General
-
Target
225cc67c17f88f2d9ae521c46191e2c8c46b8592c5dc3737dd6d9c45c0abbb8c
-
Size
287KB
-
Sample
231116-yq4e3agd4y
-
MD5
5a71647cebf9715dc6b9c6ca580fde9d
-
SHA1
1a61390f5f27af9b72aa1d6f4c8f1dcfe0061b63
-
SHA256
225cc67c17f88f2d9ae521c46191e2c8c46b8592c5dc3737dd6d9c45c0abbb8c
-
SHA512
a751d5b07d94260a4877b7db772a3fe47db8d795b53ffb19b16f9d285b2466eae19f05890d283eb3fff6397ed2d1fed9663cb90258d7a67504af3902306e727b
-
SSDEEP
6144:z7y3NBvmjTs1fFpNcipNj7ilqr2bC2Gt8Toqi9vjuCDYIi:cvmjTePjeqr2WX8ToqOvqc
Malware Config
Extracted
cobaltstrike
100000
http://search.karesse.com.cn:443/home/page/data/pageserver
-
access_type
512
-
beacon_type
2048
-
host
search.karesse.com.cn,/home/page/data/pageserver
-
http_header1
AAAACgAAAF1BY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2FwbmcsKi8qO3E9MC44LHY9YjM7cT0wLjkAAAAKAAAAG1NlYy1GZXRjaC1TaXRlOiBzYW1lLW9yaWdpbgAAAAoAAAASU2VjLUZldGNoLVVzZXI6ID8xAAAACgAAAB9SZWZlcmVyOiBodHRwczovL3d3dy5iYWlkdS5jb20vAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogemgtQ04semg7cT0wLjkAAAAHAAAAAAAAAAMAAAACAAAAfVNMPTA6TlI9MTA6Rkc9MTtCRFNGUkNWSURfQkZFU1M9bktLdlYzVERZTEVPd1hQc3AzTEc4dS1FRzBQdG9hR2R1Xy1veDhFZWY4ZzBNNTtCSURVUFNJRD1DQjQ5MDYyMkUwNkVENzM1NDQ3MDhGQTZFQzg5O0JBSURVSUQ9AAAAAQAAADw7WkZZPW1IblJ5OkFVTGxXMkNCZVYzUjFWQTpDOyBkZWxQZXI9MDsgQkRfQ0tfU0FNPTE7IFBTSU5PPTEAAAAGAAAABkNvb2tpZQAAAAAAAAA=
-
http_header2
AAAACgAAABpYLUNsaWVudC1WZXJzaW9uOiAyMDIxMDgwMwAAAAoAAAApQWNjZXB0OiBhcHBsaWNhdGlvbi9qc29uLCB0ZXh0L3BsYWluLCAqLyoAAAAKAAAAG1NlYy1GZXRjaC1TaXRlOiBzYW1lLW9yaWdpbgAAAAoAAAAfUmVmZXJlcjogaHR0cHM6Ly9iYnMuYmFpZHUuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAPAAAADQAAAAIAAAA3QkRTRlJDVklEX0JGRVNTPW5SLU9KZXhyN1RtdS1FRzB0VkowTTU7X19iYWlfZHVpZD1GTj0wOgAAAAEAAAA8OkZHPTE7UFNTSUQ9MWY4M2EyZjgwNzg2O0hfQkRDTENLSURfU0ZfQkZFU1M9dFJrRHFuZU1ENW9MM0Q7AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAACAAAAWXsiZXZlbnRfdHlwZSI6ImxvYWQiLCJwYWdlIjowMSwidXNlcl9mcm9tIjoid2ViIiwiZXZlbnRfbmFtZSI6InZpc2l0ZWQtaG9tZSIsImxvZ19pbmZvIjoiAAAAAQAAABUiLCJjb2RlIjoiMTE2MDgyMzg4In0AAAAEAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
5120
-
polling_time
10000
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaL0WK8YTwM7xVya1sV/EyUuUIVtplE56rdGXax1+m91S5ik/ToRBOGPxu8uEr0p30yzvPhiFdttFES1bad4iZ/McumyDbFM2aBIFc2ld+kUfKykYIKXTva/iuujFxemOFZj/VSNrl4zmGVNvsozyb5xQ2Fnq3m0R9CfxG7OuIYQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
8.44502272e+08
-
unknown2
AAAABAAAAAEAAAAlAAAAAgAAALUAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/content-search.xml
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.3600
-
watermark
100000
Targets
-
-
Target
225cc67c17f88f2d9ae521c46191e2c8c46b8592c5dc3737dd6d9c45c0abbb8c
-
Size
287KB
-
MD5
5a71647cebf9715dc6b9c6ca580fde9d
-
SHA1
1a61390f5f27af9b72aa1d6f4c8f1dcfe0061b63
-
SHA256
225cc67c17f88f2d9ae521c46191e2c8c46b8592c5dc3737dd6d9c45c0abbb8c
-
SHA512
a751d5b07d94260a4877b7db772a3fe47db8d795b53ffb19b16f9d285b2466eae19f05890d283eb3fff6397ed2d1fed9663cb90258d7a67504af3902306e727b
-
SSDEEP
6144:z7y3NBvmjTs1fFpNcipNj7ilqr2bC2Gt8Toqi9vjuCDYIi:cvmjTePjeqr2WX8ToqOvqc
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-