Report Overview

  1. Submitted URL

    43.132.210.16:8090/member/checkpwd.bin

  2. IP

    43.132.210.16

    ASN

    #132203 Tencent Building, Kejizhongyi Avenue

  3. Submitted

    2024-04-26 05:13:11

    Access

    public

  4. Website Title

    about:privatebrowsing

  5. Final URL

    about:privatebrowsing

  6. Tags

  7. urlquery detections

    Malware - Cobalt Strike

Detections

  1. urlquery

    2

  2. Network Intrusion Detection

    0

  3. Threat Detection Systems

    55

Domain Summary

Domain / FQDN          Rank     Registered  First Seen  Last Seen
43.132.210.16:8090     unknown  unknown     No data     No data

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules
Severity  Indicator                               Alert
medium    43.132.210.16:8090/member/checkpwd.bin  Detects Meterpreter Beacon - file K5om.dll
medium    43.132.210.16:8090/member/checkpwd.bin  Identifies strings used in Cobalt Strike Beacon DLL
medium    43.132.210.16:8090/member/checkpwd.bin  The CobaltStrike malware family.
medium    43.132.210.16:8090/member/checkpwd.bin  Detects CobaltStrike C2 encoded profile configuration
medium    43.132.210.16:8090/member/checkpwd.bin  Detects CobaltStrike MZ header ReflectiveLoader launcher
medium    43.132.210.16:8090/member/checkpwd.bin  Detects unmodified CobaltStrike beacon DLL
medium    43.132.210.16:8090/member/checkpwd.bin  Detects Cobalt Strike sample from Leviathan report
medium    43.132.210.16:8090/member/checkpwd.bin  Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
medium    43.132.210.16:8090/member/checkpwd.bin  Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated
medium    43.132.210.16:8090/member/checkpwd.bin  Detects CobaltStrike payloads
medium    43.132.210.16:8090/member/checkpwd.bin  Cobalt Strike's sleeve/BeaconLoader.x64.o (Base) Versions 4.3 through at least 4.6
medium    43.132.210.16:8090/member/checkpwd.bin  Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
medium    43.132.210.16:8090/member/checkpwd.bin  VT Research QA uploaded malware - file vqgk.dll
medium    43.132.210.16:8090/member/checkpwd.bin  Detects Meterpreter in-memory
medium    43.132.210.16:8090/member/checkpwd.bin  Detects PowerShell invocation with suspicious parameters
medium    43.132.210.16:8090/member/checkpwd.bin  Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
medium    43.132.210.16:8090/member/checkpwd.bin  Rule to detect CobaltStrike beacon
medium    43.132.210.16:8090/member/checkpwd.bin  meth_stackstrings
medium    43.132.210.16:8090/member/checkpwd.bin  Cobalt Strike Beacon Payload
medium    43.132.210.16:8090/member/checkpwd.bin  Windows.Trojan.CobaltStrike
medium    43.132.210.16:8090/member/checkpwd.bin  Windows.Trojan.CobaltStrike
medium    43.132.210.16:8090/member/checkpwd.bin  Windows.Trojan.CobaltStrike
medium    43.132.210.16:8090/member/checkpwd.bin  Windows.Trojan.CobaltStrike
medium    43.132.210.16:8090/member/checkpwd.bin  Windows.Trojan.CobaltStrike
medium    43.132.210.16:8090/member/checkpwd.bin  Cobalt Strike's sleeve/BeaconLoader.x64.o (Base) Versions 4.3 through at least 4.6
medium    43.132.210.16:8090/member/checkpwd.bin  Detects win.cobalt_strike.

OpenPhish

No alerts detected


PhishTank

No alerts detected


mnemonic secure dns

No alerts detected


Quad9 DNS
Severity  Indicator      Alert
medium    43.132.210.16  Sinkholed

ThreatFox

No alerts detected


Files detected

  1. URL

    43.132.210.16:8090/member/checkpwd.bin

  2. IP

    43.132.210.16

  3. ASN

    #132203 Tencent Building, Kejizhongyi Avenue

  1. File type

    PE32+ executable (DLL) (GUI) x86-64, for MS Windows, 5 sections

    Size

    307 kB (307200 bytes)

  2. Hash

    76c45d30c8ef9b62951cfbc04bbf8395

    450c82be718b6060c63dade2ffc823c9858ae40e

    Detections

    Analyzer                            Verdict    Alert
    Public Nextron YARA rules           malware    Detects Meterpreter Beacon - file K5om.dll
    Public Nextron YARA rules           malware    Identifies strings used in Cobalt Strike Beacon DLL
    Public Nextron YARA rules           malware    The CobaltStrike malware family.
    Public Nextron YARA rules           malware    Detects CobaltStrike C2 encoded profile configuration
    Public Nextron YARA rules           malware    Detects CobaltStrike MZ header ReflectiveLoader launcher
    Public Nextron YARA rules           malware    Detects unmodified CobaltStrike beacon DLL
    Public Nextron YARA rules           malware    Detects Cobalt Strike sample from Leviathan report
    Public Nextron YARA rules           malware    Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
    Public Nextron YARA rules           malware    Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated
    Public Nextron YARA rules           malware    Detects CobaltStrike payloads
    Public Nextron YARA rules           malware    Cobalt Strike's sleeve/BeaconLoader.x64.o (Base) Versions 4.3 through at least 4.6
    Public Nextron YARA rules           malware    Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
    Public Nextron YARA rules           malware    VT Research QA uploaded malware - file vqgk.dll
    Public Nextron YARA rules           malware    Detects Meterpreter in-memory
    Public Nextron YARA rules           malware    Detects PowerShell invocation with suspicious parameters
    Public Nextron YARA rules           malware    Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
    Trellix Threat Research YARA rules  malware    Rule to detect CobaltStrike beacon
    YARAhub by abuse.ch                 malware    meth_stackstrings
    CAPEv2 YARA detection rules         malware    Cobalt Strike Beacon Payload
    Elastic Security YARA Rules         malware    Windows.Trojan.CobaltStrike
    Elastic Security YARA Rules         malware    Windows.Trojan.CobaltStrike
    Elastic Security YARA Rules         malware    Windows.Trojan.CobaltStrike
    Elastic Security YARA Rules         malware    Windows.Trojan.CobaltStrike
    Elastic Security YARA Rules         malware    Windows.Trojan.CobaltStrike
    Google GCTI YARA rules              malware    Cobalt Strike's sleeve/BeaconLoader.x64.o (Base) Versions 4.3 through at least 4.6
    Malpedia's yara-signator rules      malware    Detects win.cobalt_strike.
    VirusTotal                          malicious

JavaScript (0)

HTTP Transactions (1)

URL                                     IP             Response  Size
43.132.210.16:8090/member/checkpwd.bin  43.132.210.16  200       307 kB