General
-
Target
a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563
-
Size
6.6MB
-
Sample
231024-f68evaag8w
-
MD5
78926bedc1443515fc3fecefaef71d3a
-
SHA1
a552abc794ba66ad9e7e4cdd60dc0183b5e3f054
-
SHA256
a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563
-
SHA512
b4c836d391dfe80a0e84eda0cb24dd8c16d3230639ab5a2315611fbdfa05af7ec69f82f6192f4292e19ed9945e7638d6eb50ef612110c10b4bbd347973eba434
-
SSDEEP
196608:kcFaxmvdsCnc84njQthsiHzYSEz7kAzZW9y:zaUvaCncdnKhsay7w
Behavioral task
behavioral1
Sample
a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563.exe
Resource
win10v2004-20231023-en
Malware Config
Extracted
cobaltstrike
http://103.101.205.55:2333/pR3h
-
user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; NP07; NP07)
Extracted
cobaltstrike
391144938
http://103.101.205.55:2333/cm
-
access_type
512
-
host
103.101.205.55,/cm
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
2333
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChjal7EGSVmle25QWETISuLg+zIQO37PeEPIaS10sC3bFZ1MH3lFSVi2goW8mJhn4API+4eTA76kt9hv4+JIkeNse/N9kdGMmjedjR3CxdPWYR4nsk5VjF0IdNQVFfeUaUjK6iaYHvORDYuqO9InPwVBCWlch3PpI3GuTR8HS8FQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9;ENUS)
-
watermark
391144938
Targets
Target
a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563
-
Size
6.6MB
-
MD5
78926bedc1443515fc3fecefaef71d3a
-
SHA1
a552abc794ba66ad9e7e4cdd60dc0183b5e3f054
-
SHA256
a05ceff0fd2f29d1b12927db895e25d86870da6ebf7825e8599e196f56cf2563
-
SHA512
b4c836d391dfe80a0e84eda0cb24dd8c16d3230639ab5a2315611fbdfa05af7ec69f82f6192f4292e19ed9945e7638d6eb50ef612110c10b4bbd347973eba434
-
SSDEEP
196608:kcFaxmvdsCnc84njQthsiHzYSEz7kAzZW9y:zaUvaCncdnKhsay7w
Score 10/10
Loads dropped DLL