General
-
Target
9cf34fe70b1b17f1c789e56bdf2686bb6866554eab5d6edf22796482f71737fb
-
Size
478KB
-
Sample
231214-deyefscea8
-
MD5
457f8cc036b7c4ba4d57a6ec225df4b9
-
SHA1
d3e3994be2b07e7394fbe346011dec57823f2ffe
-
SHA256
9cf34fe70b1b17f1c789e56bdf2686bb6866554eab5d6edf22796482f71737fb
-
SHA512
5cf1c7c279867c7101d640704147c18c301d75a10c404391ef45dfc26254a49b36f6a813a13382e48d2cab87c20908c04693cd10e855c882d98690e0ea6b6704
-
SSDEEP
6144:rv2umH9QvZtTzXXiVk4Y8B8xJw5O7CagCS+mKnkW2ZKVuAHyxiZq2jFgFr:rv2hKvTEk4MK5kCtlWkNYcYH8r
Malware Config
Extracted
cobaltstrike
1359593325
http://34.32.0.249:443/admin
-
access_type
512
-
beacon_type
2048
-
host
34.32.0.249,/admin
-
http_header1
AAAAEAAAABJIb3N0OiB3aGF0ZXZlci5jb20AAAAKAAAAC0FjY2VwdDogKi8qAAAACgAAABZBY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAADQAAAAEAAAAELnBocAAAAAUAAAAEZmlsZQAAAAkAAAALdGVzdDE9dGVzdDIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAABJIb3N0OiB3aGF0ZXZlci5jb20AAAAKAAAAC0FjY2VwdDogKi8qAAAACgAAABNBY2NlcHQtTGFuZ3VhZ2U6IGVuAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAABAAAADQAAAAUAAAAJdGVzdFBhcmFtAAAABwAAAAAAAAANAAAABQAAAAJpZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
GET
-
jitter
8448
-
polling_time
37500
-
port_number
443
-
sc_process32
%windir%\syswow64\gpupdate.exe
-
sc_process64
%windir%\sysnative\gpupdate.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCMwuocfWgnoTHTJZP5GNeltlFx7fOaWdt9i8Ko3AlY0eHdNx02E6vHNrAxBVbDvBAlW8IuzUrsiRlzq3UmAqdtrsskXremk8j3AB73Xch2j2zp9uM+KiE2+ZMH//aApC6Mxp8lME9nRTolGOwveUBCESsFNyqtr1sp/0xw2rNb8QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
9.06174464e+08
-
unknown2
AAAABAAAAAEAAAAIAAAAAQAAAAgAAAABAAAACgAAAAEAAAAGAAAAAQAAAAsAAAABAAAAIQAAAAEAAABFAAAAAQAAADcAAAABAAAAQwAAAAEAAAAbAAAAAQAAAA8AAAABAAAAGQAAAAEAAAAgAAAAAQAAAEgAAAACAAAAEAAAAAIAAAARAAAAAgAAAAsAAAACAAAAHwAAAAIAAABQAAAAAgAAADwAAAACAAAANgAAAAIAAABFAAAAAgAAACYAAAACAAAACAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown3
1.610612736e+09
-
uri
/Config
-
user_agent
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
-
watermark
1359593325
Extracted
cobaltstrike
0
-
watermark
0
Targets
-
-
Target
9cf34fe70b1b17f1c789e56bdf2686bb6866554eab5d6edf22796482f71737fb
-
Size
478KB
-
MD5
457f8cc036b7c4ba4d57a6ec225df4b9
-
SHA1
d3e3994be2b07e7394fbe346011dec57823f2ffe
-
SHA256
9cf34fe70b1b17f1c789e56bdf2686bb6866554eab5d6edf22796482f71737fb
-
SHA512
5cf1c7c279867c7101d640704147c18c301d75a10c404391ef45dfc26254a49b36f6a813a13382e48d2cab87c20908c04693cd10e855c882d98690e0ea6b6704
-
SSDEEP
6144:rv2umH9QvZtTzXXiVk4Y8B8xJw5O7CagCS+mKnkW2ZKVuAHyxiZq2jFgFr:rv2hKvTEk4MK5kCtlWkNYcYH8r
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request
-