General
-
Target
45c3b8fd47b4fedc1a4e3d1da49d0c027a9ba0cc106ba6d0a321ebe8e47e85ce
-
Size
7.8MB
-
Sample
231007-kv2v5sab9y
-
MD5
8e7df7ab7581fd08a1d304c7c001c6d4
-
SHA1
a452cd39b0618855c5aa088981a2d7f204ea84a5
-
SHA256
45c3b8fd47b4fedc1a4e3d1da49d0c027a9ba0cc106ba6d0a321ebe8e47e85ce
-
SHA512
e705c6848e224b0a2dd1ed88bbe58f37f582b6e39190508daba4e517571d3039b2525b6233d4f357811216a42c0851831beef70bdcb044ff21438b02c311053d
-
SSDEEP
196608:0sdiIE7SRpoOQXMyH9onJ5hrZEnhbJMFjfWPZYizpIzC9qA:FiIE7YojcyH9c5hlEnhyFzWPZY/C
Malware Config
Extracted
cobaltstrike
http://1.116.127.12:1666/b9Xj
-
user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)
Extracted
cobaltstrike
100000
http://1.116.127.12:1666/ga.js
-
access_type
512
-
host
1.116.127.12,/ga.js
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
1666
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD0iXc1ShbkYy6kL8I8s7H6HqY+8ggQGylyvUsNZczn4NvS9B7aWrLtleVIi4gVF8hFv5mOHkoCSIApUbVAGw7LQsUVCebmbPLNQPrgEE2USHslQ1xoJAoUsJ3XGQzIN9xoH6W2mb5usRzNd0IESsEcJGnx5oRFaJ9rvDKkvNGNlwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MDDRJS)
-
watermark
100000
Extracted
cobaltstrike
0
-
watermark
0
Targets
-
-
Target
45c3b8fd47b4fedc1a4e3d1da49d0c027a9ba0cc106ba6d0a321ebe8e47e85ce
-
Size
7.8MB
-
MD5
8e7df7ab7581fd08a1d304c7c001c6d4
-
SHA1
a452cd39b0618855c5aa088981a2d7f204ea84a5
-
SHA256
45c3b8fd47b4fedc1a4e3d1da49d0c027a9ba0cc106ba6d0a321ebe8e47e85ce
-
SHA512
e705c6848e224b0a2dd1ed88bbe58f37f582b6e39190508daba4e517571d3039b2525b6233d4f357811216a42c0851831beef70bdcb044ff21438b02c311053d
-
SSDEEP
196608:0sdiIE7SRpoOQXMyH9onJ5hrZEnhbJMFjfWPZYizpIzC9qA:FiIE7YojcyH9c5hlEnhyFzWPZY/C
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Loads dropped DLL
-