General
-
Target
aadd8c7c248915c5da49c976f24aeb98ccc426fb31d1d6913519694a7bb9351a
-
Size
1.7MB
-
Sample
240410-qlbkgscc3z
-
MD5
52c5b5e9a2ec443769dba5f44c83d7de
-
SHA1
662d28032eec0ce9ab7e90a7695072a7285a53e2
-
SHA256
aadd8c7c248915c5da49c976f24aeb98ccc426fb31d1d6913519694a7bb9351a
-
SHA512
ca53e9bf449603878492e3b7911f7b841caf5dbb6700a19444c96f8cb7332d38766e8870d23ec938433f12b4553c908ca93d90690baaa73168dbc42f5e4ca696
-
SSDEEP
24576:6KqNDKw8/TOrgMwVTRhsnaIuaSxdy3rzn2PrSS6s3QVKKKemf8s7V/OeVq26SE7y:6KaKw8tIuaSxhu7m8gVxA26by
Static task
static1
Behavioral task
behavioral1
Sample
aadd8c7c248915c5da49c976f24aeb98ccc426fb31d1d6913519694a7bb9351a.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
aadd8c7c248915c5da49c976f24aeb98ccc426fb31d1d6913519694a7bb9351a.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
cobaltstrike
1580103824
http://136.144.41.177:80/s/Xnk75JwUcIebkrmENtufIiiKEmoqBN/field-keywords/
-
access_type
512
-
host
136.144.41.177,/s/Xnk75JwUcIebkrmENtufIiiKEmoqBN/field-keywords/
-
http_header1
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
-
http_header2
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
-
http_method1
GET
-
http_method2
POST
-
jitter
7168
-
polling_time
75000
-
port_number
80
-
sc_process32
%windir%\syswow64\svchost.exe
-
sc_process64
%windir%\sysnative\svchost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGr/tvnntyVacaxyxESQ/CzQ4R6bzdtF706a73hDZebhwe0JKHOCLGp8tRugsEBzUuDQAKbzD4Fti7XIgcaANZeLxKJ/ZnL5PRS02VtUYTeR8sqi2NG9sHkPIlAQmTYJebx3ffH0FAUukAGdx6X4bgdZEGUJrFyTIKhxY3vp1fbQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/nzXlLVas-VALvDh9lopkC/avp/amznussraps/
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36/e4ECaCzC-37
-
watermark
1580103824
Targets
-
-
Target
aadd8c7c248915c5da49c976f24aeb98ccc426fb31d1d6913519694a7bb9351a
-
Size
1.7MB
-
MD5
52c5b5e9a2ec443769dba5f44c83d7de
-
SHA1
662d28032eec0ce9ab7e90a7695072a7285a53e2
-
SHA256
aadd8c7c248915c5da49c976f24aeb98ccc426fb31d1d6913519694a7bb9351a
-
SHA512
ca53e9bf449603878492e3b7911f7b841caf5dbb6700a19444c96f8cb7332d38766e8870d23ec938433f12b4553c908ca93d90690baaa73168dbc42f5e4ca696
-
SSDEEP
24576:6KqNDKw8/TOrgMwVTRhsnaIuaSxdy3rzn2PrSS6s3QVKKKemf8s7V/OeVq26SE7y:6KaKw8tIuaSxhu7m8gVxA26by
Score 10/10
-
Blocklisted process makes network request
-
Adds Run key to start application
-