General
-
Target
ed649e6bd2bbf3a6e0788a459505a2231c92c736f1941c3b3f7c72f7b0ed5cb6
-
Size
467KB
-
Sample
240309-m2fmlaga3z
-
MD5
0ee07e2b56702ded814ae6ebb1d71bdb
-
SHA1
c6e981a5cc70a4c7b9e95e7012a548295af7b8c8
-
SHA256
ed649e6bd2bbf3a6e0788a459505a2231c92c736f1941c3b3f7c72f7b0ed5cb6
-
SHA512
7885eab3128e526373f71398371221ea89362d1f12153e3d9fe7572c7cfd0248c8ca7db4fa611e05e21713cf7c1fa99d94f23565c018de90024d4af550ab907c
-
SSDEEP
6144:bXGow0x5mx+cIAm8z+0SyHuua0smOzOTO1dLG8t5qH+Ezc9kxS:bXbWx+7GzxSyHRTO1dLwg9
Malware Config
Extracted
cobaltstrike
1
http://service-84pns6bl-1313036808.sh.apigw.tencentcs.com:443/passApi/html/_blank.html
-
access_type
512
-
beacon_type
2048
-
host
service-84pns6bl-1313036808.sh.apigw.tencentcs.com,/passApi/html/_blank.html
-
http_header1
AAAACgAAABxVcGdyYWRlLUluc2VjdXJlLVJlcXVlc3RzOiAxAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAADQAAAAIAAAAFQU5JRD0AAAACAAAAGV9fU2VjdXJlLTNQQVBJU0lEPW5vc2tpbjsAAAABAAAAIztDT05TRU5UPVlFUytDTi56aC1DTisyMDIxMDkxNy0wOS0wAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IHRleHQvcGxhaW47Y2hhcnNldD1VVEYtOAAAAAoAAAAvQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQAAAAKAAAAGENhY2hlLUNvbnRyb2w6IG1heC1hZ2U9MAAAAAoAAAAfUmVmZXJlcjogaHR0cHM6Ly93d3cuYmFpZHUuY29tLwAAAAoAAAAcVXBncmFkZS1JbnNlY3VyZS1SZXF1ZXN0czogMQAAAAcAAAAAAAAADQAAAAUAAAAIX19mb3JtaWQAAAAJAAAADmFwX2lkPWZrc2RVZEdXAAAACQAAABluZXdidXllcm5hbWU9bWJkWlNnSnZFR3BpAAAACQAAABZmaWVsZG5hbWU9RnNMS25hQ3VCdmVvAAAABwAAAAEAAAANAAAAAgAAAClhaWRfPTAwMDAwMDAwJmFjY3Zlcj0xJnNob3d0eXBlPWVtYmVkJnVhPQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
4864
-
polling_time
23000
-
port_number
443
-
sc_process32
%windir%\syswow64\gpupdate.exe
-
sc_process64
%windir%\sysnative\gpupdate.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC33yCNC2uDl2oF/7G/OAJ3tI+AtnoTswUevzbMAEN+J6KjwVNFPIvYf1/3a48X+yjayvtvV+7ZZmS+MsvGjaO6J4Mnecd9f5iKf+AZUM99ffVg4ropmfD/IX74fWTRnFx/30uQP80xx0vaHImFO7UWyPvre0kVziipP1xJWMIUBwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.481970944e+09
-
unknown2
AAAABAAAAAEAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/v2/api/
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
-
watermark
1
Extracted
cobaltstrike
0
-
watermark
0
Targets
-
-
Target
ed649e6bd2bbf3a6e0788a459505a2231c92c736f1941c3b3f7c72f7b0ed5cb6
-
Size
467KB
-
MD5
0ee07e2b56702ded814ae6ebb1d71bdb
-
SHA1
c6e981a5cc70a4c7b9e95e7012a548295af7b8c8
-
SHA256
ed649e6bd2bbf3a6e0788a459505a2231c92c736f1941c3b3f7c72f7b0ed5cb6
-
SHA512
7885eab3128e526373f71398371221ea89362d1f12153e3d9fe7572c7cfd0248c8ca7db4fa611e05e21713cf7c1fa99d94f23565c018de90024d4af550ab907c
-
SSDEEP
6144:bXGow0x5mx+cIAm8z+0SyHuua0smOzOTO1dLG8t5qH+Ezc9kxS:bXbWx+7GzxSyHRTO1dLwg9
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-