General

  • Target

    0a83626cf498751ee78185bd3b06a884dd511ce5c70c4af2f24d4a4385181aa9

  • Size

    631KB

  • Sample

    230923-m8nxjsef3w

  • MD5

    fd94904ed62387c1c783699971c0b9f6

  • SHA1

    9b38b685f67975e3d1ad1ca0496c20557e88d033

  • SHA256

    0a83626cf498751ee78185bd3b06a884dd511ce5c70c4af2f24d4a4385181aa9

  • SHA512

    1456bbccfe753a4b5238667d0c99bef7a53e370598352c02cf512056a67ceee09ee68a425d08fc46a9caa4ffb6c0454aa7ad3606ef1017a451b9fd901004801d

  • SSDEEP

    12288:r2df9EIHvM4PiOIpHoFGWagW/PO2ugUumsLzX9EAmD:Kp9E4vM4PxGHCBW/PO2iIvX9

Malware Config

Extracted

  • Family

    cobaltstrike

  • Botnet

    100000

  • C2

    http://62.234.60.92:80/introduction/edr

Attributes

  • access_type

    512

  • host

    62.234.60.92,/introduction/edr

  • http_header1

  • http_header2

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    5120

  • polling_time

    12000

  • port_number

    80

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCN6R831GW6+s2ZJ3gpTTuFiJ/J+x5FZb38Zo8bqcctoTF9OwvxMi7zSDJ0wly93NkX1yYtOMMI7OVUR0m6D0Yl6imeZM+S9WRA+UZBTI/w/hAwT35ScEzwkF9ZVSw+jUkUadw9IFCj8oFC6dJW0TI70KU/TS8DUTOaFyZv7reN8QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.103793152e+09

  • unknown2

    AAAABAAAAAEAAAA/AAAAAgAAAD0AAAACAAAAPQAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /api/artical/tag

  • user_agent

    Mozilla/5.0 (iPad; CPU iPad OS 10_3_4 like Mac OS X) AppleWebKit/532.1 (KHTML, like Gecko) CriOS/30.0.834.0 Mobile/77D555 Safari/532.1

  • watermark

    100000
