General
-
Target
983748c25d0701763e2d22718371bc136838148f1d0918778906da5d52617f26
-
Size
10.8MB
-
Sample
231220-pvpb9saehr
-
MD5
df52964662919c40540e44a733501be6
-
SHA1
6bc0b72a5ee619675701a89aeb06de5349c24adc
-
SHA256
983748c25d0701763e2d22718371bc136838148f1d0918778906da5d52617f26
-
SHA512
6a07311144702a70fbd65b20a0b485b86aaec8bc9ce8d652c9dcb3690fcafbea56fb53938aa93ef31c5a9e51ac462444ba0fb03fca0cfe8652605c816d1d7c6c
-
SSDEEP
196608:u5myCz0SuUhRJ3w3E8cmpic8LMHP+ZBhZxVHcRfz8Bvs0fCWHyYqxyR3rTCGtMJp:u5mXIULJ3R8cmFM5ZBh1aIBrXHyYqxyC
Malware Config
Extracted
metasploit
windows/download_exec
http://47.94.43.210:8080/kRJU
- headers User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
Extracted
cobaltstrike
http://img.uioqwea.xyz:8443/messages/DALBNSFFT4Q
-
user_agent
Accept: text/html,application/*,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: img.uioqwea.xyz Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)
Extracted
cobaltstrike
100000
http://img.uioqwea.xyz:8443/messages/xV5GdE
-
access_type
512
-
beacon_type
2048
-
host
img.uioqwea.xyz,/messages/xV5GdE
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
2560
-
polling_time
10000
-
port_number
8443
-
sc_process32
%windir%\syswow64\esentutl.exe
-
sc_process64
%windir%\sysnative\esentutl.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaQGOQzaqqQLDxqfNAdfZu7isKEAhtTHok92MhWQ6haLF6I92+W3zIHm5+FBWaPVxJ+LV5YaSDuXAwGrTKzYDu/MHzXYcuENLyL4dRuFbJBfJwRImaLDke8V2+zhN0vu0ZSNtDIE4xEKf/UzAj6i/Jdh0+Ha72abUlVMBRn37jLwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
3.092976896e+09
-
unknown2
AAAABAAAAAEAAATAAAAAAQAAAAwAAAACAAABlAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/messages/96OpFu
-
user_agent
Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)
-
watermark
100000
Extracted
cobaltstrike
0
-
watermark
0
Targets
-
-
Target
1/10月26日最新发布-财会人员薪资补贴所需材料.exe
-
Size
7.0MB
-
MD5
f6e04055431833bc4d1b6320a89c15ee
-
SHA1
567b7e0559f4d2f5510381f179300186902e7c7e
-
SHA256
02fd7b85fe499dfef76647a2e994ed7d653ab578a5b30a5bb62f4b760b7361d7
-
SHA512
2006f54fd500a1c80024aec4e039302d04301293f09c076d153f6560608cc3f7c7f3efef0396ef31c4d0e268fbf2023a7460b02e8ec7c7b4edc7355c5e04e492
-
SSDEEP
98304:Q9IaSBLM5fWaSBTM5YM3Tr+zorfuwFMdexTo0Je:+SgS8DrpuEMdexVJe
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
1/2023年10月新发-财会人员薪资补贴调整新政策所需材料.exe
-
Size
161KB
-
MD5
825e2130602a24baa154aed0690d162e
-
SHA1
d6f854c6d7367b09e164426defdf917f7f7bfd87
-
SHA256
0e3924cc51ffcc4647a52f1133ec1d9be6ed29122266cc1b2ff18e396e1e001b
-
SHA512
1eea713f9f32612a02ea66c119d0726d52399c992f1f43259fdb3941354d0df1fc0cd7c5f772ad33e71e9b4b3f4ca934a4cb42d89fbb8120d5949bfac66d721b
-
SSDEEP
3072:4qeqAYEUXPn07862jhhEoEivMcGaZd6JylxKppiRe6PHd+K:lEUX87mEoEkMcGaZMJyD8piA6F+K
Score1/10 -
-
-
Target
1/AggregatorHost.exe
-
Size
353KB
-
MD5
0e76274b5ea373ca9744d3070b981eae
-
SHA1
6e306a9a65f286418bd69905963acd5d70b68e94
-
SHA256
032ec772a00bc1de43fed9d289c38853c56a1ea8dfd2a037b8c482e92a5cb14b
-
SHA512
fafbbf3c1f66bd9dc62ed24dbcbf139000a98baaa0cef56fbcad4346cf5859e236c6fb6968f433772daa92dce7d9d3e41c1b3167a00b4652ec57e6e95c2e7739
-
SSDEEP
6144:hM7Mhq/8SBfUnY8sX6D1Ja+9K7O8NvQm8VmbsgxgsO21y6qciya4hrNyT6uf:hsSJyO8e7CPxghvZU1hrq
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
1/PO20230225-13360.exe
-
Size
1.7MB
-
MD5
1de394a0a6affdde99950a9e1ad68850
-
SHA1
4ee5da777bd322a52bc866cc825e92717e6d9719
-
SHA256
56ebfae5fdf1e38b652f712f7e4672826e7c805b70ab6f21c02418461d99fabf
-
SHA512
aa385c57afa4ec2afe778cae203a7488a271aec965aa9338639b8a5298931c6319f5eee3c3304e31bb8fea23797f61d416dd7ca74b5d67db5c2633702b74611b
-
SSDEEP
24576:a9Q+/0oYyxPxPO9fju1khU+A3zj9hQhNsc7hf:WQmQTszj9hQhNs8
Score1/10 -
-
-
Target
1/TIanagents.exe
-
Size
1.4MB
-
MD5
26dce2724601f85b133a824939870d23
-
SHA1
aed465acff008745242ae26b7a59f3d703abdf32
-
SHA256
7809551d96107aa1176aa003830a30f442c3df654a311054f6bd198873748538
-
SHA512
4758bf4b756ab72ddd3dc73c557b7dea64d43c35fb7de64c17ca221267c0ea63a272c44f51a20bf87c4a493f917c3416288cdc1ab26371ae99069c4a5e08dd86
-
SSDEEP
24576:k91X8OgVEmr20iaFCJZ/SCaaf6oV09aTWJaVsEiXb:e1rgK220H0Jtaaf60QaTsNL
Score1/10 -
-
-
Target
1/c.exe
-
Size
479KB
-
MD5
40269ec54ce4652fd82336a1e0920b8a
-
SHA1
b47ab90f264f73c5b2b44588f11d6a459764c629
-
SHA256
887a5500799685d517647285b2da937f611b364ebd0db9ea6b32010272487011
-
SHA512
a7156a2f2e2d572075c15945756f9490023a5e603297421e0c8606720848eef76cf4e6b863ee36e39b72d2c425ecf5e48a6bf37d5a87617e5ffe6303886425ea
-
SSDEEP
12288:E2KOYjMs4+GgTJKpiFtzfeiQ5Ki5oh1cJeOb:R8Qs4+GgTsEfeoh1c0U
Score10/10-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
1/loader.exe
-
Size
1.0MB
-
MD5
4352f5a287cfad25081cfd97efd44bfa
-
SHA1
356cea8615901d3139725bd10135abadf4d55096
-
SHA256
7d32586ca0e7a39825f51f913c9a5535aa595d4b020e2c184a7d08af0b583c67
-
SHA512
e1ce791f703d4845c1fdf4612ed05ea2f8e7a74beb0c4197b43545b8347ff6931fa82f9cc0d6ecd054845a8de473c6caedf4edfdc4ea2847f62ec39e7ce90dfc
-
SSDEEP
24576:aDBf+dAD0+x04QXl1pSmWKRlrRL5OM3ikggwlZkkBtqsUiRmc:te0tl6mWKRl1NJHgDk4trpRmc
Score1/10 -
-
-
Target
1/【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe
-
Size
1.2MB
-
MD5
ceffa8c757a03596a372f84e733edd16
-
SHA1
be9898e4cae87a46ca6a9148d36d6bdcf62bb0bc
-
SHA256
99ee17d3cb68ae7ab2641974c43bf9e78e0dc4ab2bec159fd730abe8386098fd
-
SHA512
67d56d82ddd0783288ed32c21da5c5f248f3341d6b779c31b930e2a0a54e4849e537ab24e6a00d557fabb3f38288adbfb6e7e7a37885ab21082d7c29fc71e569
-
SSDEEP
24576:9iIWFSjg4fvUNP4MNaMmMCsmsqMmMCsA7eXcJB5R1gsVtub8R7IevpU4jKXhdk:qEo3I9PRUFs
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
1/【企业认证资料】企业认证资料包含营业执照原件,身份证等信息等,已加水印处理勿外传-2023-10.exe
-
Size
743KB
-
MD5
26d5adf6f802d2007c08bcf9a5367df6
-
SHA1
3e52eccf2cfe755917e6a7704163a392fd39a6a1
-
SHA256
902f1ec8ba6943533254c6712d7a17e399fdfca626a967d36d88ddd29de114ba
-
SHA512
3e3dc51aa14eb01e3b55f3780948d86a6a05e42607167f7a935a613989ac6fd3a6a8f12a5464d50ef0f668617b80b5a1ff412ebca503c55782aa933fd6d3a46b
-
SSDEEP
12288:APwXkJOOYXAE/Zqf2ILw9j5tGoy8FNALGORpC:AI0JOOK3/Zq+I095cmAfC
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
1/【财务部】关于工资调整通知 .exe
-
Size
1.4MB
-
MD5
a6d9c8a9b440e3479dd3590d9bcde94f
-
SHA1
7a114ee63b4ce4bff0960cdd880155cb46579bde
-
SHA256
781a0adab936e9735b324e86cdfac0998c2411ee6e9830841c203510d487a850
-
SHA512
bcecb32072c263411be1e0852d92b5d9b43da11a849d980f19763a62d5e8e80e661131c99b4e607c56c7910a5a7e4de3deba31ed0044f47dac123aa9e2ff3f7f
-
SSDEEP
24576:OxY2ohZF25g1IrDSwYVYLncnEDBm8I/owIyPeNcI4rFq:OxY2225onnVLnEIp/UN
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
1/内容.exe
-
Size
167KB
-
MD5
b30d517585fefa8cd92a0af9d3193b87
-
SHA1
716cc624c33e168adfecab2a0d26f1af2526fdd2
-
SHA256
22ab670f9dcaf146d719e864fc3e01b0f5bd4d587834366c8b5dcd78f677f310
-
SHA512
fd8c0f629cdaf963d0d592edc591efdae75e922664cca552d4b1ab08d416f52aa534fbb5e4ca0f5d8a22f40d68933e92201296942e41bb57da39b778bb55e394
-
SSDEEP
3072:lQUcrL6KmL783vtpkBAoH66Gop/q/rQms3cp6L8EcSufWr7+tvZZsXILNeujvcu2:lQfSKm/6kBoRop/q/rQm6k6QEcSzr6tk
Score3/10 -
-
-
Target
1/外挂 王者 吃鸡 绝地辅助链接可测试_xf.exe
-
Size
4.9MB
-
MD5
5ca553a43e386baaba10a91445e7d4f3
-
SHA1
dedd0790bc04077148b8c5e241bf24526d78b2a6
-
SHA256
bf0ef973124823b86fb940facb5609dff342df7b66e0bc5e8645d48c5396a6da
-
SHA512
e8527bfc324cfa9b05466d6e96481c459382c969e814747f9084a375ef57aaf8b9766a4cd3fbee4cea2a4aea891cf5c3c3baa2d8a0ba4b2ab3ee6211f60fd4b1
-
SSDEEP
98304:rxnjv9gKioB+Egpy0+0O52GVOgswHdm6YFBifmjQ3XzHb:r5vzij3/Bifm2Xz7
Score3/10 -