General
-
Target
bfb0ff3c28b6f82afabaf58837989b00
-
Size
4.7MB
-
Sample
240311-dqhs5sbc31
-
MD5
bfb0ff3c28b6f82afabaf58837989b00
-
SHA1
82fa2bbecb84cecff62c6b3600e6195803f7fb84
-
SHA256
7816862d412c71840584ab9032952ce4e7a9268e44bfac669311356937fc6a40
-
SHA512
eead3c3fe155c4ce626ead7466f27ede6f7f1eaee570a88189627d1e11da63f70f2cc6ea86fbfead3dc7ae3a33ff2874435f353752a592b2d7e9cb5fa83d6f59
-
SSDEEP
98304:EAI+9ejHqIAPoHZXs+PdHWwLo1JLQTNUU4+w5VF0/7AMy5VV+71knp:Dt9eLzApEvU1JUTxhIVV+pknp
Malware Config
Extracted
cobaltstrike
305419776
http://advmicrodevice.com:1080/faq
-
access_type
512
-
beacon_type
2048
-
host
advmicrodevice.com,/faq
-
http_header1
AAAAEAAAABhIb3N0OiBhZHZtaWNyb2RldmljZS5jb20AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAALAAAAAwAAAAIAAAAQbWFkZV93cml0ZV9jb25uPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAABhIb3N0OiBhZHZtaWNyb2RldmljZS5jb20AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAACgAAABNBY2NlcHQtRW5jb2Rpbmc6IGJyAAAACgAAABhDb250ZW50LVR5cGU6IHRleHQvcGxhaW4AAAAHAAAAAQAAAA0AAAADAAAABAAAAAcAAAAAAAAAAwAAAAIAAAAOX19zZXNzaW9uX19pZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9984
-
polling_time
61835
-
port_number
1080
-
sc_process32
%windir%\syswow64\runonce.exe
-
sc_process64
%windir%\sysnative\runonce.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCRB7V21uKGciSh2OXnKB+/pAMi66Vr3lZFWaFPM0or5KvggvdSmZFAEQ7fRtEyEJQnmw12W7+Ikf5h6ZBGm2tY0ZTOR8ZWBbJgvXuFd31dN/CHQNeKT7hfGWeWRD/yAUFty7EsUgTf9vcx7uUNbUSN/noLl3y2w8huMtBv+zrxcQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.272630272e+09
-
unknown2
AAAABAAAAAIAAAFSAAAAAwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/nl
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9
-
watermark
305419776
Targets
-
-
Target
bfb0ff3c28b6f82afabaf58837989b00
-
Size
4.7MB
-
MD5
bfb0ff3c28b6f82afabaf58837989b00
-
SHA1
82fa2bbecb84cecff62c6b3600e6195803f7fb84
-
SHA256
7816862d412c71840584ab9032952ce4e7a9268e44bfac669311356937fc6a40
-
SHA512
eead3c3fe155c4ce626ead7466f27ede6f7f1eaee570a88189627d1e11da63f70f2cc6ea86fbfead3dc7ae3a33ff2874435f353752a592b2d7e9cb5fa83d6f59
-
SSDEEP
98304:EAI+9ejHqIAPoHZXs+PdHWwLo1JLQTNUU4+w5VF0/7AMy5VV+71knp:Dt9eLzApEvU1JUTxhIVV+pknp
Score10/10-
Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
-
Babadeda Crypter
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-