General
-
Target
cfe0c69074a02d001210dea37467860f345555f67b5b6dd3285a5b1b27fd3375
-
Size
7.5MB
-
Sample
230507-ht1kksbh98
-
MD5
a12474fa631be7cabad381db9787f6a6
-
SHA1
6ddb41a170c336e20db5f4e4cda06154b4ddaecf
-
SHA256
cfe0c69074a02d001210dea37467860f345555f67b5b6dd3285a5b1b27fd3375
-
SHA512
0a697a0b215beb478d27c25ac56fc9d29b74d2f11664b2879c8570a9f72cf2fb33f6786ffdd7bb8a16ea89c493632bbb1aabaeaa212548bc4cae04209a912466
-
SSDEEP
196608:coW2igXZICtNDLBFLpej7aBrGupMHclEwKUC2Fc3XugPehXAh:c6igJb1pea5pMHclTKUCCc3Xuh2h
Malware Config
Extracted
cobaltstrike
674054486
http://global.teams-app-cdn.com:443/get
-
access_type
512
-
beacon_type
2048
-
host
global.teams-app-cdn.com,/get
-
http_header1
AAAAEAAAAB5Ib3N0OiBnbG9iYWwudGVhbXMtYXBwLWNkbi5jb20AAAAKAAAAFkNvbm5lY3Rpb246IGtlZXAtYWxpdmUAAAAKAAAAHFVwZ3JhZGUtSW5zZWN1cmUtUmVxdWVzdHM6IDEAAAAKAAAAj0FjY2VwdDogdGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksaW1hZ2UvYXZpZixpbWFnZS93ZWJwLGltYWdlL2FwbmcsKi8qO3E9MC44LGFwcGxpY2F0aW9uL3NpZ25lZC1leGNoYW5nZTt2PWIzO3E9MC45AAAACgAAABpTZWMtRmV0Y2gtU2l0ZTogY3Jvc3Mtc2l0ZQAAAAoAAAAYU2VjLUZldGNoLU1vZGU6IG5hdmlnYXRlAAAACgAAABZTZWMtRmV0Y2gtRGVzdDogaWZyYW1lAAAACgAAACJBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUsIGJyAAAACgAAAA9MYW5ndWFnZTogZW4tVVMAAAAHAAAAAAAAAA8AAAALAAAAAgAAAA9hdXRoX3Rva2VuTUgwMj0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAAB5Ib3N0OiBnbG9iYWwudGVhbXMtYXBwLWNkbi5jb20AAAAKAAAAFkNvbm5lY3Rpb246IGtlZXAtYWxpdmUAAAAKAAAAHFVwZ3JhZGUtSW5zZWN1cmUtUmVxdWVzdHM6IDEAAAAKAAAAj0FjY2VwdDogdGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksaW1hZ2UvYXZpZixpbWFnZS93ZWJwLGltYWdlL2FwbmcsKi8qO3E9MC44LGFwcGxpY2F0aW9uL3NpZ25lZC1leGNoYW5nZTt2PWIzO3E9MC45AAAACgAAABpTZWMtRmV0Y2gtU2l0ZTogY3Jvc3Mtc2l0ZQAAAAoAAAAYU2VjLUZldGNoLU1vZGU6IG5hdmlnYXRlAAAACgAAABZTZWMtRmV0Y2gtRGVzdDogaWZyYW1lAAAACgAAACJBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUsIGJyAAAACgAAAA9MYW5ndWFnZTogZW4tVVMAAAAHAAAAAAAAAA8AAAALAAAABQAAAAlfQVBEVEpWUUYAAAAHAAAAAQAAAA8AAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
5120
-
polling_time
300000
-
port_number
443
-
sc_process32
%windir%\syswow64\WerFault.exe
-
sc_process64
%windir%\sysnative\WerFault.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6G7Kx2wvKZIWaes10wwEaffYxLROfVyh+PlnNo+qoM1UBnxoGUW+puTi0r6Pfu9/tC6eWEWVhZbw3ead7tviQBhGwXitHXinMbuWdRPSah0x7DcDgVIF5nT9eOc70+a1boTrHvCSq0aeX3Lwd8EWIo2rWBPf3KJZvycr4xt+5twIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.34234112e+08
-
unknown2
AAAABAAAAAEAAAAAAAAAAgAAAAAAAAALAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/post
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.5.00.33362 Chrome/96.0.4664.174 Electron/16.2.8 Safari/537.36
-
watermark
674054486
Targets
-
-
Target
cfe0c69074a02d001210dea37467860f345555f67b5b6dd3285a5b1b27fd3375
-
Size
7.5MB
-
MD5
a12474fa631be7cabad381db9787f6a6
-
SHA1
6ddb41a170c336e20db5f4e4cda06154b4ddaecf
-
SHA256
cfe0c69074a02d001210dea37467860f345555f67b5b6dd3285a5b1b27fd3375
-
SHA512
0a697a0b215beb478d27c25ac56fc9d29b74d2f11664b2879c8570a9f72cf2fb33f6786ffdd7bb8a16ea89c493632bbb1aabaeaa212548bc4cae04209a912466
-
SSDEEP
196608:coW2igXZICtNDLBFLpej7aBrGupMHclEwKUC2Fc3XugPehXAh:c6igJb1pea5pMHclTKUCCc3Xuh2h
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Executes dropped EXE
-
Loads dropped DLL
-