General
-
Target
85ab4629aaab569abeb6aa8b097e91a3764712b99460cab1d2e3d380428c7bb7
-
Size
496KB
-
Sample
231226-gdw2sadab9
-
MD5
49bc9eeccd761662e2c926fb902eb846
-
SHA1
a42b29540607f52febe0f638f1a571c60dedf657
-
SHA256
85ab4629aaab569abeb6aa8b097e91a3764712b99460cab1d2e3d380428c7bb7
-
SHA512
ce2d40724eccd0d5e4e19982074b5a3287fc719ddac5bde08be58d37a3a767b4f9402f143b035faa1053b143b2520055a3d5407194428fe06feeb8927d874f91
-
SSDEEP
12288:GRC5fZPirCcdy3N8YS2bXXDp4Ve+18ErR89PcjKrvv23Hvwq:GRkZPi5rGnGVgEFKM8v23HYq
Static task
static1
Behavioral task
behavioral1
Sample
etc/libepsbase.dll
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
etc/libepsbase.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
etc/wpsserver.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
etc/wpsserver.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral5
Sample
点击运行.lnk
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
点击运行.lnk
Resource
win10v2004-20231215-en
Malware Config
Extracted
cobaltstrike
100000
http://222.186.131.95:39443/api/auth/v1/log
-
access_type
512
-
beacon_type
2048
-
host
222.186.131.95,/api/auth/v1/log
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
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
-
http_method1
GET
-
http_method2
POST
-
jitter
9984
-
polling_time
18016
-
port_number
39443
-
sc_process32
%windir%\syswow64\runonce.exe
-
sc_process64
%windir%\sysnative\runonce.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCk8TDQPDxrtDGQd+EZF7en9yNcmEcpX9f9OG5xoAdUEd50W7ip+X1tDdewzxxRp3HdfrK0OxB9cI7NBCKXHDdV+bT6cvTx7EJ0LylxrbclEAMSV6IiSGP9x8bq5ydLNO+IuyT/APMdnUhZYRB9OQ7iwt09O+atIh1E+R/cPkSwTwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.481970944e+09
-
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/api/baidu/auth
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
-
watermark
100000
Targets
-
-
Target
etc/libepsbase.dll
-
Size
896KB
-
MD5
c51743451f08a38b58d0e887432cf6d5
-
SHA1
36f5e1d5bd2ccf472293aa30bf48d579d58874c2
-
SHA256
fb87c0c70e1bd14856c9a86fba84d7fb189847e3d8ed1decf890334f5890c642
-
SHA512
88984f3b071844b8313f6da7f7d1f55dcc31be6f708517ceaa8d702e72e5fa07db7eabe0cfeeaef18c1f8899663fc386ed6c44dd6c6c2282955db2c338a9c51a
-
SSDEEP
24576:NMDig+apK/pYAHaOM06oNbIcKqXAzq4Yz4r3T91E5HcWg9VXZCea4cHGi8JgjW1T:qDig+FO+Cm
Score 1/10 -
-
-
Target
etc/wpsserver.exe
-
Size
123KB
-
MD5
fc0a93686ae6248347f1cd62a12a8d19
-
SHA1
228ddd918d0456e96785a93c9bb02d0fd9d66b6b
-
SHA256
a08e0068d9244c9ef48b74c685b984bf01d889d9b2b18fa74e6dd6344a0a9f22
-
SHA512
b9cdf8e66c958aea76a3111754c1db4661ed8762be6ee350e4b3d4dbb73bc12ccff2b096cdafb858ec6d30ed89d1b431554cae7b1c22349f19af43fd7c3d029e
-
SSDEEP
3072:2k0S7BfBeU1TM1fHiyqCyrLZt4meRqvZ7gimRYJyDvu:2g7BfBe4G/iyPyHZt4TRYA
Score 10/10 -
-
-
Target
点击运行.lnk
-
Size
878B
-
MD5
c9f75aaeebc02aa5c121b47bc32e93dd
-
SHA1
f5bf81c81fa853a49cee6eb1fed56e2b4afe31e0
-
SHA256
35c8ea732d7c05699f8a7f34d7bb296b597dffd9fcc436fb69bdd022896584c8
-
SHA512
e0feb68584a020b073e300333ea1faa01167db6375ab1b454905f9a0c9516db25467b980a90c479fd913a5a9e908baaef342f8fb442e5085df482ce08b77ad55
Score 10/10 -
Checks computer location settings
Looks up the country code configured in the registry, likely used as a geofence.
-