General
-
Target
2807b84c02a3bc1285f3c7294147f0aa75e7a43c34448273adb15c7526e9ae1c
-
Size
4.6MB
-
Sample
230924-h86p5sef52
-
MD5
82f01266856d3758e6a4139724b34b9d
-
SHA1
938b294984db5555b5b94a60e82dec80884ccd44
-
SHA256
2807b84c02a3bc1285f3c7294147f0aa75e7a43c34448273adb15c7526e9ae1c
-
SHA512
24b8faf53fce9c068b79c4480209baebff9a9866637f54cbaf40dd14dbfc68cc35c18b416f7b415355315133b7030466b55ae30d33e0459fd28273fe1404142a
-
SSDEEP
98304:c/I4upEw9DbIKHTezTLIlOUOAgmx6gIg0rV+KZTch2H+3SrP:c/tup1gKHTqTclOUaMdlW/Fch2HeOP
Malware Config
Extracted
cobaltstrike
http://119.96.194.181:4466/Rpc
-
user_agent
Host: outlook.live.com Accept: */* User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
Extracted
cobaltstrike
1359593325
http://119.96.194.181:4466/owa/
-
access_type
512
-
beacon_type
2048
-
host
119.96.194.181,/owa/
-
http_header1
AAAAEAAAABZIb3N0OiBvdXRsb29rLmxpdmUuY29tAAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAACGQ29va2llOiBNaWNyb3NvZnRBcHBsaWNhdGlvbnNUZWxlbWV0cnlEZXZpY2VJZD05NWMxOGQ4LTRkY2U5ODU0O0NsaWVudElkPTFDMEY2QzVEOTEwRjk7TVNQQXV0aD0zRWtBakRLakk7eGlkPTczMGJmNzt3bGE0Mj1aRzB5TXpBMktqRXMAAAAHAAAAAAAAAA0AAAAFAAAAAndhAAAACQAAAA5wYXRoPS9jYWxlbmRhcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAABZIb3N0OiBvdXRsb29rLmxpdmUuY29tAAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAABAAAADQAAAAUAAAACd2EAAAAHAAAAAAAAAA0AAAACAAAABndsYTQyPQAAAAIAAAALeGlkPTczMGJmNzsAAAACAAAAEk1TUEF1dGg9M0VrQWpES2pJOwAAAAIAAAAXQ2xpZW50SWQ9MUMwRjZDNUQ5MTBGOTsAAAACAAAAOE1pY3Jvc29mdEFwcGxpY2F0aW9uc1RlbGVtZXRyeURldmljZUlkPTk1YzE4ZDgtNGRjZTk4NTQ7AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
GET
-
jitter
5120
-
polling_time
5000
-
port_number
4466
-
sc_process32
%windir%\syswow64\gpupdate.exe
-
sc_process64
%windir%\sysnative\gpupdate.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgwZtr5WmRWGqXa6bxdqQDUmj+XU+vA4zK2b7Nfzq4qy143458ufxXidOMjoSLVP3BqyJgWamd0KYY7Yt3bDmFbWashi7f+OYdWpDNixd5AvcGOOzQhShEZ/0Uz8CG/gc99swyssnxs0YBg9Hka4Wh0ufxO89KSApuLegLE5i1/QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.448416512e+09
-
unknown2
AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown3
1.610612736e+09
-
uri
/OWA/
-
user_agent
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
-
watermark
1359593325
Extracted
cobaltstrike
0
-
watermark
0
Targets
-
-
Target
2807b84c02a3bc1285f3c7294147f0aa75e7a43c34448273adb15c7526e9ae1c
-
Size
4.6MB
-
MD5
82f01266856d3758e6a4139724b34b9d
-
SHA1
938b294984db5555b5b94a60e82dec80884ccd44
-
SHA256
2807b84c02a3bc1285f3c7294147f0aa75e7a43c34448273adb15c7526e9ae1c
-
SHA512
24b8faf53fce9c068b79c4480209baebff9a9866637f54cbaf40dd14dbfc68cc35c18b416f7b415355315133b7030466b55ae30d33e0459fd28273fe1404142a
-
SSDEEP
98304:c/I4upEw9DbIKHTezTLIlOUOAgmx6gIg0rV+KZTch2H+3SrP:c/tup1gKHTqTclOUaMdlW/Fch2HeOP
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-