General
Target
c56b7305f91e9d83acf40825e1258b8a633fefc2ccf2bf460d3db1c9dab0b97a
Size
416KB
Sample
230912-tm7wvsgf44
MD5
6c569cb15e1d67e8da738a7e070f7a48
SHA1
39667591443b46ffe97d5be1d8c54be2d96430cf
SHA256
c56b7305f91e9d83acf40825e1258b8a633fefc2ccf2bf460d3db1c9dab0b97a
SHA512
f225002a9aedfe01c71cc7d9738ca0d187cc7f932b8395f3c0170c08c3e28af2470ca2c07e5e661d4440b0e76ac88bdc467e17e8557ad4d43f27952bc031cc5f
SSDEEP
6144:o29kXbQlag4kbE5ZB0niXYEajN/0SMFsIDRg7PnRk:o2Ebdbk0Zkz5NTSsIDWPRk
Static task
static1
Behavioral task
behavioral1
Sample
c56b7305f91e9d83acf40825e1258b8a633fefc2ccf2bf460d3db1c9dab0b97a.dll
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
c56b7305f91e9d83acf40825e1258b8a633fefc2ccf2bf460d3db1c9dab0b97a.dll
Resource
win10v2004-20230831-en
Malware Config
Extracted
cobaltstrike
1
http://service-danrwqax-1301060684.sh.apigw.tencentcs.com:443/modules
access_type
512
beacon_type
2048
host
service-danrwqax-1301060684.sh.apigw.tencentcs.com,/modules
http_header1
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
http_header2
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
http_method1
GET
http_method2
POST
jitter
9472
polling_time
68868
port_number
443
sc_process32
%windir%\syswow64\runonce.exe
sc_process64
%windir%\sysnative\runonce.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgwcAtV5Vnx2SSjjVi4Y9f8z2CmCbtwkSaYSDjfpVHndwYrit6KFrBHrn/rBuWUelhprYY/7b2f33VVFG5KmuJMHMOso7MbyxvfsGWo35WZ5cB+c/xsiN3pUad/Ob9LPKrZ4IMGuFQZGqfcL2gN3LX+NwCjbK0dudMoDHAsm7G6wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.272630272e+09
unknown2
AAAABAAAAAIAAAFSAAAAAwAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/eso
user_agent
Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202
watermark
1
Extracted
cobaltstrike
0
watermark
0
Targets
Target
c56b7305f91e9d83acf40825e1258b8a633fefc2ccf2bf460d3db1c9dab0b97a
Size
416KB
MD5
6c569cb15e1d67e8da738a7e070f7a48
SHA1
39667591443b46ffe97d5be1d8c54be2d96430cf
SHA256
c56b7305f91e9d83acf40825e1258b8a633fefc2ccf2bf460d3db1c9dab0b97a
SHA512
f225002a9aedfe01c71cc7d9738ca0d187cc7f932b8395f3c0170c08c3e28af2470ca2c07e5e661d4440b0e76ac88bdc467e17e8557ad4d43f27952bc031cc5f
SSDEEP
6144:o29kXbQlag4kbE5ZB0niXYEajN/0SMFsIDRg7PnRk:o2Ebdbk0Zkz5NTSsIDWPRk
Score 10/10