General
-
Target
0be8a6ef98747e0efd13917d93bf0999b728588b29f4e24d3ee23e26314a1a1a
-
Size
835KB
-
Sample
240410-lhjpgadg8v
-
MD5
813a4a9d2cc9ec35fdf749b33c54a352
-
SHA1
2c5dd6e11b6607dc15e9d44d1e226fb9c6105ca6
-
SHA256
0be8a6ef98747e0efd13917d93bf0999b728588b29f4e24d3ee23e26314a1a1a
-
SHA512
4b680df7163f2d337e009367b58813d2d590779dbee5e9e539449a0fa71fffd65be332a86485a40828fc287c6a9da3a236f6359da41641d7ec1618c18cba9fea
-
SSDEEP
12288:6JI0yDMmHPy/1RgWRnIVIfBEftPRLnX+//DNCfUmVd2y24TaYreyFBY39pagw1sL:oKW/1RFxs7LXw/DY3FAVw1kY9O0twNAm
Malware Config
Extracted
cobaltstrike
1580103824
http://185.225.73.238:443/sub/blogger/HZKP73EU
-
access_type
512
-
beacon_type
2048
-
host
185.225.73.238,/sub/blogger/HZKP73EU
-
http_header1
AAAACgAAADpBY2NlcHQ6IGFwcGxpY2F0aW9uL3hodG1sK3htbCwgYXBwbGljYXRpb24vanNvbiwgdGV4dC9odG1sAAAACgAAABNBY2NlcHQtTGFuZ3VhZ2U6IHZlAAAACgAAAB1BY2NlcHQtRW5jb2Rpbmc6IGlkZW50aXR5LCBicgAAAAcAAAAAAAAADwAAAA0AAAACAAAAH1NFU1NJT05JRF9XM1U4STFVNUFQVlVIVVJVNVVFUj0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACtBY2NlcHQ6IGFwcGxpY2F0aW9uL3htbCwgaW1hZ2UvKiwgdGV4dC9odG1sAAAACgAAABZBY2NlcHQtTGFuZ3VhZ2U6IGVzLWVjAAAACgAAAB1BY2NlcHQtRW5jb2Rpbmc6IGJyLCBjb21wcmVzcwAAAAcAAAAAAAAADwAAAA0AAAAFAAAACV9VV1lKUlZBRQAAAAcAAAABAAAADwAAAAgAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
8704
-
polling_time
66886
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe -o enable
-
sc_process64
%windir%\sysnative\DevicePairingWizard.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCDjafSAG/t5AV7MoJ0+yfqNVP8VKHTcWG23Xwqeq+bC34ftgavpOGxc90RaJYkBZQfMrMG2vVGWBcJjYS9OpN0RgqnTKV7X386f0joSLS9E/wKAP7GwQKUwjE7xZVlzelWDQBRq7/OaBXAF405hSi4eRWAuEIZeAWk8/irwifE5wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.241980928e+09
-
unknown2
AAAABAAAAAEAAAOhAAAAAgAAA6EAAAALAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/upset/W/JQ7WJZ2NU3
-
user_agent
Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
-
watermark
1580103824
Targets
-
-
Target
0be8a6ef98747e0efd13917d93bf0999b728588b29f4e24d3ee23e26314a1a1a
-
Size
835KB
-
MD5
813a4a9d2cc9ec35fdf749b33c54a352
-
SHA1
2c5dd6e11b6607dc15e9d44d1e226fb9c6105ca6
-
SHA256
0be8a6ef98747e0efd13917d93bf0999b728588b29f4e24d3ee23e26314a1a1a
-
SHA512
4b680df7163f2d337e009367b58813d2d590779dbee5e9e539449a0fa71fffd65be332a86485a40828fc287c6a9da3a236f6359da41641d7ec1618c18cba9fea
-
SSDEEP
12288:6JI0yDMmHPy/1RgWRnIVIfBEftPRLnX+//DNCfUmVd2y24TaYreyFBY39pagw1sL:oKW/1RFxs7LXw/DY3FAVw1kY9O0twNAm
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-