General
-
Target
335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432
-
Size
4.4MB
-
Sample
231220-mjvnssacbl
-
MD5
32d056a2aa49444e85234ed0fab81cdb
-
SHA1
c9e154ce4f6d12980d1aa4d7ba7e3b447bfa6626
-
SHA256
335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432
-
SHA512
69e24b858b88abeb2ad800ef916d198c7bb9d2ae2cbb398851ae2ae2316923a93e7f50ca7a73dcefba5da932c8c98b9780876b7e5bd0862c6058204d1bd8cc84
-
SSDEEP
98304:lR+MuHOJeihJ7GNUOiGyUu+mkZjkqaJlb2WPspkFO+/W83:lmHm7oFfTu+DZgtOWUpGt
Malware Config
Extracted
cobaltstrike
100000
http://121.36.230.220:1433/mp/getapp/msgext
-
access_type
512
-
host
121.36.230.220,/mp/getapp/msgext
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiB6aC1DTix6aDtxPTAuOQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAACgAAACFSZWZlcmVyOiBodHRwOi8vbXAud2VpeGluLnFxLmNvbS8AAAAHAAAAAAAAAAMAAAACAAAABU1ZTXp6AAAABgAAAAxYLVdlY2hhdC1VaW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAI9BY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9hcG5nLCovKjtxPTAuOCxhcHBsaWNhdGlvbi9zaWduZWQtZXhjaGFuZ2U7dj1iMztxPTAuOQAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiB6aC1DTix6aDtxPTAuOQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAAAAAoAAAAhUmVmZXJlcjogaHR0cDovL21wLndlaXhpbi5xcS5jb20vAAAABwAAAAAAAAADAAAAAgAAAAVNWU16egAAAAYAAAAMWC1XZWNoYXQtVWluAAAABwAAAAEAAAADAAAAAgAAAAhNTWRhdGE9QQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
5000
-
port_number
1433
-
sc_process32
%windir%\syswow64\gpupdate.exe
-
sc_process64
%windir%\sysnative\gpupdate.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFuKYQt1zNXFqCdxN+bU8dNSNp4sOpNTjHqGGpTaKDTeq1XYdsr0D/D+jxTBDSbrZNRFlpYch0PII1QMy1ptYfAeX5tblsjgLIkuPE6gPNc6XzoXkJe3kPsP00ZUy18cWH+cmm8XMoEf5Vul5KRg/hXvsr5L5vKzVUi1py/JDGowIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.532302592e+09
-
unknown2
AAAABAAAAAIAAAADAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/mp/wapcommon/report
-
user_agent
WeChat/8.0.5.32 CFNetwork/1237 Darwin/20.4.0
-
watermark
100000
Targets
-
-
Target
335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432
-
Size
4.4MB
-
MD5
32d056a2aa49444e85234ed0fab81cdb
-
SHA1
c9e154ce4f6d12980d1aa4d7ba7e3b447bfa6626
-
SHA256
335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432
-
SHA512
69e24b858b88abeb2ad800ef916d198c7bb9d2ae2cbb398851ae2ae2316923a93e7f50ca7a73dcefba5da932c8c98b9780876b7e5bd0862c6058204d1bd8cc84
-
SSDEEP
98304:lR+MuHOJeihJ7GNUOiGyUu+mkZjkqaJlb2WPspkFO+/W83:lmHm7oFfTu+DZgtOWUpGt
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-