General
-
Target
19X.rar
-
Size
17.7MB
-
Sample
231116-jjkl2sgb83
-
MD5
703e04361ca1e3a3f50c519dc72969df
-
SHA1
515ec03934a9731c157367092935eed3cb22570e
-
SHA256
b6fbd300520e46f761b778cfc7595b43db385c79a1d7e4c4ce40e782f78a1c01
-
SHA512
74faa807deb7e03ad5f22244cd7556b0d7c3e22efb90bdad61590581128e6e3062b461af150bcac4ee7c638c1369ed5ea2a6a881d9c258ad76220d9c63f48ce4
-
SSDEEP
393216:xFYpkGpGjixj+wg6DfEqVYpFgKeZVzjJfNCVFZyxze3z8Gpmc4:TwX/Z+qDcqCngKe73DCVFoxz+zLpy
Malware Config
Extracted
cobaltstrike
100000
http://23.105.197.219:4433/dpixel
http://service-ho26i50l-1306669097.bj.apigw.tencentcs.com:443/assets/code-3d7b701fc6eb.css
http://45.32.26.214:443/IE9CompatViewList.xml
-
access_type
512
-
beacon_type
2048
-
host
23.105.197.219,/dpixel
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
4433
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDohWpPN9dK5Iaq3j5MARwhwXxMD+LZJY92SEg755tH3cbGJDwjAjae+Cq14PUO5w33EpPbdmLoEfwZmXv2Zz/AYj0O8mNmRw35sEPhPXGKj1Snqz4qS1EVBYgJOSMLEUCg7LBwHQtvsGnoZjszjkVqf9Hi9INcnBF8qLyh4JrKQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
-
watermark
100000
Extracted
cobaltstrike
0
-
watermark
0
Extracted
cobaltstrike
http://45.32.26.214:443/qMTK
-
user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 2.0.50727)
Extracted
cobaltstrike
987654321
http://101.33.196.232:50080/g.pixel
-
access_type
512
-
host
101.33.196.232,/g.pixel
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
50080
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFvNsNMz+wjKBz8+fAbCDfp8OlTq80fRxt9K0GPS+NksQsIwJiMrpPyqCNkV7e6Kp6zhlRcnnSXF3CCQZabTqKzy2MPrgzrN5u2Ck1hcKZD78r0xc++4DlyY0vT2LVPG93cZ6NUzP5libC1qkHsgFZiiLso8zMNvSje5hQk2hBMQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; InfoPath.2)
-
watermark
987654321
Targets
-
-
Target
2023年11月新发布-财会人员薪资补贴调整新政策所需材料.exe.vir
-
Size
3.8MB
-
MD5
f8b1ed547729841918abbea9d2dedb55
-
SHA1
d35a443f87abae38de4980e2a83762a6619ec183
-
SHA256
8ccf7db0910464d7424b2d2d7366838d6dfc71f9de474d96b05275b1ae97d290
-
SHA512
27a579794d59a6cbd8391e1f785f0e93b6f87f8fad6937cac908a87422eff9f33a40b069eb74d4556565425bad1d1b0e83f0cc220cf34f0b99a5faece5daff38
-
SSDEEP
98304:GgqM4j53BslobUytMfeUUzeeQY+fSOs0B4/:GQo3BXbUSXzdQP0B
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
-
-
Target
Due invoices Mazaya_pdf_pdf.vbe.vir
-
Size
253KB
-
MD5
3919f2651d3a2150d2b0f4a524a21d4d
-
SHA1
73afa41f4077944a60cabb33039c0b2b53beaa19
-
SHA256
65483583f447318ebd71f370c19ac7a6b17bf6a88519d6bc0c8ed364e4c8c4af
-
SHA512
51e2cfb4dc884a6b95688290842781584294123f60ea725b2e1e9f38ad9c927f86c753958708889b44e015479188edcf649ac03302aa4f93066aa2f4559c2905
-
SSDEEP
6144:yim4VdU4dGdvf7ctWjc+wHRGUTAmyRFnc+Jg1m8mLIxCH:yyyjRtYtmiCH
Score1/10 -
-
-
Target
tools-读取浏览器敏感信息.exe.vir
-
Size
2.7MB
-
MD5
18a10beb3838795efe07c622dc8f8f03
-
SHA1
81ec86eb1739e62c7b53e18e63d30f38389c442e
-
SHA256
17f271033078f2f2eece8eee32675ce6c1c8daf46fff03c7b0d533ff0eea04db
-
SHA512
8d9d8b80b6a60531b5df0e162fbf8ecb02ebe97ce011ce6c130d1afa3dcee7e4833467995855e459a4e7ab83fb9727ee6c43629f4afe328ee4ec31186080ec7f
-
SSDEEP
24576:WA/6cfDiOoLAERYdIfkYRiP1mxgZJeNAPT6mCVo2007Uef5JGKRnT1ivjx637DI5:WANDiOoLxYdI7ksWy9egRfcYt
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
-
-
Target
信息收集模板.scr.vir
-
Size
50KB
-
MD5
49fabc0fad474cee7e352548ff0ca4e2
-
SHA1
03715013403f35a45e58f19c29f13ed007f7521e
-
SHA256
b5555ceee159bce03bbe42fe99ce0266908431aef6aca5a3dc84b54ac141972b
-
SHA512
3673da807e816c470365a466f628d82ac5f3ef25efa49acdcf66bdd5048a8ed5595aea04d0d30f809780e993a79c82e5493475494a28ffd602405b5fa8b7ef25
-
SSDEEP
768:PsCV043oy9FnDaVzDubBeuiP3CYO+eNfcF4Soker6qQ4HyWOPHxT+scX2v:PsCV0O3D6uUuHYOjNfcqJgqxOZcG
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
-
-
Target
公司资料.exe.vir
-
Size
3.8MB
-
MD5
dc2e923303897fb5004c34693dc2eb74
-
SHA1
92006b30ecda6a1c091d9f7f8a4c1f060f3b9188
-
SHA256
6cb75a4a8d2dbfaca87e837cf411fde1bb5b0cffd9a09f5e8bb077d9b385a446
-
SHA512
606f67640ad9be15b4275f409b430c476150219bee941a69adf4519dc229cbcd6ea20e71bff8be9204916682731941e0c315d1421dc115115cc1ae78bc32e807
-
SSDEEP
98304:GgqM4j53BslobUytMfeUUzeeQY+PSOs0/4lf:GQo3BXbUSXzdQ/0Nf
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
-
-
Target
安全检查资产上报收集表-20231103-___xlsx.scr.vir
-
Size
48KB
-
MD5
abcca3f54a53769573ea56017d98f83b
-
SHA1
ee0d28c358aa299422b92fb648feb7ee9788eef6
-
SHA256
bdc2b1fa8b1bfc0a01577f524cf54bf1cea087d39396e915c943d3304fcab03f
-
SHA512
a217a2466ea355aa998d8b2f4643246f782e0d5ab01827cf80622b1fcbacbe9c478fb777a1ed510e6170fcdfe7d80519155a769e2d68bf4193894275ce3b6968
-
SSDEEP
768:fkzyZG7SI3/5UOwVxzgXs/RH3KYO+eNfcF4Soker6qQ4HyWOPHxT+scX2v:fkziG/ejwYOjNfcqJgqxOZcG
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
-
-
Target
提交材料.exe.vir
-
Size
3.8MB
-
MD5
aacf37fe5bddbad79fe940b129e4ab20
-
SHA1
fa3b2b05bbf9fe0f076de647ee1b4d4c49e06c59
-
SHA256
fa84c2b8cd4846e1c224d7dfb26e3737393b5fe13738b8d725d9b3815f9b0be1
-
SHA512
28f69ea85c4fbf0e98b60db5c17d1bca1c152d75e63c676e0deb4dceb244d95cad5bdf9a407c6638b4e42eaf90ca565521892fcf196265a375693a681d416a87
-
SSDEEP
98304:GgqM4j53BslobUytMfeUUzeeQY+ySOs0q4R:GQo3BXbUSXzdQC0c
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
-
-
Target
李志-账号密码记录-解压密码-20231116.exe.vir
-
Size
13.4MB
-
MD5
2c8fb8705dbce5899bf596163a9b077a
-
SHA1
7233623d12b409760193c0be6fbb4b330fc74788
-
SHA256
ec799e2ed133c709d9eb321b3876c8c3167314ff14ea407f2bffea51322e1ad3
-
SHA512
22a63989d76dfc48c59f91196759b724ec7ff50bd41f61f5a590381e1563cc1059003e4087a6d65bcd95d50cc3991364d255343658b074193fcc8a949df21f40
-
SSDEEP
98304:83Xn/gtuU2ICoM6f465FjjnrZ/cfMKpSw6Z5Vc1EboPkywplb:MX/gtuU2IY6PBcfMbN5VcGbo8Z
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
陈力-病例.exe.vir
-
Size
2.8MB
-
MD5
10c96aedcd2ed82fe26d937e7e29285f
-
SHA1
2d608da10f568af323d10710040e47aa67e4d470
-
SHA256
68872f9505bff7b151ff544de1916635f2df003db63fa3cc288d953d3895389f
-
SHA512
01b5eb4dd7b8089a58994ddbb3dc0499ada0cf1bf7bcfb1cc30acfb4c2e5a2ebb8b8a4a032d0bf76816ea2022d5bfa12544b7fbd74017221a81dedfda3001968
-
SSDEEP
49152:Q7RFAhs1nZUm9fe15Fg2UQ+UZnqctKj8mngNMjZ42xI0:0RF5AlqcG87Ojlx
Score6/10-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-