General
Target: 9812c1dc15b2902dbfa4eea8ba89482708840172e176f6047d4e6ec6c31e8b92
Size: 14KB
Sample: 240131-xb94maadc7
MD5: 94281310f9ddddf58ded344430e956c0
SHA1: beee8fe74b01cadbda59f29f6a0883bc916c3343
SHA256: 9812c1dc15b2902dbfa4eea8ba89482708840172e176f6047d4e6ec6c31e8b92
SHA512: a1b4a2b3575887679e287e5d285cbe8298305a7d798ec8727ff77c7e41829e0d336a34a90a8f5646da06fbdb1b31f369054a1032daa60b54d752ce648cf13fd3
SSDEEP: 192:a3mbPYCfMcrfOIuZmvKQxtzlSIVX6NOLMwaEejDMN1:RMCfrfQ6tBSIlaEeUN1

Static task: static1
Behavioral task: behavioral1
  Sample: 9812c1dc15b2902dbfa4eea8ba89482708840172e176f6047d4e6ec6c31e8b92.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 9812c1dc15b2902dbfa4eea8ba89482708840172e176f6047d4e6ec6c31e8b92.exe
  Resource: win10v2004-20231222-en

Malware Config
Extracted: metasploit
  windows/download_exec
  http://138.124.180.186:443/terminate/reklama/itldc
Extracted: cobaltstrike
  391144938
  http://138.124.180.186:443/Interpret/v4.83/Sharepoint.aspx
  access_type: 512
  beacon_type: 2048
  host: 138.124.180.186,/Interpret/v4.83/Sharepoint.aspx
  http_header1:
  http_header2: AAAACgAAACxBY2NlcHQ6IGltYWdlLyosIGFwcGxpY2F0aW9uL2pzb24sIHRleHQvaHRtbAAAAAoAAAATQWNjZXB0LUxhbmd1YWdlOiBldAAAAAoAAAAdQWNjZXB0LUVuY29kaW5nOiBiciwgaWRlbnRpdHkAAAAHAAAAAAAAAA8AAAALAAAABQAAAAlfU1NLWU9ZUE4AAAAHAAAAAQAAAA8AAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
  http_method1: GET
  http_method2: POST
  jitter: 11776
  polling_time: 1000
  port_number: 443
  sc_process32: %windir%\syswow64\wbem\wmiprvse.exe -Embedding
  sc_process64: %windir%\sysnative\wbem\wmiprvse.exe -Embedding
  state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0S9jbqPi6YWhwyRjnFWTi/Bo+hYXso/0L7WIcoM2EhfKMJB4ofpdCZBbq4c5JQaRcWRlTnaxWtJ6FPi9BrONqXpmWzWERwPrSDz4oIz3G/ns2HoVfiz3+888PzcdkNJ+Q58AlCxQXaq/Q6McFV4hY+XqinwoYLsREeqqCZZyufQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  unknown1: 3.83336192e+08
  unknown2: AAAABAAAAAEAAAscAAAAAgAAEPIAAAAIAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  uri: /record/v1.51/Googleupdate
  user_agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
  watermark: 391144938

Targets
Target: 9812c1dc15b2902dbfa4eea8ba89482708840172e176f6047d4e6ec6c31e8b92
Size: 14KB
Score: 10/10
MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.