General
-
Target
41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8
-
Size
565KB
-
Sample
240410-mmcbmaff4t
-
MD5
11f483182a6d4f1a0dd2682e58b4eaf0
-
SHA1
57ebd92b2f0c2269a3aa1aea74498a44041ecc75
-
SHA256
41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8
-
SHA512
028e321cf5bdde26660f98477fbbc23607f48a724ecbfd6041969828c09b10e0f0603c1551f63f998a9b6c4964363bbd6f4b4fbd2fea07bc2f42fe57fdaca144
-
SSDEEP
6144:8M1HMUCuFyhyGUKnjZ0dxuhUMA3eIJuMPJCVy+tPXbLE8x/RSI2SS:8MaUCAwUMZ0PRJZMBPbLE8x
Malware Config
Extracted
cobaltstrike
426352781
http://www.vietsovspeedtest.com:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
2048
-
host
www.vietsovspeedtest.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAABAAAAAeSG9zdDogd3d3LnZpZXRzb3ZzcGVlZHRlc3QuY29tAAAABwAAAAAAAAADAAAAAgAAAA5zZXNzaW9uLXRva2VuPQAAAAIAAAAMc2tpbj1ub3NraW47AAAAAQAAACxjc20taGl0PXMtMjRLVTExQkI4MlJaU1lHSjNCREt8MTQxOTg5OTAxMjk5NgAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAQAAAAHkhvc3Q6IHd3dy52aWV0c292c3BlZWR0ZXN0LmNvbQAAAAkAAAAKc3o9MTYweDYwMAAAAAkAAAARb2U9b2U9SVNPLTg4NTktMTsAAAAHAAAAAAAAAAUAAAACc24AAAAJAAAABnM9MzcxNwAAAAkAAAAiZGNfcmVmPWh0dHAlM0ElMkYlMkZ3d3cuYW1hem9uLmNvbQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\mstsc.exe
-
sc_process64
%windir%\sysnative\mstsc.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGZQE/ydtndkV2dxaiulzRfeiGbSezhRB4m/gYcGkmSmo+BzksdxaYy2rWS4PMcYtvUME1tLauZnhDGlzmaWa8L1ilL3LIXq7FC5D/ItspPr3JcHWHjDLY2Trymhb8oIZaBWUc0Q+TgLi32ID+K5PpJAaj9Qkg1Us8sp5pA4+HTQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
426352781
Extracted
cobaltstrike
0
-
watermark
0
Targets
-
-
Target
41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8
-
Size
565KB
-
MD5
11f483182a6d4f1a0dd2682e58b4eaf0
-
SHA1
57ebd92b2f0c2269a3aa1aea74498a44041ecc75
-
SHA256
41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8
-
SHA512
028e321cf5bdde26660f98477fbbc23607f48a724ecbfd6041969828c09b10e0f0603c1551f63f998a9b6c4964363bbd6f4b4fbd2fea07bc2f42fe57fdaca144
-
SSDEEP
6144:8M1HMUCuFyhyGUKnjZ0dxuhUMA3eIJuMPJCVy+tPXbLE8x/RSI2SS:8MaUCAwUMZ0PRJZMBPbLE8x
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-