General
Target: c1706a.zip
Size: 4.0MB
Sample: 230713-qxqhsagh66
MD5: ae297f8e3850e52a150171aba3838b15
SHA1: 1acad01a18699a088b517013673a85b7ea9f484c
SHA256: 951b16126fd1535144451e2ce1ce64f60b4561d26ff46b9cc02e8c45b588d50b
SHA512: efb549bd05956a7a94ae6bdac5f911086ff627e283522a60ed715ccecd974217dda2897fcb6bcc9acc6a67fc431eeb8b307faea8bbdb3141e0832ac88895df8c
SSDEEP: 98304:4BQZF1zyT7EFeUWqhEluMS4CLIXw6xMAg+/u/FQOJcOeUa:4ef12UEUWJuMS4CLIw1TXcbJ
Static task: static1
Behavioral task: behavioral1
Sample: c1706ae8952eda2d79781eb7f9992dd62da2ea85532a4f4891e693b15a95f714.exe
Resource: win7-20230712-en
Behavioral task: behavioral2
Sample: c1706ae8952eda2d79781eb7f9992dd62da2ea85532a4f4891e693b15a95f714.exe
Resource: win10v2004-20230703-en
Malware Config
Extracted: metasploit
windows/download_exec
http://service-mtrar14d-1316554402.sh.apigw.tencentcs.com:80/login.js
headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Extracted: cobaltstrike
305419896
http://service-mtrar14d-1316554402.sh.apigw.tencentcs.com:80/admin/login
access_type: 512
host: service-mtrar14d-1316554402.sh.apigw.tencentcs.com,/admin/login
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
polling_time: 5000
port_number: 80
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCIf+L6CRq3zedgU1uZz4WOlB5l3w5EVVWHZ6p1yS6ZMJbWzyRDP004C9SyOdlHOEanHAbFHM4En1P/hLVjfGgf0CcN3Us546Z6dXynqT3lqxDm+X0Svfu1fb1Dj2UqQofIOV61p5nbh9HTzbsyOq0f6BeQWZkdQjYV+pbtOecc3wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 3.82554112e+09
unknown2:
AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /admin/user
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
watermark: 305419896
Targets
Target: c1706ae8952eda2d79781eb7f9992dd62da2ea85532a4f4891e693b15a95f714
Size: 10.1MB
MD5: 350d037d53042430fc27afd5167606f6
SHA1: 46ccecd5fc0a86b8b9f2a09cd4109303db77c804
SHA256: c1706ae8952eda2d79781eb7f9992dd62da2ea85532a4f4891e693b15a95f714
SHA512: 5156976355d8357d250500eca1afa15f53520f1b954105772dbcb8b94baad007be5f2930cbbeeedc8359c1c67f02cfd6199317453b817c3aec57242f1a477d2e
SSDEEP: 98304:hQB5yCVQ8FzUxC8MkCCywTN+TKmlyM1ifMYXEwh:h25yOzL8MkCCvTN9MgfMYXb
Score: 10/10
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Checks computer location settings
Looks up country code configured in the registry, likely geofence.