
SSDEEP
12288:h3DkjpFTq1yZrs7H0x7llP40bG70ckzuX110h:h36TndsT0tjQ0bG70ckzuX110h
Score 10/10 -
-
-
Target
Docs_Unpaid_#233.zip
-
Size
332KB
-
MD5
a6845d6928a3ede53e013140c9dae5f9
-
SHA1
52073b12e70240dbf51cf1350799815aa3ecf1ae
-
SHA256
ef768753d6d4d26ba921a09be5b300b9f7bba070ef6847379490b4c1ec85ceb8
-
SHA512
66873ccd97df8e1888e8e3b78c9e4e90ddddda1a9e3d76d7bd6aae79e3eaaed49edd5dfcfb748692fe62b01bb4e86e39cc749521062d167bed8b547134df0d5b
-
SSDEEP
6144:qrWnxdFPIWZAkVczmJeMpmBJd5KZRyA1T6HM4wr7NAn63f/k:qynxzlGyw8eMWaZgary63Hk
Score 1/10 -
-
-
Target
Ogwebd4.dll
-
Size
349KB
-
MD5
a29b31a17f3c5c22ef69beb3d4f3e082
-
SHA1
2d4bf92dd9886bd02ada7038065a67da8ce5dec1
-
SHA256
ead75f569dfb8e27c8f9f246172aab9d5481301a1d6e663287dc8b49fae68fd8
-
SHA512
657269c3def0073f1c0732fdfa494361b04b769c7bb7ca8f6d348ab25044585d5b75808b9c9a7f9ca5d9fc30dc16c292b262c395271ca4936b0a4cbac965b96b
-
SSDEEP
6144:xCjcxL6bkMII9f3JPNxsxqyLvHYdmGpfS3QmZSs:xCjcxOhfZNX+iR6DZS
Score 3/10 -
-
-
Target
license.dat
-
Size
346KB
-
MD5
bff696bb76ea1db900c694a9b57a954b
-
SHA1
ca10c09416a16416e510406a323bb97b0b0703ef
-
SHA256
332afc80371187881ef9a6f80e5c244b44af746b20342b8722f7b56b61604953
-
SHA512
8d2ec1aef3a037655a20368cc0554340f5a921124121ecdc58d7f85a04f27c8356228a9f175214874ed9ada6465b9dbbdfd0f712df110df012472452db3bc030
-
SSDEEP
6144:rlH1wh3kbzrALzYiR1TluF5vXxRER9VxDxb5I6ATsL84sL4QVhbIcb4s2Av74Y2j:rlH1w0z8zHnTlSB89/t9rATsL8mQPvbq
Score 3/10 -