cobaltstrike

General

Target

a350cd18e1b18c350088512a4baeaeb0ce8ae7e2bfae80636c61c5ba17103b04.zip
Size

1.2MB
Sample

240905-kcchjawenq
MD5

f47b251ce5157bea0a5eafc7c03e6796
SHA1

3f7dfbbbb5b8c493dd75ea861a8887df4381c8da
SHA256

9a90556d225677efefbdbcca5def7de8ab0fa06b7573deca6e5f3e14510b9fb7
SHA512

1f14fb121890fb6cbe74ea554fe305419faeea9d22f68038b128d87cb36d9a984be3c10d4e166c74efc9f95fc2c346f14c6b5f9bb1d96b3c45b8c3dfd8cc985b
SSDEEP

24576:ZJ4CW2bgSxtQt1i320UOa6GMYrhWRewqY/lEdHKDf1Fs3HdUUplqf:8CW2bgSxtQt13mYrhEy6qF2i3Of

Score

10^/10

Malware Config

Targets

- Target
  
  do-it-again-1.6-installer_v-hiQS1.exe
- Size
  
  1.7MB
- MD5
  
  41ae06d18ed5af6e6a0a4568b6bb7cc4
- SHA1
  
  b5d5e7e8a951e96e88215ca140c04b892e2d53de
- SHA256
  
  a350cd18e1b18c350088512a4baeaeb0ce8ae7e2bfae80636c61c5ba17103b04
- SHA512
  
  81228bac5babd3c602804bea5e1c1f9c4d97ddb7896aec6bcea14ef8cd34b83c5ddcc63a6c3a257698910663e2dfd85355a461ea5d02ceefaa2e25cead16c166
- SSDEEP
  
  24576:Y7FUDowAyrTVE3U5Fmi05np8tydyPaJPfrT90eKc4cgFLNPfs8duMpmsDGB:YBuZrEUOp8odywPH9RHgFLRdp/M
Score

10^/10

bootkit defense_evasion discovery persistence spyware stealer cobaltstrike backdoor evasion privilege_escalation trojan
- Cobalt Strike reflective loader
  Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Drops file in Drivers directory
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies powershell logging option
  evasion
- System Binary Proxy Execution: Verclsid
  Adversaries may abuse Verclsid to proxy execution of malicious code.
  defense_evasion
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral1 behavioral2