General

  • Target

    499a1eb898d2b3a4ecafe1ecdb76db643a5b203908f66729518473e493d38190

  • Size

    6.0MB

  • Sample

    240408-pbjbxaca9w

  • MD5

    e21ddfcf02fb46e8a546586bc1bdbc31

  • SHA1

    fb9686fbc6b6fbe8df18cfaf6d0f428df825422b

  • SHA256

    499a1eb898d2b3a4ecafe1ecdb76db643a5b203908f66729518473e493d38190

  • SHA512

    059a70f0d2abb2bec8feabcfda92fe86ab35a306ba40a66603ff227f4578d141bf574eac628ae917e025b47189555b4e6bfe1551b7d158192cc6221ec1e31555

  • SSDEEP

    98304:BRR0GVaJKa8hgxARuxb92N0ps3e1ahT4gqScNNDE+l30j:BwHJwjRYb9E0Me1aJRqXNNl0j

Malware Config

Extracted

Family

cobaltstrike

Botnet

391144938

C2

http://8.130.52.13:12233/en_US/all.js

Attributes
  • access_type

    512

  • host

    8.130.52.13,/en_US/all.js

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    12233

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrrnDSK8mY2VTo52+fzawtJ4/efTryDSm17+YlyOZSbZwdJwQuB1Hqf7HkiLB7NPAEKCH7bY9l06KbGhb+k+wR+60F9hVi1BIHoyjir6T3gMUCsx7/ZnznDGcywlmrvCJk5iQqVcFAuF7QtrvzbbFnUzg/WgBQ3GgB8l982WJNOwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; LBBROWSER)

  • watermark

    391144938

Targets

    • Target

      499a1eb898d2b3a4ecafe1ecdb76db643a5b203908f66729518473e493d38190

    • Size

      6.0MB

    • MD5

      e21ddfcf02fb46e8a546586bc1bdbc31

    • SHA1

      fb9686fbc6b6fbe8df18cfaf6d0f428df825422b

    • SHA256

      499a1eb898d2b3a4ecafe1ecdb76db643a5b203908f66729518473e493d38190

    • SHA512

      059a70f0d2abb2bec8feabcfda92fe86ab35a306ba40a66603ff227f4578d141bf574eac628ae917e025b47189555b4e6bfe1551b7d158192cc6221ec1e31555

    • SSDEEP

      98304:BRR0GVaJKa8hgxARuxb92N0ps3e1ahT4gqScNNDE+l30j:BwHJwjRYb9E0Me1aJRqXNNl0j

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix

Tasks