General
-
Target
52b01ddb760d8a898025c29e38ec85393abf6a809c5115dc74b1101ee8a84d01
-
Size
485KB
-
Sample
230818-k2bbrsaa4x
-
MD5
77ffb0d3a377853ec5728a57c19f925f
-
SHA1
41793238a7f029265fcf045a0a7263f260c49f5c
-
SHA256
52b01ddb760d8a898025c29e38ec85393abf6a809c5115dc74b1101ee8a84d01
-
SHA512
f636a751e62a22d8835b7d34069dd597aeafa5ff3310219573a26be55f8cc3f61f285c22d5993f2b35fa376f062db05bcdbc69314efaa0e759fb302e53a8fc9c
-
SSDEEP
6144:b0tYuBYbrAcsd6rn7u9SDta2AMtUIIbli1BBqcrnh1hVpXBzprWdqmNHQLD7Of:bcOAcuq7ASw2AM5b2crvpxs8mHQq
Static task
static1
Behavioral task
behavioral1
Sample
52b01ddb760d8a898025c29e38ec85393abf6a809c5115dc74b1101ee8a84d01.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
52b01ddb760d8a898025c29e38ec85393abf6a809c5115dc74b1101ee8a84d01.exe
Resource
win10v2004-20230703-en
Malware Config
Extracted
cobaltstrike
100000
http://captcha.jincheng4917.cn:443/api/v3/account/login/qrcode/scan_info
-
access_type
512
-
beacon_type
2048
-
host
captcha.jincheng4917.cn,/api/v3/account/login/qrcode/scan_info
-
http_header1
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
-
http_header2
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
-
http_method1
GET
-
http_method2
POST
-
jitter
5120 (raw extractor value — Cobalt Strike stores jitter as a percentage, and 5120 = 0x1400 reads as 20 if this 16-bit field is byte-swapped; the same reading turns beacon_type 2048 (0x0800) into 8 and access_type 512 (0x0200) into 2. Confirm by re-parsing the config before relying on these numbers.)
-
polling_time
10000
-
port_number
443 (the extracted C2 URL on this page is rendered with an http:// scheme on port 443; for network detection match on the host, port and URI paths rather than on the scheme)
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
(these are the spawnto targets the beacon uses as sacrificial processes for post-exploitation jobs; on an endpoint, hunt for dllhost.exe launched without its usual `/Processid:{GUID}` command line or from an unexpected parent process)
-
state_machine (despite the label, this blob is a base64 DER SubjectPublicKeyInfo RSA public key — `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ` is the standard 1024-bit RSA SPKI prefix — followed by zero padding; its fingerprint can be used to cluster samples built on the same team server)
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCob32D6dU7qf8KsvLx4JyS8MajH6r5XxxUGWimNofk3p24qhCyqt/qQUZl35HA+fx/SymsU4nBxfFuzrUTuIzhUMyORCOQhg/iSPEYp1QmcvMwJzq4MRCv602qRPfjB/bxHwNbQntqJeHROMhe/ULHfWcQk18WxtJldbkEKPt3XwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
8.44502272e+08
-
unknown2
AAAABAAAAAEAAAAkAAAAAgAAALYAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/api/v3inv2/za/logs/batch (POST callback path, per http_method2 above; the GET path is the one listed under host)
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.3600
(note the atypical trailing `00` in `Safari/537.3600` — a genuine Chrome UA ends in `Safari/537.36`; this string is a usable proxy/IDS signature for this build)
-
watermark
100000 (this watermark is shared by many cracked/leaked Cobalt Strike builds and should not be used on its own for attribution)
Targets
-
-
Target
52b01ddb760d8a898025c29e38ec85393abf6a809c5115dc74b1101ee8a84d01
-
Size
485KB
-
MD5
77ffb0d3a377853ec5728a57c19f925f
-
SHA1
41793238a7f029265fcf045a0a7263f260c49f5c
-
SHA256
52b01ddb760d8a898025c29e38ec85393abf6a809c5115dc74b1101ee8a84d01
-
SHA512
f636a751e62a22d8835b7d34069dd597aeafa5ff3310219573a26be55f8cc3f61f285c22d5993f2b35fa376f062db05bcdbc69314efaa0e759fb302e53a8fc9c
-
SSDEEP
6144:b0tYuBYbrAcsd6rn7u9SDta2AMtUIIbli1BBqcrnh1hVpXBzprWdqmNHQLD7Of:bcOAcuq7ASw2AM5b2crvpxs8mHQq
Score10/10 -