General
-
Target
03795a683bf3eb9ed7673522fe7eac45949a824da8043236cd504fd8106e3593
-
Size
6.1MB
-
Sample
240410-lbp8nsad37
-
MD5
f5daa93b81be67cfd79a403d5a8a7ed8
-
SHA1
9a218d3e65b974ab1bc9fa364a5597df0beddb72
-
SHA256
03795a683bf3eb9ed7673522fe7eac45949a824da8043236cd504fd8106e3593
-
SHA512
b223db7541c4c5733d6da1e185042e910cda0b3503f046c9f343bd9ecdff3a7162c2a3abd6038013ac857ca875f03f0516f5e6439311f1c7aa5008db5c5397fd
-
SSDEEP
196608:7D1K5W5Zj7xEcF/zMV5C/Gb9bcxcHFhpHn:75KU55xEErMVQ/sbcux
Malware Config
Extracted
cobaltstrike
426352781
http://docs.python.org:443/latest/pip-check
-
access_type
512
-
beacon_type
2048
-
host
docs.python.org,/latest/pip-check
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfUmVmZXJlcjogaHR0cDovL3d3dy5weXRob24ub3JnLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAANAAAAAgAAAAdfX3V0bXo9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfUmVmZXJlcjogaHR0cDovL3d3dy5weXRob24ub3JnLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAPAAAADQAAAAUAAAAGX191dG16AAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
2560
-
polling_time
1000
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDT5/xLtdf0mfbAZ1SOgtXZAyKkM34KWqpUdp4aKli2SeQo2+hL+WTcphBl+t+zIIuiCChggLxQUGMFy0jqJDrYpjcGguHFB4A8I1/otg9K+fNOJ53iEO6Gs89KUZ4kfLYwCcyhaKML+kuLs6nxrEDmKrmAsrtP3L8vpAtWqqthFQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.733629184e+09
-
unknown2
AAAABAAAAAEAAAACAAAAAgAAAAoAAAACAAAAAAAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/latest/check
-
user_agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
-
watermark
426352781
Targets
-
-
Target
03795a683bf3eb9ed7673522fe7eac45949a824da8043236cd504fd8106e3593
-
Size
6.1MB
-
MD5
f5daa93b81be67cfd79a403d5a8a7ed8
-
SHA1
9a218d3e65b974ab1bc9fa364a5597df0beddb72
-
SHA256
03795a683bf3eb9ed7673522fe7eac45949a824da8043236cd504fd8106e3593
-
SHA512
b223db7541c4c5733d6da1e185042e910cda0b3503f046c9f343bd9ecdff3a7162c2a3abd6038013ac857ca875f03f0516f5e6439311f1c7aa5008db5c5397fd
-
SSDEEP
196608:7D1K5W5Zj7xEcF/zMV5C/Gb9bcxcHFhpHn:75KU55xEErMVQ/sbcux
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-