General
-
Target
82ef24fe015a14e76ef2564a24dc172c96db81b8ef1635e14b1e33bf507c7c3e
-
Size
4.5MB
-
Sample
231011-22egvsch84
-
MD5
4ca760a0b40a1d4a59c2eea6c5a617f1
-
SHA1
ead85132b9dde1afdc3ed9b43909a1f09c41a363
-
SHA256
82ef24fe015a14e76ef2564a24dc172c96db81b8ef1635e14b1e33bf507c7c3e
-
SHA512
32528698622dabea3d9557014500a5ffba85e03bf56c0f3fb4f08091ed442eb5e85edc2b59c953dc7022e9b2cf1b4943ad7fc4a6f90d709752bb0922af7e12a6
-
SSDEEP
98304:Q4d/+NFMV9JyBNMdUh73NM4wmI8Mf1IjuILiibj1ewc0FOTX4sT6:Q4d/+/w9JAMylBwmhjuyiibppbjsW
Malware Config
Extracted
cobaltstrike
http://119.96.194.181:4466/Rpc
-
user_agent
Host: outlook.live.com Accept: */* User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
Extracted
cobaltstrike
1359593325
http://119.96.194.181:4466/owa/
-
access_type
512
-
beacon_type
2048
-
host
119.96.194.181,/owa/
-
http_header1
AAAAEAAAABZIb3N0OiBvdXRsb29rLmxpdmUuY29tAAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAACGQ29va2llOiBNaWNyb3NvZnRBcHBsaWNhdGlvbnNUZWxlbWV0cnlEZXZpY2VJZD05NWMxOGQ4LTRkY2U5ODU0O0NsaWVudElkPTFDMEY2QzVEOTEwRjk7TVNQQXV0aD0zRWtBakRLakk7eGlkPTczMGJmNzt3bGE0Mj1aRzB5TXpBMktqRXMAAAAHAAAAAAAAAA0AAAAFAAAAAndhAAAACQAAAA5wYXRoPS9jYWxlbmRhcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAABZIb3N0OiBvdXRsb29rLmxpdmUuY29tAAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAABAAAADQAAAAUAAAACd2EAAAAHAAAAAAAAAA0AAAACAAAABndsYTQyPQAAAAIAAAALeGlkPTczMGJmNzsAAAACAAAAEk1TUEF1dGg9M0VrQWpES2pJOwAAAAIAAAAXQ2xpZW50SWQ9MUMwRjZDNUQ5MTBGOTsAAAACAAAAOE1pY3Jvc29mdEFwcGxpY2F0aW9uc1RlbGVtZXRyeURldmljZUlkPTk1YzE4ZDgtNGRjZTk4NTQ7AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
GET
-
jitter
5120
-
polling_time
5000
-
port_number
4466
-
sc_process32
%windir%\syswow64\gpupdate.exe
-
sc_process64
%windir%\sysnative\gpupdate.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgwZtr5WmRWGqXa6bxdqQDUmj+XU+vA4zK2b7Nfzq4qy143458ufxXidOMjoSLVP3BqyJgWamd0KYY7Yt3bDmFbWashi7f+OYdWpDNixd5AvcGOOzQhShEZ/0Uz8CG/gc99swyssnxs0YBg9Hka4Wh0ufxO89KSApuLegLE5i1/QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.448416512e+09
-
unknown2
AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown3
1.610612736e+09
-
uri
/OWA/
-
user_agent
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
-
watermark
1359593325
Extracted
cobaltstrike
0
-
watermark
0
Targets
-
-
Target
82ef24fe015a14e76ef2564a24dc172c96db81b8ef1635e14b1e33bf507c7c3e
-
Size
4.5MB
-
MD5
4ca760a0b40a1d4a59c2eea6c5a617f1
-
SHA1
ead85132b9dde1afdc3ed9b43909a1f09c41a363
-
SHA256
82ef24fe015a14e76ef2564a24dc172c96db81b8ef1635e14b1e33bf507c7c3e
-
SHA512
32528698622dabea3d9557014500a5ffba85e03bf56c0f3fb4f08091ed442eb5e85edc2b59c953dc7022e9b2cf1b4943ad7fc4a6f90d709752bb0922af7e12a6
-
SSDEEP
98304:Q4d/+NFMV9JyBNMdUh73NM4wmI8Mf1IjuILiibj1ewc0FOTX4sT6:Q4d/+/w9JAMylBwmhjuyiibppbjsW
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-