General
- Target: 8de600a88650d22bad284c4c8a2ee009795117d3389248f4104420dce11b9a0b
- Size: 1.4MB
- Sample: 240408-rfhmaaec5z
- MD5: 4bdc46c58367ed5abb02d667be3fc88f
- SHA1: 3a3a901f711f6b00ea1ef6a43691c96045571a8b
- SHA256: 8de600a88650d22bad284c4c8a2ee009795117d3389248f4104420dce11b9a0b
- SHA512: 4a289038be4879a7514dc4cdceb4f379c62d1afbc19a121038cbd168d69d5612243c709b15459573044a2790406f12c945a63d721fccdf5e3c04aa22093b832f
- SSDEEP: 24576:RvcNkfnDVfcgBDYGNIImc9+ZTwpnBDxzxSTpPCCbyvOX8b6Kei2cV8:VekfnD5cgBE6WOBDxzxmMCbeb6jiPu
Static task: static1

Behavioral task: behavioral1
- Sample: xshell软件排查结果反馈/xshell软件排查结果反馈.docx.lnk
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: xshell软件排查结果反馈/xshell软件排查结果反馈.docx.lnk
- Resource: win10v2004-20240226-en

Behavioral task: behavioral3
- Sample: xshell软件排查结果反馈/其他材料/.__MACOSX__/.__MACOS__/._MACOS_/cs.vbs
- Resource: win7-20240221-en

Behavioral task: behavioral4
- Sample: xshell软件排查结果反馈/其他材料/.__MACOSX__/.__MACOS__/._MACOS_/cs.vbs
- Resource: win10v2004-20240226-en

Behavioral task: behavioral5
- Sample: xshell软件排查结果反馈/其他材料/.__MACOSX__/.__MACOS__/._MACOS_/mc.dll
- Resource: win7-20240221-en

Behavioral task: behavioral6
- Sample: xshell软件排查结果反馈/其他材料/.__MACOSX__/.__MACOS__/._MACOS_/mc.dll
- Resource: win10v2004-20240226-en

Behavioral task: behavioral7
- Sample: xshell软件排查结果反馈/其他材料/附件-xshell软件排查结果反馈表.xlsx
- Resource: win7-20240319-en

Behavioral task: behavioral8
- Sample: xshell软件排查结果反馈/其他材料/附件-xshell软件排查结果反馈表.xlsx
- Resource: win10v2004-20240226-en
Malware Config

Extracted: cobaltstrike
100000
http://consumer-img.huawei.com:80/lib/v2/wcp-consent.js
- access_type: 512
- host: consumer-img.huawei.com,/lib/v2/wcp-consent.js
- http_method1: GET
- http_method2: POST
- polling_time: 30000
- port_number: 80
- sc_process32: %windir%\syswow64\runonce.exe
- sc_process64: %windir%\sysnative\runonce.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJKQv1XF4Cmh2xywEarCa/bP0HPP+UFEQJHMOo5NsyVYvAVfHd59D4LmvVhtB6dvdqdkLUunc6NQljbO4D42xMOrFI41rqlbFibjEJQYX58RbZvjS1bhHVKa9XdQIQRpuk3eWO4Pk+iGyM1gHKjyZT+PV5lhUp1aBwAUirc7UnEQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 1.448416512e+09
- unknown2:
AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /lib/v2/recaptcha__en.js
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
- watermark: 100000

Extracted: cobaltstrike
0
- watermark: 0
Targets

Target: xshell软件排查结果反馈/xshell软件排查结果反馈.docx.lnk
- Size: 1KB
- MD5: dcf3d59f84590bf4195d3e42d1f229be
- SHA1: f219a6fbb04f2513e109e22269f839121c072fc7
- SHA256: 82bf7ba9e947c1dc93032278c52f32b20a026cd05f3195ef08cf9a31be75a5b2
- SHA512: 724d3225699af65b645b2c0ed7e8116f5a392c77018acbe2da0901cc76b4341546bf8f629325916fa6980e8054775c7160c6abce58c6c9637e927a2ece769a5c
Score: 10/10
- Blocklisted process makes network request
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
Target: xshell软件排查结果反馈/其他材料/.__MACOSX__/.__MACOS__/._MACOS_/cs.vbs
- Size: 291B
- MD5: 4b0fa4b7a9b2eff999b0cce9e5ac7925
- SHA1: 6e0c89d5c77126de53f6fcbee0596c1b5ef9c2a6
- SHA256: 3327ee66d0892199aa9eb7917c961b3266a5f90695baa6728c50b0c2ff8a9099
- SHA512: 79aca7bf5f180242fd21ad3c9e339b19183c66d1d0343c62c49eba33c246f2e142171e1096b786ba833ae24d98fe57c8b7d960b469a28d9ccc1484e49c1af2f6
Score: 10/10
- Blocklisted process makes network request
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
Target: xshell软件排查结果反馈/其他材料/.__MACOSX__/.__MACOS__/._MACOS_/mc.dll
- Size: 4.8MB
- MD5: 4e09296529ec9d8fb62fa94049549505
- SHA1: 83cf897a176049d629f634aa710962caaa5b509a
- SHA256: e20e39a29c9103203e3414ecd3cee0978e3c25b14bfad7803a39f6052ad00d53
- SHA512: e29fc7dc1d602598c0f5b161fb46bc3e943657aca18173b09b2266bbc031113c5edeebb68126be502fc3d7ec3a98ffd5bf0c0a373a3a8634db0c1b5485329ce4
- SSDEEP: 49152:Z9yPOk0SJEyyD1ICggRhIBFtVihl8Tcm8gJ4UBgjnum6lc:FkOp+FtVihHLgJ4UBgr
Score: 10/10
- Blocklisted process makes network request
Target: xshell软件排查结果反馈/其他材料/附件-xshell软件排查结果反馈表.xlsx
- Size: 16KB
- MD5: fe154267585de18c4720ef67c26ba17a
- SHA1: a2839f79014c2cbb610b7e15168e841bf745d237
- SHA256: d7f315ee9327145bcff84eee2341306aea186b768c25c86cacc15c33d87776fb
- SHA512: 90d77749804f7f03e4e759d06313360bd0a93a884d133c31f4819666253a479eb25e3d35c54fea260a4d742faa21bcd45369bb92185b23e19d34c1d7ed0ea411
- SSDEEP: 384:NuhFHfZTnoE+ibQCbbW0Xjt2Jpu5gRiSltXLcqK1180weK2:NuL/ZTPzz5FSlt4qK1jw+
Score: 1/10