General

  • Target

    fa54e7eaa471c48da5e8d87cf8cd1af50fb2ff6b216c9c2121efa8aecf7f6015.zip

  • Size

    130KB

  • Sample

    241014-v8p4ls1epl

  • MD5

    cbd26c6e9b5c043e210ce099306bc1bb

  • SHA1

    c97b574865fbd17f0697505490fdd7d9f0634a3a

  • SHA256

    790d6e594f9f143c09a6f52944b196b996cce8217155fe0b2cb355de941317e2

  • SHA512

    03e69dfe0a883ccc7624c48522ffe7f17dfc1daf278e7b43e06b8b1c5c079df6f4a38989b9fd9737b03d3022f932c133ec283ee748260f67c0c7ff0c148f3d08

  • SSDEEP

    3072:a1gsJ4HHpF8DZuC+pvUlwJ+3GPwoRqWWk6+LSrqE:qLG5CcvUGK83RxzLSuE

Malware Config

Extracted

Family

cobaltstrike

Botnet

391144938

C2

http://101.34.205.237:3456/match

Attributes
  • access_type

    512

  • host

    101.34.205.237,/match

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    3456

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCBCdAcGgbmSD8OnY3CXoARWSARv9sdG/r4LvD9JUAmq3RmxdqlXbXPK0DA6j/wrGbB2pnQbZI4BsVEvC8//qXWMSxAiI7IushvndQeJG0a2T1dBidxsoef7wzmj8Gw7lu42PaYOaRQijFCxHLHNUrwpUpweDCjRjQQnyRofQ3A0QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)

  • watermark

    391144938

Extracted

Family

cobaltstrike

Botnet

0

Attributes
  • watermark

    0

Targets

    • Target

      fa54e7eaa471c48da5e8d87cf8cd1af50fb2ff6b216c9c2121efa8aecf7f6015

    • Size

      272KB

    • MD5

      91a3c680cdebe582b363e01bacf7b26a

    • SHA1

      424180860b5547638bfa007adf6c85c4fe45ff71

    • SHA256

      fa54e7eaa471c48da5e8d87cf8cd1af50fb2ff6b216c9c2121efa8aecf7f6015

    • SHA512

      b9d132108be3ca63041a46d6dc96daec2f5557711abcc9b58283206d5415a9232a7883f9af876befd2e64cfb317d8f7c870be6d756018e98336c4093fd1cbbf8

    • SSDEEP

      3072:rzbINhWl+CIbfqqEVxtfg8jtfDCJS4l9JTFyG+JteEzCnL7zfGIkfhUYJF6vzHkN:rzbUWootfDCvT4ZTXzCLmIk5UDSrKM

MITRE ATT&CK Matrix

Tasks