General
-
Target
915c92ad28da3ac39fa4a01af7678bb38c95893c8c95bf952f9da1c8e7e0bbf2
-
Size
5.6MB
-
Sample
231222-ecq32abfdm
-
MD5
0c04b0dc682f15ca4381b8a3fb769a09
-
SHA1
6021653d7ea85209251beb5f7774fd1fc0d1e148
-
SHA256
915c92ad28da3ac39fa4a01af7678bb38c95893c8c95bf952f9da1c8e7e0bbf2
-
SHA512
718417fcf678ce9571cdccf293e2c1a3beca8220aac366d75d9c507d8a81b3bf7424bfb82237fc3186e6b47e2dcc898b16a8a65ab386ebd9e0d4974c3c4bf023
-
SSDEEP
98304:/UqqSbRfK+pgRp1olWrCNT7xSZMWKvFRZ40z/zQs2JyMLWJ2greygRzL6:/bnb5Ns42CN/xkfKRyW7QLW98p6
Malware Config
Extracted
cobaltstrike
391144938
http://service-azqy7lup-1303896379.sh.tencentapigw.com:443/api/x
-
access_type
512
-
beacon_type
2048
-
host
service-azqy7lup-1303896379.sh.tencentapigw.com,/api/x
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCc2heXUBrRHG7d32CNZ4unoIajbLUVu1bZqvywGWGDilmp7GWLaHToZCmP+DXpmEjdtXWjgvldKfqhp2CWBfHeQEqtpc/aMtPBTFWQVviD2W5Gv1s4UuXoTiaHrFG5zdt16LRLkHbANUznMedqelWO5BTxuUPCpokB7rX+tuRc8QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.481970944e+09
-
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/api/y
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0
-
watermark
391144938
Targets
-
-
Target
915c92ad28da3ac39fa4a01af7678bb38c95893c8c95bf952f9da1c8e7e0bbf2
-
Size
5.6MB
-
MD5
0c04b0dc682f15ca4381b8a3fb769a09
-
SHA1
6021653d7ea85209251beb5f7774fd1fc0d1e148
-
SHA256
915c92ad28da3ac39fa4a01af7678bb38c95893c8c95bf952f9da1c8e7e0bbf2
-
SHA512
718417fcf678ce9571cdccf293e2c1a3beca8220aac366d75d9c507d8a81b3bf7424bfb82237fc3186e6b47e2dcc898b16a8a65ab386ebd9e0d4974c3c4bf023
-
SSDEEP
98304:/UqqSbRfK+pgRp1olWrCNT7xSZMWKvFRZ40z/zQs2JyMLWJ2greygRzL6:/bnb5Ns42CN/xkfKRyW7QLW98p6
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-