General
-
Target
ae079a8a0e46c46ec2087c974c78795148fb2dff00d38165d042e34e239840f7
-
Size
11.9MB
-
Sample
231115-kx1qvsgf4z
-
MD5
9db4021c24db6ee7d031936f86aae672
-
SHA1
74fe959be7595fdf477b54d7c2a7d6864313202a
-
SHA256
ae079a8a0e46c46ec2087c974c78795148fb2dff00d38165d042e34e239840f7
-
SHA512
4bdf78e891cf3a1f0cbd1d38ff6021fbcf0ca9c3180a5bde567ce7001a0b5943c46316616cbc63fb9467207d0a16f29d9413036ef8cd20e0d5364cbe0eda91f9
-
SSDEEP
196608:0oCI6k9M6VIsPWWwOE7af500z6sXSzrq7KZMRaZAJr6L0H/3M+ZgVVolIAk:BCRT5OUO536s2q7sMRHJ+Y0SgVKlpk
Malware Config
Extracted
cobaltstrike
100000
http://47.92.31.78:80/socialapiVersion=1.1
-
access_type
512
-
host
47.92.31.78,/socialapiVersion=1.1
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAdSG9zdDogb2ZmaWNlY2RuLm1pY3Jvc29mdC5jb20AAAAKAAAAKVJlZmVyZXI6IGh0dHBzOi8vb2ZmaWNlY2RuLm1pY3Jvc29mdC5jb20vAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAA0AAAACAAAACF9fbXMtY3Y9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogY2RuLmJvb3Rjc3MuY29tAAAACgAAACBSZWZlcmVyOiBodHRwOi8vY2RuLmJvb3Rjc3MuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAPAAAADQAAAAUAAAAEZXRhZwAAAAcAAAABAAAADwAAAA0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
30000
-
port_number
80
-
sc_process32
%windir%\syswow64\runonce.exe
-
sc_process64
%windir%\sysnative\runonce.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCDNXFfUSnRiMrus01oooCz6LOvdmjEE+7t+6lWJPjRacCsjD36xkeHkaQzYHqBIcp+IjzNOQWAkZeqSKWsWAdUzYDFb4JxRk+REfYtFkqJdO6vJYr9HeSBbcvIVifI4mnpePP5LjtfV9x8AHu1EGqJVJ6LIkucf4QWdZlyxuV5pQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
2.657621248e+09
-
unknown2
AAAABAAAAAEAAAdZAAAAAgAAB/IAAAACAAAD+AAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/socialapiVersion=2.0&include_base=true
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.26
-
watermark
100000
Targets
-
-
Target
360hbtheme/360hbtheme.dll
-
Size
18.1MB
-
MD5
409837cc5ea19c916d8c14fd3739fd5e
-
SHA1
fced3169c6b3d43f14baab9659f99cd1e5cd563c
-
SHA256
6ebd682d580cd848e0b21db2d95d69a9a827f7faf1d5b6defc6f990f38aabcb3
-
SHA512
383fc3738462d211682c53be4a9622fd63998be1dc2be9a3bd1732ca1e79faf84c9bcf7ea806eeebe4f6f663b26b66bfc2a1f77e98f8cbf3e468482a430a1c99
-
SSDEEP
196608:pd5mDRzElNjBUXFFEUlc6+KQJmz84MisKkw4G/hAJdW:5URmNjOnTc6+V1is+BpAJU
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
-
-
Target
360hbtheme/360hbtheme.exe
-
Size
221KB
-
MD5
343f45d0971313b045ed3d3ad4f88469
-
SHA1
a89c8460e7433270b02afc832680b5ba61dd9882
-
SHA256
880ddcd3677bbd1106592ff78ba0ecaf771ddb94c4a33a2b54fa047e42c79640
-
SHA512
6e2b6c49c0b3d15d87cc8b3af2cc935173aa0efc4866d3acaa58fa020f99e87de6011ffe41dc97ed24b2db2ec9e634e2e3cf39abd73fa2385b2bcbbd94f6cc9e
-
SSDEEP
3072:4A/0I3ZWwMcd+P8KdfKsM8x1aTKsgFPgAgXq/TRO1uBFygyjNgK1dADYFe:JpW3cd+P8Ois3Fj9trPygySK1XFe
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
-
-
Target
360hbtheme/360hbthemeOrg.dll
-
Size
2.4MB
-
MD5
73310f303b4005076df39f7beec4835d
-
SHA1
50f4a0964ed6ddd575e83ded9c012a5c395dae0f
-
SHA256
1e7a0dff91975b80330faad8ca1faa17879b2158dc956e83125f4876bbbc691f
-
SHA512
21cf60571671522ea7171eef45725dadd4d9f3b08370021f8409ac857e7a6ca8a5fc0acb72037d1ba7b9cb10004c998f6bba008358a62c1ad8825e1229add6f8
-
SSDEEP
49152:F9jW5RvDAnskbk5PbipK8RIJkE5d/EmR5eM:FpGvCbEkETLmM
Score1/10 -