General

  • Target

    0c96b3517b389205be5b8f629410e6da432e66f3cbde964f376534e218953a37

  • Size

    159KB

  • Sample

    231020-t16wqaeh38

  • MD5

    8dbf208b889461065a224adfb2ae9772

  • SHA1

    e7816ab790005aa613f951dd64b05af7951a15cd

  • SHA256

    0c96b3517b389205be5b8f629410e6da432e66f3cbde964f376534e218953a37

  • SHA512

    7a064f2c758c6d40604ff955881c16d66362d7e416b9e10054a277f30a94520ca3a4195ce4b336a74a0a154bb32f72af0af2ae552b8fe4d4186659775c1088f3

  • SSDEEP

    3072:zqPrDoPMFQjq5zhSJ8REJ84j+pQXslS8cDN0YleImqyTJJHJBS:zszSJkErclMD+YlT3oH

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://192.168.1.11:80/owa/

Attributes
  • access_type

    512

  • host

    192.168.1.11,/owa/

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAACGQ29va2llOiBNaWNyb3NvZnRBcHBsaWNhdGlvbnNUZWxlbWV0cnlEZXZpY2VJZD05NWMxOGQ4LTRkY2U5ODU0O0NsaWVudElkPTFDMEY2QzVEOTEwRjk7TVNQQXV0aD0zRWtBakRLakk7eGlkPTczMGJmNzt3bGE0Mj1aRzB5TXpBMktqRXMAAAAHAAAAAAAAAA0AAAAFAAAAAndhAAAACQAAAA5wYXRoPS9jYWxlbmRhcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAABAAAADQAAAAUAAAACd2EAAAAHAAAAAAAAAA0AAAACAAAABndsYTQyPQAAAAIAAAALeGlkPTczMGJmNzsAAAACAAAAEk1TUEF1dGg9M0VrQWpES2pJOwAAAAIAAAAXQ2xpZW50SWQ9MUMwRjZDNUQ5MTBGOTsAAAACAAAAOE1pY3Jvc29mdEFwcGxpY2F0aW9uc1RlbGVtZXRyeURldmljZUlkPTk1YzE4ZDgtNGRjZTk4NTQ7AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    GET

  • polling_time

    10000

  • port_number

    80

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTGlQVYEKx+zEx/XlvnRZHkR4XgeWa6eMBAUG9gpgqOd0Gz2Szgc0nTBqfh75B1qHdxHyaFiW6FM/VOzDCKUEb2XKVeExuPT3bEfDMjZgkGv9ixXhUb5Hp4TmSgoRNVh4AOqLC/tiYMnSmwhGcEh0507I0n+pH/IWD8ZceZbcDQwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.448416512e+09

  • unknown2

    AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown3

    1.610612736e+09

  • uri

    /OWA/

  • user_agent

    Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

  • watermark

    100000

Targets

    • Target

      0c96b3517b389205be5b8f629410e6da432e66f3cbde964f376534e218953a37

    • Size

      159KB

    • MD5

      8dbf208b889461065a224adfb2ae9772

    • SHA1

      e7816ab790005aa613f951dd64b05af7951a15cd

    • SHA256

      0c96b3517b389205be5b8f629410e6da432e66f3cbde964f376534e218953a37

    • SHA512

      7a064f2c758c6d40604ff955881c16d66362d7e416b9e10054a277f30a94520ca3a4195ce4b336a74a0a154bb32f72af0af2ae552b8fe4d4186659775c1088f3

    • SSDEEP

      3072:zqPrDoPMFQjq5zhSJ8REJ84j+pQXslS8cDN0YleImqyTJJHJBS:zszSJkErclMD+YlT3oH

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Matrix

Tasks