General
-
Target
f7c6bae3e15d9533f95b303df6f6add6296cce5ee70e5d5f873a2fa2f5a52c5d
-
Size
523KB
-
Sample
240519-wxh2labc31
-
MD5
33ea69e722ac8f54df606396209cb040
-
SHA1
f0353ec273d6bc768fda154800ea2f8ba4d42283
-
SHA256
f7c6bae3e15d9533f95b303df6f6add6296cce5ee70e5d5f873a2fa2f5a52c5d
-
SHA512
60796d69fcffa5a89ad7598fcf3a166aefc1c6ea05eb7b1a6cf6674ae1b21635b420fd7de5ea511db9b3cc0a3327c06d755d16eea49a993a069431a1689e3d80
-
SSDEEP
12288:EyTbxV79oq9ovrORanQ8xFKqm4ogFAU3jar:EyTbBo5vrORar35X3mr
Malware Config
Extracted
cobaltstrike
206546002
http://citrixworkspacers.com:8443/mobile-home.html
http://www.citrixworkspacers.com:8443/ee.html
http://secure.citrixworkspacers.com:8443/eo.html
-
access_type
512
-
beacon_type
2048
-
host
citrixworkspacers.com,/mobile-home.html,www.citrixworkspacers.com,/ee.html,secure.citrixworkspacers.com,/eo.html
-
http_header1
AAAAEAAAABtIb3N0OiBjaXRyaXh3b3Jrc3BhY2Vycy5jb20AAAAKAAAAEUNvbm5lY3Rpb246IENsb3NlAAAACgAAABJBY2NlcHQ6IGltYWdlL2pwZWcAAAAHAAAAAAAAAA8AAAADAAAAAgAAACt3b3JkcHJlc3NfNTIyMzg1NThlOTMwZjFlYzY5OWU0ZjEyYWIwMTVhNGY9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAABtIb3N0OiBjaXRyaXh3b3Jrc3BhY2Vycy5jb20AAAAKAAAAEUNvbm5lY3Rpb246IENsb3NlAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAAAAAcAAAABAAAADQAAAAMAAAACAAAABnRlcm1zPQAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
21839
-
port_number
8443
-
sc_process32
%windir%\syswow64\runonce.exe
-
sc_process64
%windir%\sysnative\runonce.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/iQCzmFBYUVJ2+eEgzD6SkTt+odT8YoXIEQjp9HtvNA/SPk9R0dDQnfYAMcxec6FedWLiljJ75UdE9zDVyae2BlItqFBS8SrQdP9+jUWOGpZILAe8mwQbwknlupdZ892UgBSxSdftg0Q5Pd5Z8BmqrLngVncgqh/d6PQX8YAGOQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
2.924877056e+09
-
unknown2
AAAABAAAAAIAAAFSAAAAAwAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/mt
-
user_agent
Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202
-
watermark
206546002
Targets
-
-
Target
f7c6bae3e15d9533f95b303df6f6add6296cce5ee70e5d5f873a2fa2f5a52c5d
-
Size
523KB
-
MD5
33ea69e722ac8f54df606396209cb040
-
SHA1
f0353ec273d6bc768fda154800ea2f8ba4d42283
-
SHA256
f7c6bae3e15d9533f95b303df6f6add6296cce5ee70e5d5f873a2fa2f5a52c5d
-
SHA512
60796d69fcffa5a89ad7598fcf3a166aefc1c6ea05eb7b1a6cf6674ae1b21635b420fd7de5ea511db9b3cc0a3327c06d755d16eea49a993a069431a1689e3d80
-
SSDEEP
12288:EyTbxV79oq9ovrORanQ8xFKqm4ogFAU3jar:EyTbBo5vrORar35X3mr
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Deletes itself
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-