General
-
Target
ad2af4ead09dc2445069b262e9d0d297f187ed3b1b1d9754fd1fa536768b4d24.js
-
Size
718KB
-
Sample
240411-bzw11sbh5y
-
MD5
6c0c25445827a1bb55a7b7a53a2173e0
-
SHA1
2e34cc5a0e8d276b5288f4ba493bf36e26d7d51c
-
SHA256
ad2af4ead09dc2445069b262e9d0d297f187ed3b1b1d9754fd1fa536768b4d24
-
SHA512
fa974a3ff032cacf4072eed7ad4def358fabb8d186b5c9b0b50f85c2fd9b337a9c29c5cda0a853abcce9042f7bce8a8f2b991870e9892f4ba51be8b22166f451
-
SSDEEP
384:CqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbW:5mmmmmmmmmmmmmmmmmmW
Malware Config
Extracted
https://store3.gofile.io/download/direct/e63cd175-a3bf-4fbc-87b6-8c237ace143e/hays_compiled_files.pdf
https://store3.gofile.io/download/direct/55478873-a42c-46f8-b63b-60c5031fa485/vad.cmd
Extracted
cobaltstrike
666
http://samsunguniverse.com:443/wp-content/unsalted-condensed-soups/
-
access_type
512
-
beacon_type
2048
-
dns_idle
6.7372036e+07
-
dns_sleep
8.1297408e+08
-
host
samsunguniverse.com,/wp-content/unsalted-condensed-soups/
-
http_header1
AAAACgAAAF1BY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCwqLyo7cT0wLjgAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUAAAAKAAAAIkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIAAAAKAAAAFkNvbm5lY3Rpb246IGtlZXAtYWxpdmUAAAAHAAAAAAAAAA8AAAANAAAAAQAAAAkvc291cC5naWYAAAAMAAAAAAAAAA==
-
http_header2
AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAATXsiaW1hZ2VfdXJsIiA6ICJodHRwOi8vbWVtZXNtaXgubmV0L21lZGlhL2NyZWF0ZWQvam9vd2RqLmpwZyIsICJhdXRoZGF0YSIgOiAiAAAAAQAAAAIifQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
jitter
7680
-
maxdns
235
-
polling_time
60000
-
port_number
443
-
sc_process32
%windir%\syswow64\dfrgui.exe
-
sc_process64
%windir%\sysnative\dfrgui.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCF4otg7PLqPK9DRHSRAWCg2RQ4hXLImgcCXikvdf4N9sFBrpIEQsznrImUwv+9q+7voFNWL8Kh+mkeF+bGKcQCczSXFkKpPYvwwOEQeT8lPfiFAkT/eNHDuZY/xrjA4VMmgBRM3qvPbgi9lCPfOowsx6njNPJIeuQufRDk7p5u5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
3.154317312e+09
-
unknown2
AAAABAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAACwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/imagedata/
-
user_agent
Mozilla/5.0 (X11; CrOS x86_64 13597.94.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.186 Safari/537.36
-
watermark
666
Targets
-
-
Target
ad2af4ead09dc2445069b262e9d0d297f187ed3b1b1d9754fd1fa536768b4d24.js
-
Size
718KB
-
MD5
6c0c25445827a1bb55a7b7a53a2173e0
-
SHA1
2e34cc5a0e8d276b5288f4ba493bf36e26d7d51c
-
SHA256
ad2af4ead09dc2445069b262e9d0d297f187ed3b1b1d9754fd1fa536768b4d24
-
SHA512
fa974a3ff032cacf4072eed7ad4def358fabb8d186b5c9b0b50f85c2fd9b337a9c29c5cda0a853abcce9042f7bce8a8f2b991870e9892f4ba51be8b22166f451
-
SSDEEP
384:CqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbW:5mmmmmmmmmmmmmmmmmmW
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-