General
-
Target
ce85ce1f0de02fccdbc5e955c23f20d48a4b672f6d70758224c23bd2887498e9
-
Size
2.4MB
-
Sample
240312-l2m61aeb9v
-
MD5
6b6bfd594cc7b2554bfde0aaba2e51ba
-
SHA1
59a12a6157dab83dca5150cb7bf78ef21d7cae80
-
SHA256
ce85ce1f0de02fccdbc5e955c23f20d48a4b672f6d70758224c23bd2887498e9
-
SHA512
8dce04e0f8743033dbf19557dc721c116038b1f613605549ccfb941fd659c2a1b08c60a9a7dca822f170e965b49473d0de8d228482f20a867735173572673c08
-
SSDEEP
24576:6dqT0t1mDPQ1X/Ag+j56FvBjmrWzrJBCaGmIoYhHWdG/teWhhPG5z1HJJ4EJ2XUs:2h1mDPQ2zjAearfUq+Hp9h2HYU1
Static task
static1
Behavioral task
behavioral1
Sample
ce85ce1f0de02fccdbc5e955c23f20d48a4b672f6d70758224c23bd2887498e9.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
ce85ce1f0de02fccdbc5e955c23f20d48a4b672f6d70758224c23bd2887498e9.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
cobaltstrike
http://n.sonyapi.win:80/65G6LY75
-
user_agent
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: n.sonyapi.win
Extracted
cobaltstrike
100000000
http://172.67.160.107:80/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
host
172.67.160.107,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
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
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAQAAAAE0hvc3Q6IG4uc29ueWFwaS53aW4AAAAJAAAACnN6PTE2MHg2MDAAAAAJAAAAEW9lPW9lPUlTTy04ODU5LTE7AAAABwAAAAAAAAAFAAAAAnNuAAAACQAAAAZzPTM3MTcAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
12800
-
polling_time
5000
-
port_number
80
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyieCX9WYJ/BNssDXxndrgOfkP2uxl1c4xq04tJuIYvl+6UV8wtD83RoBcBTbY01t66U6hcXULNUNduEj15Uw3yzfE5VFwPrTESzUiYE3PHVRw8jOZ41Q7cIoWpYlS4hDw66oC9RVkVG2Xdq6GILf/B5pfjvGVP/ZkKKAbnGLmdwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/MS.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
100000000
Targets
-
-
Target
ce85ce1f0de02fccdbc5e955c23f20d48a4b672f6d70758224c23bd2887498e9
-
Size
2.4MB
-
MD5
6b6bfd594cc7b2554bfde0aaba2e51ba
-
SHA1
59a12a6157dab83dca5150cb7bf78ef21d7cae80
-
SHA256
ce85ce1f0de02fccdbc5e955c23f20d48a4b672f6d70758224c23bd2887498e9
-
SHA512
8dce04e0f8743033dbf19557dc721c116038b1f613605549ccfb941fd659c2a1b08c60a9a7dca822f170e965b49473d0de8d228482f20a867735173572673c08
-
SSDEEP
24576:6dqT0t1mDPQ1X/Ag+j56FvBjmrWzrJBCaGmIoYhHWdG/teWhhPG5z1HJJ4EJ2XUs:2h1mDPQ2zjAearfUq+Hp9h2HYU1
Score 10/10 -