General
-
Target
svchosts.exe
-
Size
17KB
-
Sample
230830-nvebmabe47
-
MD5
19506a320774448a32c28b1a8578b07e
-
SHA1
ca5111ccf3d824204ce03e6b7eaaa38917e094f1
-
SHA256
ca0ab7838b74437f417ecfd636f16d3967aa4cb99209cdfa49e5ca2b00501c61
-
SHA512
50314936532e86400dac245c1c1ffc311735ec5fa8017d792b0819f2cb18c22858b917717431cc3d59a643fd7f6ac2f01cbe91a3928b73386476c0d02617c415
-
SSDEEP
192:UDMAe4Ckj19RZZ6wpSfu1bKcq5uHj7khBDSeKNH4XqhBUbOj6kxiY:UDMAoKz6WtKEj7aBDirhbAY
Static task
static1
Behavioral task
behavioral1
Sample
svchosts.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
svchosts.exe
Resource
win10v2004-20230703-en
Malware Config
Extracted
cobaltstrike
http://150.158.155.208:8011/m4oM
-
user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.1)
Extracted
cobaltstrike
0
-
watermark
0
Extracted
cobaltstrike
1
http://150.158.155.208:8011/updates.rss
-
access_type
512
-
host
150.158.155.208,/updates.rss
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
8011
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCsxG4t0U1/agDUiCA+oKzrQz/PIKsCMTAi5Rslzeb2ToyBV1Qt0wnrbOH2Ne1R1t5VbtUkNW2U9Q37YBtCJq2N27Idmm9LNx/6jhMqZtQJ6c0aDX7LGf2rQXWfw2wiS70G0/j7TpB1A7OwZKSwROU8qCbp9LtDHuCXU404j05sbQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
-
watermark
1
Targets
-
-
Target
svchosts.exe
-
Size
17KB
-
MD5
19506a320774448a32c28b1a8578b07e
-
SHA1
ca5111ccf3d824204ce03e6b7eaaa38917e094f1
-
SHA256
ca0ab7838b74437f417ecfd636f16d3967aa4cb99209cdfa49e5ca2b00501c61
-
SHA512
50314936532e86400dac245c1c1ffc311735ec5fa8017d792b0819f2cb18c22858b917717431cc3d59a643fd7f6ac2f01cbe91a3928b73386476c0d02617c415
-
SSDEEP
192:UDMAe4Ckj19RZZ6wpSfu1bKcq5uHj7khBDSeKNH4XqhBUbOj6kxiY:UDMAoKz6WtKEj7aBDirhbAY
Score 10/10