General

  • Target

    a3e50d5b3cc5e74e83b2191ecb494837

  • Size

    281KB

  • Sample

    240225-qm6r1sce44

  • MD5

    a3e50d5b3cc5e74e83b2191ecb494837

  • SHA1

    3446305c2b43e52f530b9d57d6b4d69b22cf5d3c

  • SHA256

    bef88c89a30c33158276e730d59a769c6ec9ad45986787e09ca1529ef9971b31

  • SHA512

    ee914a5b45d70c9c76a30bb55439f50cbd61424f13222ac228b108d47137b51e00e471b470597a4cac9c2545c6b6d1fd6a025f88e8a62bb2a44bfeee2d9b82be

  • SSDEEP

    6144:GCxy5gFbvnLZXzKDLIQH3SYjILUGeQ/6n:aupLZXmnFH3ZjBGep

Malware Config

Extracted

Family

cobaltstrike

Botnet

1847300910

C2

http://auth.tech2wired.com:443/t/assets/refresh.png

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    auth.tech2wired.com,/t/assets/refresh.png

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    12800

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\gpupdate.exe

  • sc_process64

    %windir%\sysnative\gpupdate.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCQ4gyp3hx42GpS9MOp2aCfuKLMwKMrUe5io3QmC35zP7+t8Q43RDbFHddzSqnQenJWaGsKfthuHc6PJT0Q1zGx8wz1Qmf2ZmUsdynFivvgOT7NdNSl+EIjIQNekYegeiIJ/0aFvjXZxqyzzj/0E9MwuFGK+2U9XKeTDHrzULKVSQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.476399104e+09

  • unknown2

    AAAABAAAAAEAAAAoAAAAAgAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /api/v3/categories/update

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36

  • watermark

    1847300910

Targets

MITRE ATT&CK Matrix

Tasks