General
-
Target
3ba81d78f3b764dc6e369f24196c41b4cba0764414ad85d42dae5a5f79e871e1
-
Size
4.0MB
-
Sample
240410-mgzvqsfd5x
-
MD5
9aad734bc59b22f393ae53220546f025
-
SHA1
36967195eca702a09b39108d9a9b91a8f4b5685f
-
SHA256
3ba81d78f3b764dc6e369f24196c41b4cba0764414ad85d42dae5a5f79e871e1
-
SHA512
134f752a79e165056126a34b19f90d472f3de4b43ecbc4705d0751609056cba128caf74208dd34ce1fafe19d056be7a3c632f1e36abdf4258d00ef7e5e6bf329
-
SSDEEP
98304:qDLdL1cx6SgTFmbV39IRS9OZC3N6UHY6y6ndu:0L3cxiFmbtqQxjD
Malware Config
Extracted
cobaltstrike
426352781
http://docs.python.org:443/3/_static/documentation_options.js
-
access_type
512
-
beacon_type
2048
-
host
docs.python.org,/3/_static/documentation_options.js
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfUmVmZXJlcjogaHR0cDovL3d3dy5weXRob24ub3JnLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAANAAAAAgAAAAdfX3V0bXo9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfUmVmZXJlcjogaHR0cDovL3d3dy5weXRob24ub3JnLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAPAAAADQAAAAUAAAAGX191dG16AAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
2560
-
polling_time
1000
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyXvw9mY/QkP1Wh8AN0IsHib9vHQHvto8stMBDs1V4eKwF4XsKjkbOVrUHNk1kYcKXxfTrEFtUqQ1uOd5UUThdsbkZRNfX6mQdVr8KlUfdtGt3HpbTfp/YHAKPcXY4mxxzJ81rm77RYELtClUY8VsHwU4cXaJzRV1zD75ZmG8+iQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.733629184e+09
-
unknown2
AAAABAAAAAEAAAACAAAAAgAAAAoAAAACAAAAAAAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/3/_static
-
user_agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
-
watermark
426352781
Extracted
cobaltstrike
0
-
watermark
0
Targets
-
-
Target
3ba81d78f3b764dc6e369f24196c41b4cba0764414ad85d42dae5a5f79e871e1
-
Size
4.0MB
-
MD5
9aad734bc59b22f393ae53220546f025
-
SHA1
36967195eca702a09b39108d9a9b91a8f4b5685f
-
SHA256
3ba81d78f3b764dc6e369f24196c41b4cba0764414ad85d42dae5a5f79e871e1
-
SHA512
134f752a79e165056126a34b19f90d472f3de4b43ecbc4705d0751609056cba128caf74208dd34ce1fafe19d056be7a3c632f1e36abdf4258d00ef7e5e6bf329
-
SSDEEP
98304:qDLdL1cx6SgTFmbV39IRS9OZC3N6UHY6y6ndu:0L3cxiFmbtqQxjD
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-