General (overall score 10/10)
-
Target
10X.zip
-
Size
81.7MB
-
Sample
230816-hlem5sgd32
-
MD5
3dd8f4af90cbd3433dbdf45e4d410579
-
SHA1
219a5f70bbc7b89e7d8ee1a78244af3114430c08
-
SHA256
751b8ab3828a9f3a67d511c8b376cffa895807a7ea39e4e98cc9bec04f06949a
-
SHA512
ff31838f7ad2ad7dee4141229cce5667380c48c0ddd56fb0158de341ad1ff65ae7021c194a3dce930108c9023fcdc3e479d467caabe082a919554b81f6650d4b
-
SSDEEP
1572864:KjJw0I6hjhypKuwZAfcvr1e7H/IQbQjQs80Bc4y0PCfK8L01o8RN1erPTfCKD2:GJw76dI7avJRR80BSQSr01owjQPT6s2
Behavioral task
behavioral1
Sample
1.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
1.exe
Resource
win10-20230703-en
Behavioral task
behavioral3
Sample
1.exe
Resource
win10v2004-20230703-en
Behavioral task
behavioral4
Sample
10.exe
Resource
win7-20230712-en
Behavioral task
behavioral5
Sample
10.exe
Resource
win10-20230703-en
Behavioral task
behavioral6
Sample
10.exe
Resource
win10v2004-20230703-en
Behavioral task
behavioral7
Sample
2.exe
Resource
win7-20230712-en
Behavioral task
behavioral8
Sample
2.exe
Resource
win10-20230703-en
Behavioral task
behavioral9
Sample
2.exe
Resource
win10v2004-20230703-en
Behavioral task
behavioral10
Sample
3.exe
Resource
win7-20230712-en
Behavioral task
behavioral11
Sample
3.exe
Resource
win10-20230703-en
Behavioral task
behavioral12
Sample
3.exe
Resource
win10v2004-20230703-en
Behavioral task
behavioral13
Sample
4.exe
Resource
win7-20230712-en
Behavioral task
behavioral14
Sample
4.exe
Resource
win10-20230703-en
Behavioral task
behavioral15
Sample
4.exe
Resource
win10v2004-20230703-en
Behavioral task
behavioral16
Sample
5.exe
Resource
win7-20230712-en
Behavioral task
behavioral17
Sample
5.exe
Resource
win10-20230703-en
Behavioral task
behavioral18
Sample
5.exe
Resource
win10v2004-20230703-en
Behavioral task
behavioral19
Sample
6.exe
Resource
win7-20230712-en
Behavioral task
behavioral20
Sample
6.exe
Resource
win10-20230703-en
Behavioral task
behavioral21
Sample
6.exe
Resource
win10v2004-20230703-en
Behavioral task
behavioral22
Sample
7.exe
Resource
win7-20230712-en
Behavioral task
behavioral23
Sample
7.exe
Resource
win10-20230703-en
Behavioral task
behavioral24
Sample
7.exe
Resource
win10v2004-20230703-en
Behavioral task
behavioral25
Sample
8.exe
Resource
win7-20230712-en
Behavioral task
behavioral26
Sample
8.exe
Resource
win10-20230703-en
Behavioral task
behavioral27
Sample
8.exe
Resource
win10v2004-20230703-en
Behavioral task
behavioral28
Sample
9.exe
Resource
win7-20230712-en
Behavioral task
behavioral29
Sample
9.exe
Resource
win10-20230703-en
Behavioral task
behavioral30
Sample
9.exe
Resource
win10v2004-20230703-en
Malware Config
Extracted
cobaltstrike (watermark 391144938)
Caveat: the C2 hostnames listed below (events02/kunpeng/developer.huawei.com, ngcdn010.cnr.cn) are subdomains of legitimate Huawei and China National Radio domains. The beacon may be fronting through a shared CDN, or the profile may have been copied from a public template; in either case an outright block on those domains risks collateral damage and may not stop the traffic. Pivot on the URI paths, User-Agent string and watermark instead, and confirm where the names actually resolve before acting.
http://events02.huawei.com:80/mall_100_100.html
http://kunpeng.huawei.com:80/mall_100_100.html
http://developer.huawei.com:80/mall_100_100.html
http://ngcdn010.cnr.cn:443/dist/css/bootstrap.min.css
http://events02.huawei.com:443/mall_100_100.html
-
access_type
512
-
host
events02.huawei.com,/mall_100_100.html,kunpeng.huawei.com,/mall_100_100.html,developer.huawei.com,/mall_100_100.html
-
http_header1
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
-
http_header2
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
-
http_method1
GET
-
http_method2
POST
-
jitter
9472 (outside the 0–99 % range Cobalt Strike accepts for jitter; likely a parser or byte-order artifact, so do not rely on this value — the 30000 ms polling_time below is the beacon's base sleep)
-
polling_time
30000
-
port_number
80
-
sc_process32
%windir%\syswow64\runonce.exe
-
sc_process64
%windir%\sysnative\runonce.exe
(these are the spawn-to processes for post-exploitation jobs: a runonce.exe that starts with no arguments and then makes outbound HTTP connections is a high-fidelity detection pivot for this configuration)
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCha1/DygnSgCoAgwMk/GihyCo7dDPfT9Ly3GOl1ftTj2Uw+GxllMDpvpKcZ6z4N6nreBEOLLF57EaEjRJCP+6rOT5ckkVftdwd0mFbvSZR7epvPGRZVvJwkBNSBgcy1RmabLK9yvDA/EqTXkBFubPkdbosM8ieKziaIwNksgSSZQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
303243264 (the parser rendered this integer field in scientific notation)
-
unknown2
AAAABAAAAAEAAAglAAAAAgAACCUAAAACAAACyAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/ajax/recharge/recharge.json
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
-
watermark
391144938
Extracted
cobaltstrike
http://8.140.53.131:8441/cp9Q
http://192.168.174.131:443/mT6f
(192.168.174.131 is an RFC 1918 private address, almost certainly the operator's test network, and is not a usable external indicator. The short four-character paths are consistent with stager URIs, so this entry is probably the stager whose staged beacon is the 8.140.53.131 configuration below; confirm before treating them as separate infrastructure.)
-
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.1) — the parser included the literal "User-Agent:" header name in this field; match on the value only
Extracted
cobaltstrike
100000
http://8.140.53.131:8441/updates.rss
-
access_type
512
-
beacon_type
2048 (not a standard beacon_type code; likely a parser artifact — the transport is plain HTTP to 8.140.53.131:8441 per the URL above)
-
host
8.140.53.131,/updates.rss
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
8441
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcyZ40siKaJNbJ8o8NEC0NFSq0FRGvk+5Nq2pC40JWDY8uGsYaHLNGOPjoUW002n15BT8+mcresZwxdxLebbTNe85dP5hzxJ3p9NvJEsFf9jnmGOGDUsVHPg4zO2D164fjl1ql4W/6iJPeGmCMeVcEiXeUfZNntIHvItUg492wowIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
-
watermark
100000
Extracted
cobaltstrike
0
-
watermark
0
(a third extraction produced only a zero watermark: this is either an incompletely parsed beacon or the zeroed watermark commonly seen in cracked/trial builds; it carries little attribution value on its own)
Targets
-
-
Target
1.exe
-
Size
19.5MB
-
MD5
fb1f8eac10dc30dacda6de2418ceb68e
-
SHA1
a3b5b905c2bd28a7290460be99a5d5185cf601a0
-
SHA256
d0e07185e94799aeb86b32dba29f54fb2ad27633a3f827c9f7158c01379be4fa
-
SHA512
56c7017063577264043d0e0fe374266222b71e38749406582be184e6e721a7652bd96279f65362df759a4417d2ed79c08eebb77911790a74375530c1f4c424b2
-
SSDEEP
98304:GH0Hjkn7MifezpcC1F44HSUZKWSIUbGYjExuy3jiEoj+KR0edbGY:q0wcaCrqrGbxOTxbGY
Score 10/10
-
-
Target
10.exe
-
Size
24.8MB
-
MD5
c333b4f9a2ce4898db1802c445d05a50
-
SHA1
fb033e9d14c196c97c070d73ba9c64e8cbd6f783
-
SHA256
392cb3f6e2ba57262d688c1532e41f878784f293294791552555fa253eb98fbf
-
SHA512
e839cfb9c956099e9380f83f3b4a2a181a604b18a91fa1589aca9ed151a3f413f3b3393ad21c2efb6575e3f863f0c18195d4d09ed3e3279c61260ae62fa40301
-
SSDEEP
196608:IqPk8/F1liNbxyT8pZ8Pp1+p8Fiknxn194AexYg:DkgF21xyT77888M1mAs7
Score 10/10
-
-
Target
2.exe
-
Size
27.0MB
-
MD5
22e35bfac5e47a3debe223d1b7903612
-
SHA1
18467cb472c987ee3e87fa6f5b947e3e61fd27d0
-
SHA256
f4ab0d7831f40339cc4ee4cff9b1c2270e438afa01599d2f354c178abab5e975
-
SHA512
eeb414681ff33de8f3b6b1a06b3fc6b503999b3aa8e108cc2cd51b7fdffc94dfb09ebf34c33ea1da047805d10ceee4dfed9200ae63e4f69f4347d66e506e2ff2
-
SSDEEP
196608:QbwtaWzsMdseGaYKIV0BW2hi7IZ2ABxn7BDJm1n:uwKMdiaY/V0QNG/TBtqn
Score 10/10
-
-
Target
3.exe
-
Size
12.2MB
-
MD5
df2acf16751124667faa3dcf353bd4c1
-
SHA1
7ee16bcc413e2111f8a82cfea4cda2ff2b2e0be8
-
SHA256
7ddc479ac8da482f2ed0e41e64967b73ef2f65ba783baeb12887767a861b44e2
-
SHA512
c29d9597a3e0f77fabb90908901b55855133104cdee9d139aa6592ff57fe5c67ff88cdb67be81bdf85187cd3f63c05ac19af760bbb6e43cb70de1917c79edc7f
-
SSDEEP
98304:p+mpIC6U39pSIsHE/ybpjtgucjDS5tYGa2kl5+8oond7DWVgckHAutJbe:p79Zpl/OUW5tFaDl5TnJqVJkgut
Score 10/10
-
-
Target
4.exe
-
Size
2.6MB
-
MD5
a14a70c9382dafae8082b96692fb6126
-
SHA1
703b869b3d102c18bc1ea7f8ebe9732049cbd710
-
SHA256
7a54e2ff0dd51979498b05c96e134b5e08bfa3a6c470c31590b6dfb7467e9ea4
-
SHA512
e72a8731ab0a9ea180a8b9c00d3d015a18a28434daec01a365fb47ef906ce3c8f7e03dda133769204f4b387f1eae882d3ff541d6d4566e66e26f3c6dd3b5d532
-
SSDEEP
49152:sylqBU83Orb/TKvO90d7HjmAFd4A64nsfJ2U4OOiTXg4tpqbCAb1qQz7eVJiyvpE:Y3MJQuVJws
Score 10/10
-
-
Target
5.exe
-
Size
14.4MB
-
MD5
4b760df2d12695d676f80c9a2161c50f
-
SHA1
3a731986bc0c211c44b6bbba8f7409d3a3393e77
-
SHA256
6ef88b0238d639a377a80cb9c86b90af71644cd8e975a516b2c49e5ecdbc4c01
-
SHA512
ea1fb4ce35e6c34ddeae6422b1c146870798a3f7831bfe082538fff059bf7d0b97858da5bb6b9af220b1d51c583a4b8f07b9c80366b0ef7f4389af71f5bd56ae
-
SSDEEP
98304:j9T1GUwoRbdsOlFEDq7W2m2zFwgbaEjtDjwr7Us1eI81:j3bdQ+7pm2zFjaE5vI7U
Score 10/10
-
-
Target
6.exe
-
Size
21.8MB
-
MD5
c1c83ab28c4c8777fc6e506636acb876
-
SHA1
c42662f48b8aff9e50a917996219f4dedffbff95
-
SHA256
267fff0fe5a2cbe7a27f201cd32f4b5ebe3d1581d756efdd692f087593185144
-
SHA512
cc58497fd527631b1debd98a70cc8f1894989d933de8bb439ded9f7dedc292c25864c2f9d313e5ffd8fb5e64da02e2166b7d9ee326a6ba83bf1fc615f8251a55
-
SSDEEP
98304:vOuJR0GD7/qQfuMuSqEBPdAVy7ApUwl+ZsThEqCrBwjMG9FDqOpZ/BG:vOhiqI16DTiqeBcMGTuOf/BG
Score 10/10
-
-
Target
7.exe
-
Size
7.9MB
-
MD5
91cd982a3db2f6cb6ebc6289aadc3afe
-
SHA1
19351cce4c570680dac3e15a1ff6b36fa295d693
-
SHA256
f63781f3d406e813901ce2dcf652b0dbcd2e85632359dfb424c43d8f8f98c875
-
SHA512
58866b141fcd098233e66da705f54c1c076ae3d99a1f715d8286f02b605e134a73a7b5df5433cd33b084bd700635606f4b83b6cc4353a71c7db808f0e02575ac
-
SSDEEP
196608:d6v8Zk5dQmR8dA6ly8Qnf2ODjMnGydS8a8M2d0AEflIt4tRw0:4qk5dQJl6F3MnG3842t8Cuw
Score 10/10
Loads dropped DLL
-
-
-
Target
8.exe
-
Size
8.6MB
-
MD5
5e639f8c34e0b9942a9fb179112e6655
-
SHA1
04db25f7d87e3931607df2fa5b2494accedb479c
-
SHA256
b0111a5e13a87cf356995a136eedbd783377f8947c774a8a950cba8fb0e9b43f
-
SHA512
8b37ca71de6d2458ccdde6ecbaa9f0977fbd8d7707d520cedc1c0ac74d01053cc2ee43372fd04710cc98545c85a3ad3bc7b40651323e30fd57cfa20f1c2b4a59
-
SSDEEP
196608:epd5a4FMIZETSwjPePdrQJTEOXBNOquwg:fQETSwvJIkOqu
Score 10/10
Loads dropped DLL
-
-
-
Target
9.exe
-
Size
27.3MB
-
MD5
4d215bb4112c723953a80f083fba09e5
-
SHA1
b897b77dbb6dd732d8ba9ed6cfbe9df33dcf5b03
-
SHA256
043417850052333a42c356efd94e5cde95ca0af87ccb6cab4befffbe7fb50a2c
-
SHA512
6e1e9e6404d57304bf332b815ba974e1377962f7aa217b533314e24731d28abf75763d8cf08b84eca5c2f83b6ea97300f2c82927d3fe1249d0ee1e306eee81b1
-
SSDEEP
196608:8F+8xinViPxKUWBO5HG0zuhhFqGMnMffZpOvXBwysDIPK:boYoWtzACfyvXBwysDIPK
Score 10/10