General
-
Target
c2f68afa882adecc96217f7eab229aaa2ec01abfae0d8087bfa3d4fed66fbcbb
-
Size
93KB
-
Sample
231120-fnve9sdh75
-
MD5
b6fb8b50cbfa81b70b4657069710c226
-
SHA1
5679e8026721e338612ac5d987a7739e5673177d
-
SHA256
c2f68afa882adecc96217f7eab229aaa2ec01abfae0d8087bfa3d4fed66fbcbb
-
SHA512
a15a4d45917232900bd5be0ddf9d77e7870d0d9f4b1df0069bf34289731ed83a826f54b377765e7b98c72b76ec29780698ac1deac94bdcde1dbf8bacef20f511
-
SSDEEP
1536:uYhEyx42txwW3Te8eUaOBfRxMTr0ylZVEw9YDC7i50OD:u4Rxwq6XUaOBfRxMTIUVEwee77O
Malware Config
Extracted
cobaltstrike
http://service-a0y8baw1-1319935181.bj.apigw.tencentcs.com:443/bootstrap-2.min.js
-
user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)
Extracted
cobaltstrike
20410727
http://service-a0y8baw1-1319935181.bj.apigw.tencentcs.com:443/api/x
-
access_type
512
-
beacon_type
2048
-
host
service-a0y8baw1-1319935181.bj.apigw.tencentcs.com,/api/x
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
12800
-
polling_time
30000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTWV74mUQ+mRv5G12a9zODYqH4hd3vN8wA5KM1K3qxHkx8PMfWuxuzFPJTbTmmP/psUSaIxASMDmgFAenz3/yOWa2GZRhGhYsxPzqZ3I9pFkF+QUzwhc8fWqWwOJv66NmlHQGJLc2kG3H4GT15QDwwz2TZ8NVMfeDzPuVcpJGwCwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.481970944e+09
-
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/api/y
-
user_agent
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)
-
watermark
20410727
Targets
-
-
Target
c2f68afa882adecc96217f7eab229aaa2ec01abfae0d8087bfa3d4fed66fbcbb
-
Size
93KB
-
MD5
b6fb8b50cbfa81b70b4657069710c226
-
SHA1
5679e8026721e338612ac5d987a7739e5673177d
-
SHA256
c2f68afa882adecc96217f7eab229aaa2ec01abfae0d8087bfa3d4fed66fbcbb
-
SHA512
a15a4d45917232900bd5be0ddf9d77e7870d0d9f4b1df0069bf34289731ed83a826f54b377765e7b98c72b76ec29780698ac1deac94bdcde1dbf8bacef20f511
-
SSDEEP
1536:uYhEyx42txwW3Te8eUaOBfRxMTr0ylZVEw9YDC7i50OD:u4Rxwq6XUaOBfRxMTIUVEwee77O
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of SetThreadContext
-