General

  • Target

    b3b77f3cea0160f59bea3f6ab2e767fc

  • Size

    221KB

  • Sample

    240305-egntgaee89

  • MD5

    b3b77f3cea0160f59bea3f6ab2e767fc

  • SHA1

    1b21ab867f0bd001fc220a4b254fa42810668568

  • SHA256

    11aa5220689c193f7c78f935861f3ce55b842f4bd3c85344a76ceecfbe6a9ede

  • SHA512

    2dd37b2d22c211646e55cf445b082a8139623d342e23354685abe23dc33dba0819a005f05aea9e50ac77492d3b916ad81e2c774fb5825288cdbbde5468db7db9

  • SSDEEP

    6144:QmwgmHv+U6cJ3ytIhx4CZ2tigmMLw30yTjl:K22iMxvZ2tivMLyFl

Malware Config

Extracted

Family

cobaltstrike

Botnet

1394017385

C2

http://164.90.137.196:8080/about

Attributes
  • access_type

    512

  • host

    164.90.137.196,/about

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAABAAAAAUSG9zdDogd3d3LmFkaWVudC5jb20AAAAHAAAAAAAAAAMAAAACAAAABF9nYT0AAAABAAAALk9wdGFub25BbGVydEJveENsb3NlZD0yMDIxLTA4LTEwVDE0OjA4OjExLjk0MFoAAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAQAAAAFEhvc3Q6IHd3dy5hZGllbnQuY29tAAAACQAAAB1fZ2E9R0ExLjIuOTE0MDExNDUuMTYyODYwNDQ4OQAAAAkAAAArQVNQLk5FVF9TZXNzaW9uSWQ9cW41emswd2EzYWt5b2FvMGsxcWdkbXJqOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz04NTI4AAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    8960

  • polling_time

    27400

  • port_number

    8080

  • sc_process32

    %windir%\syswow64\svchost.exe -k netsvcs

  • sc_process64

    %windir%\sysnative\svchost.exe -k netsvcs

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCSYDMbXDQmtppL8XJ6dpUPYzn8d62LrqNgrmn4Qn6hpf05jhx0K1ecVb5lgAYMqKwwGfsy8QClphqyN7XVAwfAN96cZwRTOlIcH1b9qsvifhcRu0C02a6NwTMvt0Fdl9Arx1+wbQXAVG81bj9gZRnMrOrSKdEePqlC7RfVZypxaQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /careers

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko

  • watermark

    1394017385

Targets

    • Target

      b3b77f3cea0160f59bea3f6ab2e767fc

    • Size

      221KB

    • MD5

      b3b77f3cea0160f59bea3f6ab2e767fc

    • SHA1

      1b21ab867f0bd001fc220a4b254fa42810668568

    • SHA256

      11aa5220689c193f7c78f935861f3ce55b842f4bd3c85344a76ceecfbe6a9ede

    • SHA512

      2dd37b2d22c211646e55cf445b082a8139623d342e23354685abe23dc33dba0819a005f05aea9e50ac77492d3b916ad81e2c774fb5825288cdbbde5468db7db9

    • SSDEEP

      6144:QmwgmHv+U6cJ3ytIhx4CZ2tigmMLw30yTjl:K22iMxvZ2tivMLyFl

MITRE ATT&CK Matrix

Tasks