General
-
Target
49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458
-
Size
1.2MB
-
Sample
240305-byr1nsbc76
-
MD5
a6dab257336a869364d80c621fc6c9d2
-
SHA1
8229bc04f7057cd031d7ea8b307feb1b406a6bf2
-
SHA256
49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458
-
SHA512
98c3f8dfe6e25ba03779528676e0b5232f6b8081a69c5e4358e07bd46ab48aad18c430ae407aaea8ce69e760265976189cc2d94bc6ef349a4b8ab22838954f28
-
SSDEEP
24576:NGHCm8uPdJfEdancxoWGVNueMahu+LPO1u2KM1:UuWYaNNueMZ+Lm1u1M1
Static task
static1
Behavioral task
behavioral1
Sample
49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
cobaltstrike
305419896
http://162.209.159.49:80/jquery-3.3.1.min.js
-
access_type
512
-
dns_idle
1.908702538e+09
-
host
162.209.159.49,/jquery-3.3.1.min.js
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
maxdns
255
-
polling_time
1000
-
port_number
80
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCX/ASOjYPmnXg9vzuZw67JziFYz5GpIC8PBnfWPrKrQ4z7bqyIwPb8M4r14BFZEEJGFyg1LyNmR02vE/H3O0GedE50hLU+kKqAS6lPQtkf5grX/fhImjKZAO5rhJaQDIOMgT1I7BOtit1kjEsJBYqWiISLJHXdZmVEEzRA8AFG6QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.234810624e+09
-
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/jquery-3.3.2.min.js
-
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
-
watermark
305419896
Targets
-
-
Target
49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458
-
Size
1.2MB
-
MD5
a6dab257336a869364d80c621fc6c9d2
-
SHA1
8229bc04f7057cd031d7ea8b307feb1b406a6bf2
-
SHA256
49f7bff3e4286868bf362ae73614e311c9b3b2a4436dc0d41a714a1ada577458
-
SHA512
98c3f8dfe6e25ba03779528676e0b5232f6b8081a69c5e4358e07bd46ab48aad18c430ae407aaea8ce69e760265976189cc2d94bc6ef349a4b8ab22838954f28
-
SSDEEP
24576:NGHCm8uPdJfEdancxoWGVNueMahu+LPO1u2KM1:UuWYaNNueMZ+Lm1u1M1
Score10/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-