General
-
Target
b40f63c3d9540eeeb60d2906d89c4e67bb47e395fe5c1130de37790852a9e5c1
-
Size
4.5MB
-
Sample
240402-lz6wbsea67
-
MD5
c712298e96ed2c09bb71b19ec3635c83
-
SHA1
6548104bde330c2d84bd2bc480525161624c8480
-
SHA256
b40f63c3d9540eeeb60d2906d89c4e67bb47e395fe5c1130de37790852a9e5c1
-
SHA512
41d31c64e69018a777f21252a3667b6e383c5fe4a2722e0563f6588fac2b2099fd46cb6adcb4ffd110513343cc2a61355549f9b06becf16856d4a720f573b27c
-
SSDEEP
24576:kB4kdxwvqt9y9t26Lk6/C+ERuKrnntBU53setyRjbHxI8W41ew9z3IsmiofxIDfU:HqGvqt9ktOEi5+Cw
Malware Config
Extracted
cobaltstrike
391144938
http://192.168.2.108:443/load
-
access_type
512
-
beacon_type
2048
-
host
192.168.2.108,/load
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCviX8Tul+1D8NGaL4kc+7/LZfj60KBG/Bpfl5tfRHMEIDfdt7Us100kF04hQx22jU5Z7vjOYC61tb6Q5h+ZD5WLcR7yMnFMuWXo186sBwpiV/tzT+kvxQ2lP47IOCflc0nId43vi/gflSDv6jxZqKpnk+gKQAntdALhJTAyNW1qQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM; MANM)
-
watermark
391144938
Targets
-
-
Target
b40f63c3d9540eeeb60d2906d89c4e67bb47e395fe5c1130de37790852a9e5c1
-
Size
4.5MB
-
MD5
c712298e96ed2c09bb71b19ec3635c83
-
SHA1
6548104bde330c2d84bd2bc480525161624c8480
-
SHA256
b40f63c3d9540eeeb60d2906d89c4e67bb47e395fe5c1130de37790852a9e5c1
-
SHA512
41d31c64e69018a777f21252a3667b6e383c5fe4a2722e0563f6588fac2b2099fd46cb6adcb4ffd110513343cc2a61355549f9b06becf16856d4a720f573b27c
-
SSDEEP
24576:kB4kdxwvqt9y9t26Lk6/C+ERuKrnntBU53setyRjbHxI8W41ew9z3IsmiofxIDfU:HqGvqt9ktOEi5+Cw
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-