General
-
Target
66171d820ed1893c567f6be8d28e6ffdb670b1844f6a5a11b0a36cc1bae0bbb2
-
Size
220KB
-
MD5
fa0e50e2e0c1a676b68e7308a9ee1dc2
-
SHA1
6507606570406233f8567a64a9f393da074fd189
-
SHA256
66171d820ed1893c567f6be8d28e6ffdb670b1844f6a5a11b0a36cc1bae0bbb2
-
SHA512
eccf819c6afa7d01d5d0bb78318260c3f3c39343b2cfe9ad895b7423f6a878c84aa96899251148c2556f0ac47328adceb014268103f5904e42c32531a765e9df
-
SSDEEP
6144:dlJ/zWV28CVbOCmOZRODHXLks1YarGR8rj/cQjs7:o9Ubbmc2XLks1YarGR8P9js
Malware Config
Extracted
cobaltstrike
665745135
http://yelp.com:443/gp/aj/private/reviewsGallery/get-application-resources
http://bbc.com:443/api2/json/cluster/resources
http://nytimes.com:443/en-us/p/onerf/MeSilentPassport
http://dictionary.com:443/en-us/p/onerf/MeSilentPassport
-
access_type
512
-
beacon_type
2048
-
host
yelp.com,/gp/aj/private/reviewsGallery/get-application-resources,bbc.com,/api2/json/cluster/resources,nytimes.com,/en-us/p/onerf/MeSilentPassport,dictionary.com,/en-us/p/onerf/MeSilentPassport
-
http_header1
AAAACgAAAJBBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9hcG5nLCovKjtxPTAuOCxhcHBsaWNhdGlvbi9zaWduZWQtZXhjaGFuZ2VkL3Y9YjM7cT0wLjkAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjkAAAAKAAAAIkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIAAAAHAAAAAAAAAAgAAAAPAAAAAwAAAAIAAAAtZGlzcGxheS1jdWx0dXJlPWVuO2NoZWNrPXRydWU7bGJjcz0wO3Nlc3MtaWQ9AAAAAQAAACA7U0lEQ0M9QU4wLU5SWTRjSkdLOU9sQWU7VG1tdjQ9QwAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAJBBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9hcG5nLCovKjtxPTAuOCxhcHBsaWNhdGlvbi9zaWduZWQtZXhjaGFuZ2VkL3Y9YjM7cT0wLjkAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjkAAAAKAAAAIkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIAAAAHAAAAAAAAAA8AAAANAAAAAgAAAARzZXMtAAAABQAAAAJwcQAAAAcAAAABAAAACAAAAA8AAAANAAAAAgAAACl7ImxvY2FsZSI6ImVuIiwiY2hhbm5lbCI6InByb2QiLCJhZGRvbiI6IgAAAAEAAAACIn0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
23040
-
polling_time
15000
-
port_number
443
-
sc_process32
%windir%\syswow64\WerFault -a
-
sc_process64
%windir%\sysnative\WerFault -a
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCKpYKHPTr/o+ua/PTe9MpUMy6X0Y2z5l6FBVcrB9Ldm7LHyNkAYH/+neG1nN0l7A9Wd8e2xeRf+xsnhEAXrQ6wJPBx3GTBygGwcp2+25nd46vIOZBsMsSPNdyR7gj7LVabULJUMAKEfhO8i1ruciX5Uz/LI4FnAlUDYdZ8xdT/VwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
3.0086976e+09
-
unknown2
AAAABAAAAAEAAAADAAAAAgAAAFQAAAADAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/1.5/95648064/storage/tabs
-
user_agent
Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
665745135
Signatures
-
Cobaltstrike family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Files
-
66171d820ed1893c567f6be8d28e6ffdb670b1844f6a5a11b0a36cc1bae0bbb2
829da329ce140d873b4a8bde2cbfaa7e
Headers
Imports
Sections