General
-
Target
e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274
-
Size
1.4MB
-
Sample
240524-dfh16aag2x
-
MD5
5fa12e1523d8a684f524d1a41c06a7a7
-
SHA1
277d2b8405df0ac7700f0e835e10c1bd1fcf98ee
-
SHA256
e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274
-
SHA512
0017313f16254a566d17e7b306df3f3b70cd23b868dc8501d02e3f084fe204f9ca20189a6e8470391f2b8baf5a89f26d2d97d0799664dbc93f425916c49d0033
-
SSDEEP
24576:Mcrm44B9NlSN7s+GK5aOQ5I2FfPqVFXp+5HvsMu7X9OrIAKQa8HjJrx91YMZHVSv:HrmnbNUN79naf5RfEp+5HvUhOy34JF9R
Static task
static1
Behavioral task
behavioral1
Sample
e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
cobaltstrike
305419896
http://49.235.206.130:443/FC001/JOHN
-
access_type
512
-
host
49.235.206.130,/FC001/JOHN
-
http_header1
AAAAEAAAABhIb3N0OiBmdWNrdW1hbi5nb29nbGUuY24AAAAKAAAAFkNvbm5lY3Rpb246IEtlZWwtQWxpdmUAAAAHAAAAAAAAAAsAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAAEAAAABdIb3N0OiBmdWNrdW1hbi5nb29sZS5jbgAAAAoAAAAWQ29ubmVjdGlvbjogS2VlbC1BbGl2ZQAAAAcAAAAAAAAACwAAAAwAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
jitter
5120
-
maxdns
255
-
polling_time
1000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tPKs8MV4yIjJb5CtlrbKHjzP1oD/1AQsj6EKlEMFIKtakLx5+VybrMYE+dDdkDteHmVX0AeFyw001FyQVlt1B+OSNPRscKI5sh1L/ZdwnrMy6S6nNbQ5N5hls6k2kgNO5nQ7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.481970944e+09
-
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/FC002/JOHN-
-
user_agent
Microsoft Internet Explorer
-
watermark
305419896
Targets
-
-
Target
e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274
-
Size
1.4MB
-
MD5
5fa12e1523d8a684f524d1a41c06a7a7
-
SHA1
277d2b8405df0ac7700f0e835e10c1bd1fcf98ee
-
SHA256
e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274
-
SHA512
0017313f16254a566d17e7b306df3f3b70cd23b868dc8501d02e3f084fe204f9ca20189a6e8470391f2b8baf5a89f26d2d97d0799664dbc93f425916c49d0033
-
SSDEEP
24576:Mcrm44B9NlSN7s+GK5aOQ5I2FfPqVFXp+5HvsMu7X9OrIAKQa8HjJrx91YMZHVSv:HrmnbNUN79naf5RfEp+5HvUhOy34JF9R
Score10/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-