General
-
Target
07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a
-
Size
651KB
-
Sample
231118-frpdesbd88
-
MD5
aba2b3ab5fefecbab8b28a8fdce0c0d0
-
SHA1
5ac23d773992a2b6564583bc9622c3d56ec7d526
-
SHA256
07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a
-
SHA512
5270e517b5f6ad94239808a09b2f07115a399db19c1cfe207b874bdff9b571cd5251ec8d92b02a6eb9efa9d5735818ba2dc9c2b38b3e786c55af31a4e6ac6a25
-
SSDEEP
12288:BubsNSOetfARQAPyXUzX+tLfLzE3h6aRyaGt2:BubsnafAPykyfLYEiGc
Malware Config
Extracted
cobaltstrike
1234567890
http://59.42.194.18:7777/pixel
-
access_type
512
-
host
59.42.194.18,/pixel
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
7777
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJBl3JeZjFQGCzw3ZcefRHfn6pHEp+iRk4bh00wquUQwUGTjd6Ll2I61mHcfa97MjSS0LRsq6+Os3du6P6i79Q54x2IE++G5ptyJGl89HPNj4IF2j9jIrDqoCIrwf09JPz/Zd+PbB0lcsaXsH6CiLsdSk/zw35Czm/wjUkfQUS/wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
-
watermark
1234567890
Extracted
cobaltstrike
0
-
watermark
0
Targets
-
-
Target
07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a
-
Size
651KB
-
MD5
aba2b3ab5fefecbab8b28a8fdce0c0d0
-
SHA1
5ac23d773992a2b6564583bc9622c3d56ec7d526
-
SHA256
07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a
-
SHA512
5270e517b5f6ad94239808a09b2f07115a399db19c1cfe207b874bdff9b571cd5251ec8d92b02a6eb9efa9d5735818ba2dc9c2b38b3e786c55af31a4e6ac6a25
-
SSDEEP
12288:BubsNSOetfARQAPyXUzX+tLfLzE3h6aRyaGt2:BubsnafAPykyfLYEiGc
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-