General
-
Target
8b6eb18e2b8b50f03163586f83de6fcd
-
Size
361KB
-
Sample
231219-yqh45ahadk
-
MD5
8b6eb18e2b8b50f03163586f83de6fcd
-
SHA1
321dec1452e1ae0ecbf02028bde785338b07f800
-
SHA256
1ee4dbd1da27ff32a0d6870255edf998872b088dee6ea8ae074f5fb1def53cca
-
SHA512
4a11a66c1418a40be84f74bf9b990254a49cfef9d1c3214633debdfc25ed207fb73640326caed7eb0772a1ff86ee3890f254c0b65fc9c9bd8c25cb8666c7c563
-
SSDEEP
6144:7afAqT1sVdWF0hDHkRqvRNvlMD7N7lGK3D6eN5InGIeUHrOw:73PWFuA++DhlGK3D625T
Malware Config
Extracted
cobaltstrike
426352781
http://3.12.32.111:80/safebrowsing/fp/ocJ82CqxbIWhMkWzS376aJssMy5G0Frfdd
-
access_type
512
-
beacon_type
2048
-
host
3.12.32.111,/safebrowsing/fp/ocJ82CqxbIWhMkWzS376aJssMy5G0Frfdd
-
http_header1
AAAAEAAAABFIb3N0OiAzLjEyLjMyLjE2OQAAAAoAAABHQWNjZXB0OiB0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9uL3htbDtxPTAuOSwqLyo7cT0wLjgAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUAAAAHAAAAAAAAAA0AAAACAAAAB1JFRj1JRD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAABFIb3N0OiAzLjEyLjMyLjE2OQAAAAoAAABHQWNjZXB0OiB0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9uL3htbDtxPTAuOSwqLyo7cT0wLjgAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUAAAAHAAAAAAAAAA0AAAACAAAAC1U9MTkzdTgxMTQxAAAAAgAAAAdSRUY9SUQ9AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
6656
-
polling_time
30000
-
port_number
80
-
sc_process32
%windir%\syswow64\svchost.exe
-
sc_process64
%windir%\sysnative\svchost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmf/tt3qlYme1elo83LWwqc8WftVw4/ZTJakdAdhID5tOP7jpV1Q98LhhXGKNnrBH3vpnYJEmmGM0OsexjtfQJDmjxa1NYRwQfRwPFbkkdRraAC2HwmlouB98H1Wroixp955neMjGA3xelB6CNhSi4HwrXs4+piHZ9xWOQgIOhgwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/safebrowsing/fp/lSkLaNbGAUm955fHYGvQpnRry7kPjY6yaPUx5mKwOEJr3
-
user_agent
Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4242.0 Safari/537.36
-
watermark
426352781
Targets
-
-
Target
8b6eb18e2b8b50f03163586f83de6fcd
-
Size
361KB
-
MD5
8b6eb18e2b8b50f03163586f83de6fcd
-
SHA1
321dec1452e1ae0ecbf02028bde785338b07f800
-
SHA256
1ee4dbd1da27ff32a0d6870255edf998872b088dee6ea8ae074f5fb1def53cca
-
SHA512
4a11a66c1418a40be84f74bf9b990254a49cfef9d1c3214633debdfc25ed207fb73640326caed7eb0772a1ff86ee3890f254c0b65fc9c9bd8c25cb8666c7c563
-
SSDEEP
6144:7afAqT1sVdWF0hDHkRqvRNvlMD7N7lGK3D6eN5InGIeUHrOw:73PWFuA++DhlGK3D625T
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-