cobaltstrike

General

Target

https://cdn.discordapp.com/attachments/1124481324615487602/1124811412083068999/main.txt
Sample

230922-ytabdsca97

Score

10^/10

Malware Config

Targets

- Target
  
  https://cdn.discordapp.com/attachments/1124481324615487602/1124811412083068999/main.txt
Score

10^/10

cobaltstrike backdoor bootkit discovery evasion persistence spyware stealer trojan
- Cobalt Strike reflective loader
  Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Drops file in Drivers directory
- Stops running service(s)
  evasion
- Uses Session Manager for persistence
  Creates Session Manager registry key to run executable early in system boot.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Modifies system executable filetype association
  persistence
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral1