General

  • Target

    33988f6852a9c11377d2b0439a5a12d8d515f0d5031629b3eeceff3ea86aae64

  • Size

    5.6MB

  • Sample

    240831-qgz3aavgjm

  • MD5

    528be357068444851c5194a3a4ad04e6

  • SHA1

    d37b162402783415908a583be6fcc169411933f1

  • SHA256

    33988f6852a9c11377d2b0439a5a12d8d515f0d5031629b3eeceff3ea86aae64

  • SHA512

    5fe6cdfb3b14a897f5496c40fd3037a560bcac7338ea4174ee96f6a8bf755baaf0aa4656d8aa12648c8557a8c2b4a88cdc88e115d6d2509f0dd2bc4beae80dec

  • SSDEEP

    98304:Az0tpywzPOFSPnUXJFerrlcDN8Xe6OlcfNCPs55y1uB/HfFxH5mIi:i0tg9ynA+rlcD0e6OafNlTy1w/HfFHmZ

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://120.26.241.224:52847/__utm.gif

Attributes
  • access_type

    512

  • host

    120.26.241.224,/__utm.gif

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    52847

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCSyBVvMd4tLh9+W9CJyVRvl+G/u3JfXaJ2+oaSVpYZ9gTk8AoDgaXE54lJHbTNz3TYoJzu9+pl2qsX2G+E+xziM3hTLoaBctIrY0iZiZQmRd0a6yds4ZAs7TIOTXqPP0kjPEOI+5JTx0uwCPC9Z6zCA2XbbvAfku4FuQAttCPWBQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENGB)

  • watermark

    100000

Extracted

Family

cobaltstrike

Botnet

0

Attributes
  • watermark

    0

Targets

    • Target

      33988f6852a9c11377d2b0439a5a12d8d515f0d5031629b3eeceff3ea86aae64

    • Size

      5.6MB

    • MD5

      528be357068444851c5194a3a4ad04e6

    • SHA1

      d37b162402783415908a583be6fcc169411933f1

    • SHA256

      33988f6852a9c11377d2b0439a5a12d8d515f0d5031629b3eeceff3ea86aae64

    • SHA512

      5fe6cdfb3b14a897f5496c40fd3037a560bcac7338ea4174ee96f6a8bf755baaf0aa4656d8aa12648c8557a8c2b4a88cdc88e115d6d2509f0dd2bc4beae80dec

    • SSDEEP

      98304:Az0tpywzPOFSPnUXJFerrlcDN8Xe6OlcfNCPs55y1uB/HfFxH5mIi:i0tg9ynA+rlcD0e6OafNlTy1w/HfFHmZ

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks