General
-
Target
43780b5d07144e9fd0f547333148f002.exe
-
Size
16KB
-
Sample
240503-lfbk3sde93
-
MD5
43780b5d07144e9fd0f547333148f002
-
SHA1
c4a1e189c6707d4af8e5652a58e2d1d92c073ecc
-
SHA256
dc460f03652eb64c6aeb07a3684780dda19d55dc7e80cc470b61eb2d22b4772c
-
SHA512
a2fcf87c69c0e1d96b3f86e29c89187edc4eafb6aef19592fb4dc1d4cb5be831c13d80509a5bcf6ae48075eb6f16ce9486e5b16d7ac71d479b407862e4489149
-
SSDEEP
384:qktbUK2aFt/faevMcvojAC+DLbs6Od50mzhEIp8:J1/fFMcv2+nbodCR
Malware Config
Extracted
metasploit
windows/download_exec
http://207.148.109.8:443/sig32.gif
Extracted
cobaltstrike
100000000
http://207.148.109.8:443/ptj
-
access_type
512
-
beacon_type
2048
-
host
207.148.109.8,/ptj
-
http_header1
AAAACgAAAF1BY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCwqLyo7cT0wLjgAAAAKAAAATEFjY2VwdC1MYW5ndWFnZTogemgtQ04semg7cT0wLjgsemgtVFc7cT0wLjcsemgtSEs7cT0wLjUsZW4tVVM7cT0wLjMsZW47cT0wLjIAAAAKAAAAXFVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQ7IHJ2OjEwMi4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzEwMi4wAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAGFNlYy1GZXRjaC1EZXN0OiBkb2N1bWVudAAAAAcAAAAAAAAADQAAAAUAAAACd2EAAAAJAAAADnBhdGg9L2NhbGVuZGFyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAoAAAALQWNjZXB0OiAqLyoAAAAHAAAAAQAAAA0AAAAFAAAAAndhAAAABwAAAAAAAAANAAAAAgAAAAZ3bGE0Mj0AAAACAAAAC3hpZD03MzBiZjc7AAAAAgAAABJNU1BBdXRoPTNFa0FqREtqSTsAAAACAAAAJU1TMD0xYWZkNGZiMzc5NzE0MzU3YTU5NTMyYTI0YmVmNTJiNDsAAAACAAAAK0VYUElEPTMwN2Y3ZWRkLWIwN2ItNGJkNC1iZThhLTE2ZmYyYTlhM2U0NzsAAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
10240
-
polling_time
60000
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFmCVAqjwVXuM7g1vpo6ws7F+89TG0j5DCCRZfoZgIoX/jC+Up1bO/cQEM8vbtN5DBXbM/fGccz/PaIU+FnDwN1pCtQkzmF7yvQlPeTsKLNRPWe+HbkFdFgx01MKs9suqkR0K+kN25zEqFkboK0/TnaNbCV7dOLkfXXNiphNvoywIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.448416512e+09
-
unknown2
AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown3
1.610612736e+09
-
uri
/OWA/
-
user_agent
Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.1) Gecko/20061208 Firefox/2.0.0 Opera 9.50
-
watermark
100000000
Targets
-
-
Target
43780b5d07144e9fd0f547333148f002.exe
-
Size
16KB
-
MD5
43780b5d07144e9fd0f547333148f002
-
SHA1
c4a1e189c6707d4af8e5652a58e2d1d92c073ecc
-
SHA256
dc460f03652eb64c6aeb07a3684780dda19d55dc7e80cc470b61eb2d22b4772c
-
SHA512
a2fcf87c69c0e1d96b3f86e29c89187edc4eafb6aef19592fb4dc1d4cb5be831c13d80509a5bcf6ae48075eb6f16ce9486e5b16d7ac71d479b407862e4489149
-
SSDEEP
384:qktbUK2aFt/faevMcvojAC+DLbs6Od50mzhEIp8:J1/fFMcv2+nbodCR
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Blocklisted process makes network request
-
Suspicious use of SetThreadContext
-