General
-
Target
4a438626ac962db91cde46ee2c04c850b46262599bc535b4a08209661d5fb44d
-
Size
724KB
-
Sample
240410-mwtl9sda38
-
MD5
bde91a78424fd430ff76a35e0f13b261
-
SHA1
f30cd68daf082becf0eac8efaaeb4bfe14396144
-
SHA256
4a438626ac962db91cde46ee2c04c850b46262599bc535b4a08209661d5fb44d
-
SHA512
465df8a1e6878c1bcc886db6cd194d535e9f4db27c1cc197b4708b331d0d02dbe06a78e0c2394f0f2c7550ccf84ad9fecc9c55d88129ce68a486d3f4027e0f9a
-
SSDEEP
12288:PqhYIofbUkXpagXo2+S+TRclgcPyxXAMr7GzC8tnfESG9W1SOkOWZm2SZYiZBKPX:PO50YkW2+NTRiqxwpzdZsSVsOmmR3Zk3
Malware Config
Extracted
cobaltstrike
426352781
http://pypi.python.org:443/latest/pip-check
-
access_type
512
-
beacon_type
2048
-
host
pypi.python.org,/latest/pip-check
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfUmVmZXJlcjogaHR0cDovL3d3dy5weXRob24ub3JnLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAANAAAAAgAAAAdfX3V0bXo9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfUmVmZXJlcjogaHR0cDovL3d3dy5weXRob24ub3JnLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAPAAAADQAAAAUAAAAGX191dG16AAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
2560
-
polling_time
1000
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmV0fCtMxIXtGF3+FyYKSiU1yVjtm3FlG6Mej3iMRBgSTd45Sa41JLXaoOjKxePWNN4wyUUInzIPEYA6fdx4N/+zwru33xzNAdipcbN3RLZg8v3s8Zu6vVXoj7apcBJy2ObQsYhoYAialaTKe4dWOVnbUJK46Ve8gDPeudH52IRQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.733629184e+09
-
unknown2
AAAABAAAAAEAAAACAAAAAgAAAAoAAAACAAAAAAAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/latest/check
-
user_agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
-
watermark
426352781
Targets
-
-
Target
4a438626ac962db91cde46ee2c04c850b46262599bc535b4a08209661d5fb44d
-
Size
724KB
-
MD5
bde91a78424fd430ff76a35e0f13b261
-
SHA1
f30cd68daf082becf0eac8efaaeb4bfe14396144
-
SHA256
4a438626ac962db91cde46ee2c04c850b46262599bc535b4a08209661d5fb44d
-
SHA512
465df8a1e6878c1bcc886db6cd194d535e9f4db27c1cc197b4708b331d0d02dbe06a78e0c2394f0f2c7550ccf84ad9fecc9c55d88129ce68a486d3f4027e0f9a
-
SSDEEP
12288:PqhYIofbUkXpagXo2+S+TRclgcPyxXAMr7GzC8tnfESG9W1SOkOWZm2SZYiZBKPX:PO50YkW2+NTRiqxwpzdZsSVsOmmR3Zk3
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-