General
-
Target
vshost.exe
-
Size
11.4MB
-
Sample
240227-qlwknahg72
-
MD5
c91c9b712167eb44f41373b36a05a044
-
SHA1
4526ecddd389b61c50a23b67658a92dee61e0660
-
SHA256
3c4957109419660e8740b767f7f894105ee953d4a7a12e438a604da6242b0b41
-
SHA512
c04c6c55af35b98c4690f013dc9bce6cf2845d08ec092c46ee835120d4b5e0de5d580c8cebb0b4cf6b00c9ddccd385f965347dc6db95845c6cd72351f622e771
-
SSDEEP
196608:Jua9H1n4YZUIeeMVJsv6tWKFdu9CY+7f:xyzVJsv6tWKFdu9Cx
Static task
static1
Behavioral task
behavioral1
Sample
vshost.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
vshost.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
metasploit
windows/download_exec
http://149.28.23.91:1980/aksdbhakjhsgda
- headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
Extracted
cobaltstrike
100000
http://149.28.23.91:1980/load
-
access_type
512
-
host
149.28.23.91,/load
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
5120
-
polling_time
3000
-
port_number
1980
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGZN0wJI1h33muLvGSEEeng2vcvA4BsuB7RCtIMOOAvj7VQWiAo78ME8P/uioq+iUHsJ/gwNMrCbHU1UFr56CVVy5zO+apzUirwRasDnDLQew77uOPjcVRrEizR+cx/LsgAMng3mrI1PgRQ6vD9IPnhJ9kS0wFwAuYOE0CjyT9MQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; InfoPath.2)
-
watermark
100000
Targets
-
-
Target
vshost.exe
-
Size
11.4MB
-
MD5
c91c9b712167eb44f41373b36a05a044
-
SHA1
4526ecddd389b61c50a23b67658a92dee61e0660
-
SHA256
3c4957109419660e8740b767f7f894105ee953d4a7a12e438a604da6242b0b41
-
SHA512
c04c6c55af35b98c4690f013dc9bce6cf2845d08ec092c46ee835120d4b5e0de5d580c8cebb0b4cf6b00c9ddccd385f965347dc6db95845c6cd72351f622e771
-
SSDEEP
196608:Jua9H1n4YZUIeeMVJsv6tWKFdu9CY+7f:xyzVJsv6tWKFdu9Cx
Score10/10-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-