Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 47.120.39.182 |
Source: WCcNzb83Y3.exe, 00000000.00000002.3933968079.00000000030B0000.00000040.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://127.0.0.1:%u/ |
Source: WCcNzb83Y3.exe, 00000000.00000003.2113339804.0000000002B0F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/( |
Source: WCcNzb83Y3.exe, 00000000.00000003.2113339804.0000000002B0F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/S |
Source: WCcNzb83Y3.exe, 00000000.00000002.3932845354.000000000057E000.00000004.00000020.00020000.00000000.sdmp, WCcNzb83Y3.exe, 00000000.00000003.2691186059.0000000000565000.00000004.00000020.00020000.00000000.sdmp, WCcNzb83Y3.exe, 00000000.00000002.3932845354.0000000000565000.00000004.00000020.00020000.00000000.sdmp, WCcNzb83Y3.exe, 00000000.00000003.2691084818.000000000057E000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: WCcNzb83Y3.exe, 00000000.00000003.2777326280.00000000005AA000.00000004.00000020.00020000.00000000.sdmp, WCcNzb83Y3.exe, 00000000.00000002.3932845354.00000000005AA000.00000004.00000020.00020000.00000000.sdmp, WCcNzb83Y3.exe, 00000000.00000003.2777187521.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, WCcNzb83Y3.exe, 00000000.00000003.2691084818.000000000057E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab2 |
Source: WCcNzb83Y3.exe, 00000000.00000003.2113339804.0000000002B0F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ff3af2acb9340 |
Source: WCcNzb83Y3.exe, 00000000.00000003.2691186059.0000000000565000.00000004.00000020.00020000.00000000.sdmp, WCcNzb83Y3.exe, 00000000.00000002.3932845354.0000000000565000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabL |
Source: WCcNzb83Y3.exe, 00000000.00000003.2691186059.0000000000544000.00000004.00000020.00020000.00000000.sdmp, WCcNzb83Y3.exe, 00000000.00000002.3932845354.0000000000544000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en1 |
Source: WCcNzb83Y3.exe, 00000000.00000003.2113339804.0000000002B0F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/t |
Source: WCcNzb83Y3.exe, 00000000.00000003.2691186059.0000000000565000.00000004.00000020.00020000.00000000.sdmp, WCcNzb83Y3.exe, 00000000.00000002.3932845354.0000000000565000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://47.120.39.182/ |
Source: WCcNzb83Y3.exe, 00000000.00000002.3932845354.00000000004FE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://47.120.39.182/# |
Source: WCcNzb83Y3.exe, 00000000.00000003.2691186059.0000000000544000.00000004.00000020.00020000.00000000.sdmp, WCcNzb83Y3.exe, 00000000.00000002.3932845354.0000000000544000.00000004.00000020.00020000.00000000.sdmp, WCcNzb83Y3.exe, 00000000.00000002.3932845354.00000000004FE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://47.120.39.182:63306/Gs3p |
Source: WCcNzb83Y3.exe, 00000000.00000003.2691186059.0000000000544000.00000004.00000020.00020000.00000000.sdmp, WCcNzb83Y3.exe, 00000000.00000002.3932845354.0000000000544000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://47.120.39.182:63306/Gs3p% |
Source: WCcNzb83Y3.exe, 00000000.00000002.3932845354.00000000004FE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://47.120.39.182:63306/Gs3pM |
Source: WCcNzb83Y3.exe, 00000000.00000002.3932845354.000000000057E000.00000004.00000020.00020000.00000000.sdmp, WCcNzb83Y3.exe, 00000000.00000002.3933344802.0000000002B7A000.00000004.00000020.00020000.00000000.sdmp, WCcNzb83Y3.exe, 00000000.00000003.2690497093.0000000002B01000.00000004.00000020.00020000.00000000.sdmp, WCcNzb83Y3.exe, 00000000.00000003.2777168019.0000000002B7A000.00000004.00000020.00020000.00000000.sdmp, WCcNzb83Y3.exe, 00000000.00000003.2690620417.0000000002B7A000.00000004.00000020.00020000.00000000.sdmp, WCcNzb83Y3.exe, 00000000.00000002.3933344802.0000000002B01000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://47.120.39.182:63306/cx |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: Rule for beacon reflective loader Author: unknown |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Cobalt Strike loader Author: @VK_Intel |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: CobaltStrike payload Author: ditekSHen |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Rule for beacon reflective loader Author: unknown |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Cobalt Strike loader Author: @VK_Intel |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: CobaltStrike payload Author: ditekSHen |
Source: 00000000.00000002.3932728110.000000000014A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown |
Source: 00000000.00000002.3932728110.000000000014A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown |
Source: 00000000.00000002.3933717673.0000000002BF0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Rule for beacon sleep obfuscation routine Author: unknown |
Source: 00000000.00000002.3932770819.00000000001B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown |
Source: 00000000.00000002.3932770819.00000000001B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown |
Source: 00000000.00000002.3933486788.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown |
Source: 00000000.00000002.3933486788.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown |
Source: 00000000.00000002.3933486788.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Rule for beacon reflective loader Author: unknown |
Source: 00000000.00000002.3933486788.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth |
Source: 00000000.00000002.3933486788.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net |
Source: 00000000.00000002.3933486788.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth |
Source: 00000000.00000002.3933486788.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Cobalt Strike loader Author: @VK_Intel |
Source: 00000000.00000002.3933486788.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth |
Source: 00000000.00000002.3933486788.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike payload Author: ditekSHen |
Source: 00000000.00000002.3933968079.00000000030B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown |
Source: 00000000.00000002.3933968079.00000000030B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown |
Source: 00000000.00000002.3933968079.00000000030B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Rule for beacon sleep obfuscation routine Author: unknown |
Source: 00000000.00000002.3933968079.00000000030B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Rule for beacon reflective loader Author: unknown |
Source: 00000000.00000002.3933968079.00000000030B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net |
Source: 00000000.00000002.3933968079.00000000030B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth |
Source: 00000000.00000002.3933968079.00000000030B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Trojan_Raw_Generic_4 Author: unknown |
Source: Process Memory Space: WCcNzb83Y3.exe PID: 5896, type: MEMORYSTR |
Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown |
Source: Process Memory Space: WCcNzb83Y3.exe PID: 5896, type: MEMORYSTR |
Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net |
Source: Process Memory Space: WCcNzb83Y3.exe PID: 5896, type: MEMORYSTR |
Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23 |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17 |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753 |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23 |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17 |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753 |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.WCcNzb83Y3.exe.2b90000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload |
Source: 00000000.00000002.3932728110.000000000014A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23 |
Source: 00000000.00000002.3932728110.000000000014A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23 |
Source: 00000000.00000002.3933717673.0000000002BF0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13 |
Source: 00000000.00000002.3932770819.00000000001B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23 |
Source: 00000000.00000002.3932770819.00000000001B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23 |
Source: 00000000.00000002.3933486788.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23 |
Source: 00000000.00000002.3933486788.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17 |
Source: 00000000.00000002.3933486788.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: 00000000.00000002.3933486788.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 00000000.00000002.3933486788.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL |
Source: 00000000.00000002.3933486788.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 00000000.00000002.3933486788.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753 |
Source: 00000000.00000002.3933486788.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 00000000.00000002.3933486788.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload |
Source: 00000000.00000002.3933968079.00000000030B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23 |
Source: 00000000.00000002.3933968079.00000000030B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17 |
Source: 00000000.00000002.3933968079.00000000030B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13 |
Source: 00000000.00000002.3933968079.00000000030B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: 00000000.00000002.3933968079.00000000030B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL |
Source: 00000000.00000002.3933968079.00000000030B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 00000000.00000002.3933968079.00000000030B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d |
Source: Process Memory Space: WCcNzb83Y3.exe PID: 5896, type: MEMORYSTR |
Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23 |
Source: Process Memory Space: WCcNzb83Y3.exe PID: 5896, type: MEMORYSTR |
Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL |
Source: Process Memory Space: WCcNzb83Y3.exe PID: 5896, type: MEMORYSTR |
Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: schannel.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: mskeyprotect.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: ntasn1.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: dpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: gpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: cryptnet.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: dhcpcsvc6.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: dhcpcsvc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: webio.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: cabinet.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: ncrypt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WCcNzb83Y3.exe |
Section loaded: ncryptsslp.dll |
Jump to behavior |