Analysis
-
max time kernel
141s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
24-05-2023 02:45
Static task
static1
Behavioral task
behavioral1
Sample
dns.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
dns.exe
Resource
win10v2004-20230220-en
General
-
Target
dns.exe
-
Size
278KB
-
MD5
474f97c398acabd752d618cf48ba116f
-
SHA1
74374fc327b5a5598ee9708e42d2220976efe3ae
-
SHA256
a6d97592c43e13e9e21f35b4f4569e2bb97300a6f95a13fd335f8f46cf08870a
-
SHA512
c7afa61b786778309e10941cbd735dc80ac8a5891d2018bb26815f96e8ca2a05e9a5f336e086639c6a419b2a510fd9dcdbb87399a3ce93bd5e579f42f9110cfc
-
SSDEEP
6144:8Rdbxl2UIdF4JD+jxKrSvVePwnEfnNSlvaGS:8Dr2UIv4l+jYmvVb4nNSl8
Malware Config
Extracted
cobaltstrike
305419896
http://dns2tcp.yangsir666.top:53/wp06/wp-includes/po.php
-
access_type
512
-
beacon_type
256
-
host
dns2tcp.yangsir666.top,/wp06/wp-includes/po.php
-
http_header1
AAAACgAAAB5SZWZlcmVyOiBodHRwOi8vd3d3Lmdvb2dsZS5jb20AAAAKAAAAa0FjY2VwdDogdGV4dC94bWwsYXBwbGljYXRpb24veG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCx0ZXh0L2h0bWw7cT0wLjksdGV4dC9wbGFpbjtxPTAuOCxpbWFnZS9wbmcsKi8qO3E9MC41AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLXVzLGVuO3E9MC41AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
polling_time
30000
-
port_number
53
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtCn5iCi+YLOzSHzWWGn0CAC/24ExcoUg5jIv7S+rccrM37+W3/gIZ+1T5oX1w/T0g48YrU+loE6CwdwRc1LfvnnQ0UKhbqNJbtlUAwAvNzQBZTVTQ2iSCmCfLtaZCSOCCFlwCTduzHhF6aaSYk9MAbos7dPjIpXe5atK5+K8EzwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
3.998553344e+09
-
unknown2
AAAABAAAAAEAAAAWAAAAAgAAAIAAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/includes/phpmailer/class.pop3.php
-
user_agent
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08
-
watermark
305419896
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.