General
-
Target
1a6373bf3cf3d883d2f0f988a5b716894ba9a307d418b7bea8eb330629047ca4
-
Size
374KB
-
Sample
240329-kw8p3sde8s
-
MD5
1c5b795d33c65c125e527ee151cf36c0
-
SHA1
b9d4a4562f11d36a6f68cb0887b9063c0c0539d4
-
SHA256
1a6373bf3cf3d883d2f0f988a5b716894ba9a307d418b7bea8eb330629047ca4
-
SHA512
f8d2c4c484baa5aa452cd45eee6b1f2ac3202e951df41ddd05a3d1cf22ba66f2f2c62b28950ffb6b3a770b2bdf97a31086be59d34eaded221132a6b0192ab9c5
-
SSDEEP
6144:71enYORXaLzu168sTxc6JUinnjMJ1AJSmwczziqScccs+/WP/PUk/Tx/B1RdDT7:JIYORqBZTx3PnjMqSjs2qfR3cTx/XDT7
Malware Config
Extracted
cobaltstrike
100000
http://service-bux0bbzb-1312435925.bj.apigw.tencentcs.com:443/api/getit
-
access_type
512
-
beacon_type
2048
-
host
service-bux0bbzb-1312435925.bj.apigw.tencentcs.com,/api/getit
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
5120
-
polling_time
10000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP/90kIYu6Mm7jvmEOOCFN7wCCA036EHvc+uJNEqNgwMoCpPIfFGkdjd62ZG1a4SDzfM41Kyg8A97hjvFD4g0EzoUqt8RdYWzSBD7xA94rxMy+Z2im7FBDtvyZpxlAvjWw21ONdT3TfXrUGoSfjWKeEXlkPNeg/AoVywMzeoxVlwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.481970944e+09
-
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/api/postit
-
user_agent
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
-
watermark
100000
Targets
-
-
Target
1a6373bf3cf3d883d2f0f988a5b716894ba9a307d418b7bea8eb330629047ca4
-
Size
374KB
-
MD5
1c5b795d33c65c125e527ee151cf36c0
-
SHA1
b9d4a4562f11d36a6f68cb0887b9063c0c0539d4
-
SHA256
1a6373bf3cf3d883d2f0f988a5b716894ba9a307d418b7bea8eb330629047ca4
-
SHA512
f8d2c4c484baa5aa452cd45eee6b1f2ac3202e951df41ddd05a3d1cf22ba66f2f2c62b28950ffb6b3a770b2bdf97a31086be59d34eaded221132a6b0192ab9c5
-
SSDEEP
6144:71enYORXaLzu168sTxc6JUinnjMJ1AJSmwczziqScccs+/WP/PUk/Tx/B1RdDT7:JIYORqBZTx3PnjMqSjs2qfR3cTx/XDT7
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-