General
-
Target
43e286c8e051f308a7e1f85c2a5f68e623a55d86b39cab01d3abcc0e74a629ad
-
Size
464KB
-
Sample
231205-wyncpsdh51
-
MD5
c3d75e2fa447502714f41e5e5f59e41c
-
SHA1
c0841ce59d8dcf78b8b7f8fdfc613b3c9053a076
-
SHA256
43e286c8e051f308a7e1f85c2a5f68e623a55d86b39cab01d3abcc0e74a629ad
-
SHA512
341561a7f335cdfbd45404267189e79121be3f5fd2bac067cdd3c163e0e3046e80e88899dbd8b07be3771446516afdaf1155f45480141f1b6aa007910d0136a8
-
SSDEEP
12288:M+JPL6Cel4ObDPFXmhRDFEZ4lnwpKk+Jfsh:dJP6uObJWhxFEZ4lnwAk0sh
Malware Config
Extracted
cobaltstrike
1234567890
http://38.54.81.4:443/Gateway_helps
-
access_type
512
-
beacon_type
2048
-
host
38.54.81.4,/Gateway_helps
-
http_header1
AAAAEAAAABBIb3N0OiAzOC41NC44MS40AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAZQWNjZXB0LUVuY29kaW5nOiBnemlwLCBicgAAAAoAAAAlQWNjZXB0LUxhbmd1YWdlOiBlbi1HQjtxPTAuOSwgKjtxPTAuNwAAAAcAAAAAAAAACAAAAAMAAAACAAAAK3dvcmRwcmVzc19kNmMwNDA1ZTBkN2FiMThmZDRlNmEwYjc0ZmNlNDBiMD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAABBIb3N0OiAzOC41NC44MS40AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAlQWNjZXB0LUxhbmd1YWdlOiBlbi1HQjtxPTAuOSwgKjtxPTAuNwAAAAoAAAAYQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluAAAABwAAAAEAAAADAAAAAwAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9984
-
polling_time
56245
-
port_number
443
-
sc_process32
%windir%\syswow64\runonce.exe
-
sc_process64
%windir%\sysnative\runonce.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDb2d1Pft3yev9PNANTXtA2HrkfVqRKNqhi/XQBq0Y/X1lP3rXcEYZbQ0mzVuGIhWKyXWg9suCj3IFVgwGOZvDcKxJCpmYun+j4PdNiscibrvHdtDZrtcOs+9N3AZF6WZifEm4W7unZBNd8rP6HSg4SeHhS7cobwXxkCdwfOjaJpQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
2.477861376e+09
-
unknown2
AAAABAAAAAIAAAbnAAAAAwAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/network_connect
-
user_agent
Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202
-
watermark
1234567890
Targets
-
-
Target
43e286c8e051f308a7e1f85c2a5f68e623a55d86b39cab01d3abcc0e74a629ad
-
Size
464KB
-
MD5
c3d75e2fa447502714f41e5e5f59e41c
-
SHA1
c0841ce59d8dcf78b8b7f8fdfc613b3c9053a076
-
SHA256
43e286c8e051f308a7e1f85c2a5f68e623a55d86b39cab01d3abcc0e74a629ad
-
SHA512
341561a7f335cdfbd45404267189e79121be3f5fd2bac067cdd3c163e0e3046e80e88899dbd8b07be3771446516afdaf1155f45480141f1b6aa007910d0136a8
-
SSDEEP
12288:M+JPL6Cel4ObDPFXmhRDFEZ4lnwpKk+Jfsh:dJP6uObJWhxFEZ4lnwAk0sh
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request
-