cobaltstrike | 5ffe0e177b22c8e7ddb295b461dda2ce7e69a6938b99a2ac647296a4fb306164

General

Target

5ffe0e177b22c8e7ddb295b461dda2ce7e69a6938b99a2ac647296a4fb306164
Size

259KB
Sample

240909-q9gfmstgjf
MD5

62054423fd0e8f1a7ee379a21fe72ac6
SHA1

95386a0578cbf8857fc00a8739aea8e4316d15c7
SHA256

5ffe0e177b22c8e7ddb295b461dda2ce7e69a6938b99a2ac647296a4fb306164
SHA512

832d6b1d405f589d9b97808140ae9e6b7bd715a5bd9d24cc607a031e47fea882058d6e19bf68f79cac8e266fe81bdda7f2a663c81ff212da827786b5d402d773
SSDEEP

6144:fJqKG5d1IpMyibgkTZI6jHID90atBXHH/:f6d6tevoxdBX/

Score

10^/10

cobaltstrike 100000000

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://47.98.108.216:28962/cgi-bin/scanloginqrcode

Attributes

access_type
512
beacon_type
2048
host
47.98.108.216,/cgi-bin/scanloginqrcode
http_header1
AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAIFgtUmVxdWVzdGVkLVdpdGg6IFhNTEh0dHBSZXF1ZXN0AAAACgAAACJSZWZlcmVyOiBodHRwczovL21wLndlaXhpbi5xcS5jb20vAAAABwAAAAAAAAANAAAAAgAAAAVBTklEPQAAAAIAAAAZX19TZWN1cmUtM1BBUElTSUQ9bm9za2luOwAAAAEAAAAjO0NPTlNFTlQ9WUVTK0NOLnpoLUNOKzIwMjEwOTE3LTA5LTAAAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAD5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZDsgY2hhcnNldD1VVEYtOAAAAAoAAAAgT3JpZ2luOiBodHRwczovL21wLndlaXhpbi5xcS5jb20AAAAKAAAAIFgtUmVxdWVzdGVkLVdpdGg6IFhNTEh0dHBSZXF1ZXN0AAAABwAAAAAAAAANAAAABQAAAAhfX2Zvcm1pZAAAAAkAAAASYWxidW1fY292ZXI9TEhJQlR0AAAACQAAABFhcmNoaXZlaWQ9SmxjblRXSgAAAAkAAAAXdXNlcl9ub3RpY2U9VWt1ckN4SGZ4dFMAAAAHAAAAAQAAAA0AAAACAAAAKmFpZF89NTIyMDA1NzA1JmFjY3Zlcj0xJnNob3d0eXBlPWVtYmVkJnVhPQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
1536
polling_time
51000
port_number
28962
sc_process32
%windir%\syswow64\gpupdate.exe
sc_process64
%windir%\sysnative\gpupdate.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvGm6ppLc+fIWUcbnSJ3Ea1wjACgxzC5RP1jBpeNIBEvpInaUcLuATSrynhOk6RD0NZ6ZU3dsVUo9i0LAhjnGgMmg2CjioTtwNEwnaBYbNa3EgHkZtvVM4DswNUMvJVY7sl9Kfqa8pWtIeWPXvpPQlAPpPM2SSw+6NU5coMh27nQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.56028928e+09
unknown2
AAAABAAAAAEAAAAfAAAAAgAAAB8AAAACAAAAHwAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/cgi-bin/bizlogin
user_agent
Opera/8.98.(Windows CE; ko-KR) Presto/2.9.170 Version/11.00
watermark
100000000

Targets

- Target
  
  5ffe0e177b22c8e7ddb295b461dda2ce7e69a6938b99a2ac647296a4fb306164
- Size
  
  259KB
- MD5
  
  62054423fd0e8f1a7ee379a21fe72ac6
- SHA1
  
  95386a0578cbf8857fc00a8739aea8e4316d15c7
- SHA256
  
  5ffe0e177b22c8e7ddb295b461dda2ce7e69a6938b99a2ac647296a4fb306164
- SHA512
  
  832d6b1d405f589d9b97808140ae9e6b7bd715a5bd9d24cc607a031e47fea882058d6e19bf68f79cac8e266fe81bdda7f2a663c81ff212da827786b5d402d773
- SSDEEP
  
  6144:fJqKG5d1IpMyibgkTZI6jHID90atBXHH/:f6d6tevoxdBX/
Score

1^/10
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2