General
Target: 2024-06-09_2b1cd3e00b5ba3df3b0328aeb5876ea5_cobalt-strike_cobaltstrike_ryuk
Size: 1.9MB
Sample: 240609-lg7d5she29
MD5: 2b1cd3e00b5ba3df3b0328aeb5876ea5
SHA1: d736463ea5745e158c34e073145a4815075a6fb2
SHA256: 72a0d983693ffa95d76976efc9dc329450899f09cbbfc610b3d29e0fbdc620ba
SHA512: 1a4cfff08b1355da5571a58ab5c13ce7b558febac56b596575d7e00623619df066d98c536be81173b460ffce683ca197bf14b063050ae6d00ac70542fb120b68
SSDEEP: 24576:CNAqOAHzeEevemDMUnr1UE2XCCWiFNJRjlI1kmt22+GPjRREw/TQy0z/9we:zDASDMURCfjlI1aK
Behavioral task: behavioral1
Sample: 2024-06-09_2b1cd3e00b5ba3df3b0328aeb5876ea5_cobalt-strike_cobaltstrike_ryuk.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2024-06-09_2b1cd3e00b5ba3df3b0328aeb5876ea5_cobalt-strike_cobaltstrike_ryuk.exe
Resource: win10v2004-20240226-en
Malware Config
Extracted
cobaltstrike
100000000
http://oss-ap-northeast-1.aliyunesc.com:443/logstores/web/track
access_type: 512
beacon_type: 2048
host: oss-ap-northeast-1.aliyunesc.com,/logstores/web/track
http_header1:
http_header2: AAAACgAAABhDb250ZW50LVR5cGU6IHRleHQvcGxhaW4AAAAQAAAAJkhvc3Q6IG9zcy1hcC1ub3J0aGVhc3QtMS5hbGl5dW5lc2MuY29tAAAACgAAAE1BdXRob3JpemF0aW9uOiBTVFMuTlRvYkZ1WVluNkVCeEFWaEMxOHRhVW94Y2lzOmdTMDlrOGE4ZkR3d2dSMGV5OUllQ0Z1TmZyeHBTQQAAAAoAAAAtQ29udGVudC1NRDU6IDg2RTRDRDExRkYxMjBDNDFDQzBDMjZCM0Q1MTlBQzYyAAAABwAAAAAAAAAPAAAADQAAAAUAAAAOWC1BQ0NFU1MtVE9LRU4AAAAHAAAAAQAAAA8AAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1: GET
http_method2: POST
jitter: 9472
polling_time: 35000
port_number: 443
sc_process32: %windir%\syswow64\svchost.exe -k netsvcs
sc_process64: %windir%\sysnative\svchost.exe -k netsvcs
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCWAGo2mSS56xc1gxUYOjN+RphQu6wlY6A7G2GZ41QgxVEKKlE2obIvYnsqQd20lzowy1uxNHNB+UTQkd50Bx/3YyF6u7OGUvH0u2OpARSsyKflRNl66Yu+JD/dRm1iHvwhRBI9dtEqY+XhBJtoS3cPbOn9mYcSNdxwqXMyMZCsIwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 1.532302592e+09
unknown2: AAAABAAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /logstores/server/trackers.log
user_agent: HTTPie/3.1.6
watermark: 100000000
Targets
Target: 2024-06-09_2b1cd3e00b5ba3df3b0328aeb5876ea5_cobalt-strike_cobaltstrike_ryuk
Size: 1.9MB
MD5: 2b1cd3e00b5ba3df3b0328aeb5876ea5
SHA1: d736463ea5745e158c34e073145a4815075a6fb2
SHA256: 72a0d983693ffa95d76976efc9dc329450899f09cbbfc610b3d29e0fbdc620ba
SHA512: 1a4cfff08b1355da5571a58ab5c13ce7b558febac56b596575d7e00623619df066d98c536be81173b460ffce683ca197bf14b063050ae6d00ac70542fb120b68
SSDEEP: 24576:CNAqOAHzeEevemDMUnr1UE2XCCWiFNJRjlI1kmt22+GPjRREw/TQy0z/9we:zDASDMURCfjlI1aK
Score: 10/10
Detects Reflective DLL injection artifacts