General

  • Target

    8a2864343f6bcfaee70831502bcb0583d08f512a1d9661c9544a1b48bedc7dc4

  • Size

    1.2MB

  • Sample

    241009-flzl7sthqf

  • MD5

    14957914ed9e058fe19b9bab3deff66c

  • SHA1

    50b860c5b6c7f345f51a9df53e94fbdb8916b313

  • SHA256

    8a2864343f6bcfaee70831502bcb0583d08f512a1d9661c9544a1b48bedc7dc4

  • SHA512

    9a7826e3d614cf73574c2f0211533200b61342218f8ea71a9f704ba5bebfe085ba9e9465f7eb52bbfd666f7faf3b9d46879c10e1d5d6bddad23a32a8da1f117a

  • SSDEEP

    12288:3tryD3o1ItVEXqOjHhvLYTjqfif4/FRB/PGBjLVxsOzMz7/4+HVLy3ESVofxjKMT:3teDqeUq8jYTan/WLjwXkkKMT

Malware Config

Extracted

Family

cobaltstrike

Botnet

391144938

C2

http://8.134.222.247:8989/IE9CompatViewList.xml

Attributes
  • access_type

    512

  • host

    8.134.222.247,/IE9CompatViewList.xml

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    8989

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeUyUY/a9QjDsqDoLVpid6eGnWeKLHTyT2ZElPtkCNBIvEH+jMnCU8nDyljJr2v0pX1LzDVBkuzbWHQfAiiIiPEZCfMFN7okU4BeOo1rvbwCQ6U3vmWf12yXhxAfzgZLl6UIzBzWYaO0BnMW2PRar46KI81a9Zx1Z72AvzmsGR4wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM)

  • watermark

    391144938
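The attribute block above is raw Triage output, and several values only become useful once decoded: http_header1, http_header2 and unknown2 are Cobalt Strike malleable C2 transform programs (big-endian u32 opcodes, string arguments length-prefixed, terminated by a 0), and state_machine, despite its label, starts with the DER prefix of an RSA SubjectPublicKeyInfo (MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ encodes a 1024-bit rsaEncryption key), i.e. the beacon's public key. The script below is an added example, not Triage's own parser: it copies the base64 values verbatim from the report, decodes the transform blobs into profile-style steps, parses the public key with a minimal DER reader, and rebuilds the GET and POST URLs from host, port_number and uri. The opcode names follow the transform encoding used by public beacon-config parsers; only the opcodes that occur in this config are exercised, and the build-target labels (metadata/output for the GET client, id/output for the POST client) are this example's naming.

```python
"""Decode the Cobalt Strike beacon fields from the extracted config above.
Added example, not Triage's code; opcode names are the ones used by public
beacon-config parsers, and only opcodes present in this config are exercised."""
import base64
import struct

# Values copied verbatim from the extracted config above.
HTTP_HEADER1 = "AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
HTTP_HEADER2 = "AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
UNKNOWN2 = "AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
STATE_MACHINE = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeUyUY/a9QjDsqDoLVpid6eGnWeKLHTyT2ZElPtkCNBIvEH+jMnCU8nDyljJr2v0pX1LzDVBkuzbWHQfAiiIiPEZCfMFN7okU4BeOo1rvbwCQ6U3vmWf12yXhxAfzgZLl6UIzBzWYaO0BnMW2PRar46KI81a9Zx1Z72AvzmsGR4wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HOST = "8.134.222.247,/IE9CompatViewList.xml"   # host field: "ip,/get-uri"
PORT = 8989                                    # port_number
POST_URI = "/submit.php"                       # uri
POLLING_MS = 60000                             # polling_time (milliseconds)

# Transform opcodes, each a big-endian u32; string arguments are u32 length + bytes.
OPS = {1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
       6: "header", 7: "build", 8: "netbios", 9: "static_parameter",
       10: "static_header", 11: "netbiosu", 12: "uri_append", 13: "base64url",
       14: "strrep", 15: "mask", 16: "hostheader"}
STRING_OPS = {1, 2, 5, 6, 9, 10, 16}


def decode_blob(b64: str) -> bytes:
    """Lenient base64: the fields are zero-padded, so an odd tail can be dropped."""
    s = b64.strip().rstrip("=")
    return base64.b64decode(s[: len(s) - len(s) % 4])


def _u32(buf: bytes, pos: int) -> int:
    return struct.unpack_from(">I", buf, pos)[0]


def _string(buf: bytes, pos: int):
    n = _u32(buf, pos)
    return buf[pos + 4:pos + 4 + n].decode("latin-1"), pos + 4 + n


def decode_transforms(blob: bytes, build_targets=("metadata", "output")):
    """Walk a transform blob until the 0 terminator. `build N` names the item
    being built; the labels per block (GET: metadata/output, POST: id/output)
    are this example's naming."""
    steps, pos = [], 0
    while pos + 4 <= len(blob):
        op, pos = _u32(blob, pos), pos + 4
        if op == 0:
            break
        name = OPS.get(op, f"op_{op}")
        if op in STRING_OPS:
            arg, pos = _string(blob, pos)
            steps.append(f'{name} "{arg}"')
        elif op == 14:                      # strrep "old" "new"
            old, pos = _string(blob, pos)
            new, pos = _string(blob, pos)
            steps.append(f'strrep "{old}" "{new}"')
        elif op == 7:
            which, pos = _u32(blob, pos), pos + 4
            target = build_targets[which] if which < len(build_targets) else str(which)
            steps.append(f"build {target}")
        else:
            steps.append(name)
    return steps


def _der_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der: bytes):
    """Extract (modulus, exponent) from an RSA SubjectPublicKeyInfo (RFC 5280)."""
    tag, spki, _ = _der_tlv(der, 0)
    assert tag == 0x30, "expected outer SEQUENCE"
    _, alg, pos = _der_tlv(spki, 0)          # AlgorithmIdentifier
    _, oid, _ = _der_tlv(alg, 0)
    assert oid == bytes.fromhex("2a864886f70d010101"), "not rsaEncryption"
    tag, bitstr, _ = _der_tlv(spki, pos)
    assert tag == 0x03, "expected BIT STRING"
    _, rsapub, _ = _der_tlv(bitstr[1:], 0)   # skip the unused-bits byte
    _, n_bytes, pos = _der_tlv(rsapub, 0)
    _, e_bytes, _ = _der_tlv(rsapub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def c2_urls(host_field: str, port: int, post_uri: str):
    """Rebuild the GET and POST URLs from the host field ("ip,/uri") and port."""
    host, get_uri = host_field.split(",", 1)
    base = f"http://{host}:{port}"
    return base + get_uri, base + post_uri


def summarize() -> dict:
    n, e = parse_rsa_spki(decode_blob(STATE_MACHINE))
    get_url, post_url = c2_urls(HOST, PORT, POST_URI)
    return {
        "get": get_url, "post": post_url,
        "sleep_seconds": POLLING_MS / 1000,
        "http_get_client": decode_transforms(decode_blob(HTTP_HEADER1)),
        "http_post_client": decode_transforms(decode_blob(HTTP_HEADER2), ("id", "output")),
        "unknown2": decode_transforms(decode_blob(UNKNOWN2)),
        "rsa_bits": n.bit_length(), "rsa_exponent": e,
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Decoded, http_header1 reads build metadata / base64 / header "Cookie" and http_header2 reads static_header "Content-Type: application/octet-stream" / build id / parameter "id" / build output / print, with unknown2 reducing to a bare print. Together with the /IE9CompatViewList.xml and /submit.php URIs, the MSIE 9.0 User-Agent, the 60 s sleep and the rundll32.exe spawnto values, that is the stock Cobalt Strike profile with no customisation, which is why signatures written for the default profile fire on this beacon. The public key is a 1024-bit RSA key with exponent 65537; it is per-team-server, so it can be used alongside the watermark to cluster other samples from the same operator.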
