General
-
Target
54a745673b6f8d0aa2e3f5b9287711c30ced0b417d7d8fc2ac451cd4765d2de7
-
Size
4.3MB
-
Sample
230421-dpl46sdg87
-
MD5
cc5d6d972293623b095cdcb4860de21c
-
SHA1
ab9822f8fd1c3aca566bce04fdf8134e6f419dd1
-
SHA256
54a745673b6f8d0aa2e3f5b9287711c30ced0b417d7d8fc2ac451cd4765d2de7
-
SHA512
25a6f4526209cf2f297add4d9b7dadafc87ec3d55177f097a8b11388573d696f7d331bf7940da12c324d7731e54ee92a60943492e63af7ae95bac655d84656e0
-
SSDEEP
49152:FwHhpNxrb/TxvO90d7HjmAFd4A64nsfJi/p0uGR0J8L4z/wBQaHd3bLu00KnEOHO:aosufMw2
Malware Config
Extracted
cobaltstrike
http://p.qaxno1.ml:2053/9hQee
-
user_agent
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Extracted
cobaltstrike
54188
http://p.qaxno1.ml:2053/ask/submit.php
-
access_type
512
-
beacon_type
2048
-
host
p.qaxno1.ml,/ask/submit.php
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi11cwAAAAoAAAAbQWNjZXB0LUVuY29kaW5nOiB0ZXh0L3BsYWluAAAABwAAAAAAAAADAAAAAgAAACJKU0VTU0lPTj1ranNhaGZranNuZGZqa2hzbmZramFzaGRmAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi11cwAAAAoAAAAbQWNjZXB0LUVuY29kaW5nOiB0ZXh0L3BsYWluAAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAANzaWQAAAAHAAAAAQAAAAMAAAACAAAAIkpTRVNTSU9OPWtqc2FoZmtqc25kZmpraHNuZmtqYXNoZGYAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
2053
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2ndWPrEjLYxSwm0mmGy/eV9QtrdAB55YOGvIrQMR+qs0aTLpcVm3KWMuLEfqXQKQYq8X6/vlID6ZP+W818iqrDjacTm4/vUywByNKrNydnkXxrpP05kjHfe56lUgZa6g/CfarxfI7tvti4cQYR4zi8c8+O5ZKjYDpJUxojffJnwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.jsp
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
-
watermark
54188
Targets
-
-
Target
54a745673b6f8d0aa2e3f5b9287711c30ced0b417d7d8fc2ac451cd4765d2de7
-
Size
4.3MB
-
MD5
cc5d6d972293623b095cdcb4860de21c
-
SHA1
ab9822f8fd1c3aca566bce04fdf8134e6f419dd1
-
SHA256
54a745673b6f8d0aa2e3f5b9287711c30ced0b417d7d8fc2ac451cd4765d2de7
-
SHA512
25a6f4526209cf2f297add4d9b7dadafc87ec3d55177f097a8b11388573d696f7d331bf7940da12c324d7731e54ee92a60943492e63af7ae95bac655d84656e0
-
SSDEEP
49152:FwHhpNxrb/TxvO90d7HjmAFd4A64nsfJi/p0uGR0J8L4z/wBQaHd3bLu00KnEOHO:aosufMw2
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-