General

  • Target

    24e397175ec598fd81575782c867843c0d21deace885f40ba244892382020dd6

  • Size

    1.8MB

  • Sample

    240307-e6s5gsec57

  • MD5

    c9d94ca8429b2bb3424daa156bcc6395

  • SHA1

    ddd762c19ef7d0a2da92303ac0e7b81d9921c8df

  • SHA256

    24e397175ec598fd81575782c867843c0d21deace885f40ba244892382020dd6

  • SHA512

    b176ae40b1e7964cbe43df6fcb55c931f4c8d812c0897fa7c3f81a02c2c6c0fd963a31454e4ae39d351c4c8006c4449f4a41bb46ff963242a45f31281e02854d

  • SSDEEP

    24576:ywLWT6X2wZR4p3P6tk2pTQnB4MHOteaMlstoy+NZ7frf8CsLo/nSaKl+y/:yLTRwu316ABjHOsSC8DSnSaKl+y/

Malware Config

Extracted

  • Family

    cobaltstrike

  • Botnet

    987654321

  • C2

    http://121.36.52.164:6767/cx

Attributes
  • access_type

    512

  • host

    121.36.52.164,/cx

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    6767

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFhlZtWYjWh9RR4WlkSmU5oyoVIBTJDBFrT4VGcf5mwrxzEFJkMYD3cSCmIaESW8cRgqQZzabW3ZM3iL6yi9AANQgWwaQWIxJNs6XOZ82phvr9xjxLwhITosvjAAv3H+zmOvYdOpmG27o1tuPOLGM1BROnJkq77U9msSvjDeJNmQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MANM; MANM)

  • watermark

    987654321
