General
-
Target
74057f4fcab0de99d81f524dda36fa3f6246c0e51b018ad6ec65a29d6f6a2b98
-
Size
1.2MB
-
Sample
231219-s9554sbbf8
-
MD5
9564316adb5618c5acc56728cc7b836f
-
SHA1
912d72b7259bac351457356690dc2d904e776758
-
SHA256
74057f4fcab0de99d81f524dda36fa3f6246c0e51b018ad6ec65a29d6f6a2b98
-
SHA512
90bd6957eb7060f7955896988a62f38a16f24d9e5d287482d205f3bf5332b22ef46d1b5ef23b171e76ca9812d15e29e5d23036457120f992834b6d9d15b07b19
-
SSDEEP
24576:BotzOo2Cc1cjWrxCvvjwFx18ZYz8YNWP+WOMpk:BRzza8NWP+WOMp
Malware Config
Extracted
metasploit
windows/download_exec
http://207.148.107.170:8805/q7ZZ
- headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
Extracted
cobaltstrike
1359593325
http://207.148.107.170:8805/_/scs/mail-static/_/js/
-
access_type
512
-
host
207.148.107.170,/_/scs/mail-static/_/js/
-
http_header1
AAAABwAAAAAAAAADAAAAAgAAAAVPU0lEPQAAAAYAAAAGQ29va2llAAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAACgAAAAZETlQ6IDEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACQAAAA11aT1kMzI0NGM0NzA3AAAACQAAAAtob3A9NjkyODYzMgAAAAkAAAAHc3RhcnQ9MAAAAAoAAAA9Q29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQ7Y2hhcnNldD11dGYtOAAAAAcAAAAAAAAAAwAAAAIAAAAFT1NJRD0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
3840
-
polling_time
60000
-
port_number
8805
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCEl918h7Pb7CFGdKfq+HJvbbpmUaokEvVEsNLepGMKAetL9+G8VVKmqQSItUjrBT+QOcTUcGQ8BcTqDPTBIcEA0WiIiICSZf1Ia0xQXYqyDKghmmcnxtVaIe5ztx4WLN9JRvCUr7kl6GMmIgI/axHUHUz5IvcZbRTKmUytTChpMQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
5.37071616e+08
-
unknown2
AAAABAAAAAEAAAF3AAAAAQAAAPoAAAACAAAABAAAAAIAAAAcAAAAAgAAACQAAAACAAAAEgAAAAIAAAAEAAAAAgAAABwAAAACAAAAJAAAAAIAAAARAAAAAgAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/mail/u/0/
-
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
-
watermark
1359593325
Targets
-
-
Target
74057f4fcab0de99d81f524dda36fa3f6246c0e51b018ad6ec65a29d6f6a2b98
-
Size
1.2MB
-
MD5
9564316adb5618c5acc56728cc7b836f
-
SHA1
912d72b7259bac351457356690dc2d904e776758
-
SHA256
74057f4fcab0de99d81f524dda36fa3f6246c0e51b018ad6ec65a29d6f6a2b98
-
SHA512
90bd6957eb7060f7955896988a62f38a16f24d9e5d287482d205f3bf5332b22ef46d1b5ef23b171e76ca9812d15e29e5d23036457120f992834b6d9d15b07b19
-
SSDEEP
24576:BotzOo2Cc1cjWrxCvvjwFx18ZYz8YNWP+WOMpk:BRzza8NWP+WOMp
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-