cobaltstrike | a185092d5e7b034583ad09ad4e0487d1c1b98be6bd62675435b05cf319e1e91e | Triage

Submit
Reports

Overview

overview

Static

static

1

PowerISO8-x64.exe

windows7-x64

8

PowerISO8-x64.exe

windows10-2004-x64

Sharing

General

Target

PowerISO8-x64.exe
Size

4.5MB
Sample

230731-sy2csaaa9v
MD5

95bf82bd5494bc133551400bebce98ff
SHA1

1b67264fd20689dfbe709ec9c38c39ef2a4592ab
SHA256

a185092d5e7b034583ad09ad4e0487d1c1b98be6bd62675435b05cf319e1e91e
SHA512

43344e37553f9a7aceb007b92589e70224298c82541399323b3b1c09bd33f1039fa703bbc1c05ad5e0b227274f7ec7abc826e875759ffb37322b2dcfc8448c77
SSDEEP

98304:M4U3zP091M3II17zlcXHqNxKPSepsYk5qGHsEBkSFBsb2Pw6Ie:M4gMM3IxXmsfk5qSsEVsSPw6X

Score

10^/10

cobaltstrike backdoor coreentity persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

PowerISO8-x64.exe

Resource

win7-20230712-en

windows7-x64

7 signatures

300 seconds

Behavioral task

behavioral2

Sample

PowerISO8-x64.exe

Resource

win10v2004-20230703-en

cobaltstrike backdoor coreentity persistence spyware stealer trojan

windows10-2004-x64

23 signatures

300 seconds

Malware Config

Targets

- Target
  
  PowerISO8-x64.exe
- Size
  
  4.5MB
- MD5
  
  95bf82bd5494bc133551400bebce98ff
- SHA1
  
  1b67264fd20689dfbe709ec9c38c39ef2a4592ab
- SHA256
  
  a185092d5e7b034583ad09ad4e0487d1c1b98be6bd62675435b05cf319e1e91e
- SHA512
  
  43344e37553f9a7aceb007b92589e70224298c82541399323b3b1c09bd33f1039fa703bbc1c05ad5e0b227274f7ec7abc826e875759ffb37322b2dcfc8448c77
- SSDEEP
  
  98304:M4U3zP091M3II17zlcXHqNxKPSepsYk5qGHsEBkSFBsb2Pw6Ie:M4gMM3IxXmsfk5qSsEVsSPw6X
Score

10^/10

cobaltstrike backdoor coreentity persistence spyware stealer trojan
- Cobalt Strike reflective loader
  Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Drops file in Drivers directory
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

cobaltstrikebackdoorcoreentitypersistencespywarestealertrojan

© 2018-2024

Terms | Privacy