General

  • Target

    85f1d0f85e5f69b689c6a65d7f84a0f383b0d6fdae26da45261a097c25642afd

  • Size

    873KB

  • Sample

    240802-xkpjaawbml

  • MD5

    1b19d7798601f50954b66dff0b0ad2b7

  • SHA1

    e206cb047c3933481775df187aba460ceeda615b

  • SHA256

    85f1d0f85e5f69b689c6a65d7f84a0f383b0d6fdae26da45261a097c25642afd

  • SHA512

    dd09c5df1f634016227c95c1f1083477b69b8eb553ce9c782690303e7934aa4fef6526a28bc94a169fc4c8cdfd41e6cad6b756ea207a1d12e53fcd8619a2eefc

  • SSDEEP

    12288:+GHCnaomAEg3uPdkgQT+O9xWWBHVYGjggQTivWA2oUiF7X+z8XtNkwCaYkBluxcY:+GHCm8uPdJU59gtwgJ4HhayKchWF2jS

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://192.168.0.101:80/g.pixel

Attributes
  • access_type

    512

  • host

    192.168.0.101,/g.pixel

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    80

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCEtTBpLeyE18Y56vdbepi+Pdk+1tDrdE8JzHK8k5YIzJ5/ov646BMbQ91LaoohZDk9UBHuklE24FxIBiwXmRMwcU3sFZ/i7GOodebv6DQdcYlWrJlsszieS6S+2RjpKhGOZqBDGOD7mFMkV8/ypfMrdqBhNLvdkulX3L4fPntEoQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0

  • watermark

    100000000

Extracted

Family

cobaltstrike

Botnet

0

Attributes
  • watermark

    0

Targets

    • Target

      85f1d0f85e5f69b689c6a65d7f84a0f383b0d6fdae26da45261a097c25642afd

    • Size

      873KB

    • MD5

      1b19d7798601f50954b66dff0b0ad2b7

    • SHA1

      e206cb047c3933481775df187aba460ceeda615b

    • SHA256

      85f1d0f85e5f69b689c6a65d7f84a0f383b0d6fdae26da45261a097c25642afd

    • SHA512

      dd09c5df1f634016227c95c1f1083477b69b8eb553ce9c782690303e7934aa4fef6526a28bc94a169fc4c8cdfd41e6cad6b756ea207a1d12e53fcd8619a2eefc

    • SSDEEP

      12288:+GHCnaomAEg3uPdkgQT+O9xWWBHVYGjggQTivWA2oUiF7X+z8XtNkwCaYkBluxcY:+GHCm8uPdJU59gtwgJ4HhayKchWF2jS

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks