General

  • Target

    2396-55-0x000007FEF7360000-0x000007FEF740C000-memory.dmp

  • Size

    688KB

  • MD5

    57550e590024488398d141d0d58e6d38

  • SHA1

    ef519409515337f8bd376ebca3ea779110585817

  • SHA256

    f1f8a24251ddeb74ab3d109df9b05a6f002345345119ca9b125903c5587f08aa

  • SHA512

    2db175e0057e9b05c4d766e430bb3bb1b120b86aa4cbb3a55cbd3980a86d1f282845e0094ca05204a8c9a687accf648f19a3ba7c6afcde31fc1fbc649ec8b805

  • SSDEEP

    6144:9R7lJNFr9ptRToednhj2j7lq+bI7+0zVP2PaJSkOYl2TCVVdpDJZWmorGtGjJq/C:9tNFJ7zBAjbIS0wSJSkORCXdpVo2GN

Score
10/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://111.231.4.143:8440/broadcast

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    111.231.4.143,/broadcast

  • http_header1

  • http_header2

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    6912

  • polling_time

    38500

  • port_number

    8440

  • sc_process32

    %windir%\syswow64\wbem\wmiprvse.exe -Embedding

  • sc_process64

    %windir%\sysnative\wbem\wmiprvse.exe -Embedding

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFa1qxIDUiowJlCsdVr2cVrVRBshGU3eNsm2UqFQgSQRWwUnoBRdJ68d6RStS5/v9/KR8cTPVqWQmcqQo70+2KRnrVLbLP4FXD9fnN75A/C9WrK5m96vfDqW6gWwwVlfbqsuSIfD37T4L1Jdw2KFUTqyJMMhb1TksZcghFQzbAAwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    9.28716032e+08

  • unknown2

    AAAABAAAAAEAAAUcAAAAAQAAAAEAAAACAAAAwgAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /1/events/com.amazon.csm.csa.prod

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

  • watermark

    0

Signatures

  • Cobaltstrike family
  • Unsigned PE 1 IoCs

    Checks for missing Authenticode signature.

Files

  • 2396-55-0x000007FEF7360000-0x000007FEF740C000-memory.dmp
    .dll windows x64