General
-
Target
cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8
-
Size
1.5MB
-
Sample
240520-rmg94aec4t
-
MD5
6af1015805cee45d24566eee7431103c
-
SHA1
e4b02689e876cf59a0b93fa9b32d410fd89b4cea
-
SHA256
cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8
-
SHA512
fa6555e53a9ba85747d3926de2fdc7e132635597c75b4e7f7004917eb6ff7cfa50d4c0c71a978582153584c0615bdfefbcaef151a83abce2a0470baec94411a7
-
SSDEEP
24576:I062cSEk8zN/E/F7KcdIw+80zIGwTxgLUX6JyzARFErCX1maX5Vwn9+P7k9:r6PaFF7KcdIw+8UPyaLUXe/bI9
Malware Config
Extracted
cobaltstrike
391144938
http://update.office365update.cn:443/mall_100_100.html
-
access_type
512
-
beacon_type
2048
-
host
update.office365update.cn,/mall_100_100.html
-
http_header1
AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAj0FjY2VwdDogdGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksaW1hZ2UvYXZpZixpbWFnZS93ZWJwLGltYWdlL2FwbmcsKi8qO3E9MC44LGFwcGxpY2F0aW9uL3NpZ25lZC1leGNoYW5nZTt2PWIzO3E9MC45AAAACgAAABxVcGdyYWRlLUluc2VjdXJlLVJlcXVlc3RzOiAxAAAACgAAABpSZWZlcmVyOiBodHRwczovLzEwMDg2LmNuLwAAAAcAAAAAAAAADQAAAAIAAAAFQU5JRD0AAAACAAAAGV9fU2VjdXJlLTNQQVBJU0lEPW5vc2tpbjsAAAABAAAAIztDT05TRU5UPVlFUytDTi56aC1DTisyMDIxMDkxNy0wOS0wAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAD5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZDsgY2hhcnNldD1VVEYtOAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAMFJlZmVyZXI6IGh0dHBzOi8vc2hvcC4xMDA4Ni5jbi9tYWxsXzEwMF8xMDAuaHRtbAAAAAcAAAAAAAAADQAAAAUAAAAIX19mb3JtaWQAAAAJAAAAFHNyY2hmcm9tPW5SS2p4elpSUnh4AAAACQAAABJmaWVsZG5hbWU9Q3pMdUV4S2wAAAAJAAAAFHNlYXJjaHNvcnRpZD1NYnpTRW5CAAAABwAAAAEAAAANAAAAAgAAACphaWRfPTUyMjAwNTcwNSZhY2N2ZXI9MSZzaG93dHlwZT1lbWJlZCZ1YT0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
30000
-
port_number
443
-
sc_process32
%windir%\syswow64\runonce.exe
-
sc_process64
%windir%\sysnative\runonce.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwG1R55+sOREfylofqBeaqAvF24HTL2Zygd7+BdNUEql/sCXhTpUVcXJUaxSDZvZkozlmta5SxWWMUKiGlzWeXO41sFUL5wo3LGr8BTn+YEdQ3AW8e42ZTNsqAXbAxRUQNhAyYakslZs9N8LMr1S7sqkNnghIJIxh/+o3ZHQ0kHwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
3.03243264e+08
-
unknown2
AAAABAAAAAEAAAglAAAAAgAACCUAAAACAAACyAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/ajax/recharge/recharge.json
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
-
watermark
391144938
Targets
-
-
Target
cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8
-
Size
1.5MB
-
MD5
6af1015805cee45d24566eee7431103c
-
SHA1
e4b02689e876cf59a0b93fa9b32d410fd89b4cea
-
SHA256
cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8
-
SHA512
fa6555e53a9ba85747d3926de2fdc7e132635597c75b4e7f7004917eb6ff7cfa50d4c0c71a978582153584c0615bdfefbcaef151a83abce2a0470baec94411a7
-
SSDEEP
24576:I062cSEk8zN/E/F7KcdIw+80zIGwTxgLUX6JyzARFErCX1maX5Vwn9+P7k9:r6PaFF7KcdIw+8UPyaLUXe/bI9
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-