Score | Range | Whitelisted | Confidence |
---|---|---|---|
80 | 0 - 100 | false | 100% |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Cobalt Strike, CobaltStrike | Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers the attacker a wealth of functionality, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, reflectively loads itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable. | | | |
AV Detection |
---|
Malware Configuration Extractor |
Virustotal |
Static PE information |
Code function |
Networking |
---|
URLs |
UDP traffic detected without corresponding DNS query |
String found in binary or memory |
DNS traffic detected |
Code function |
System Summary |
---|
Matched rule |
Code function |
Virustotal |
Static PE information |
Key opened |
Classification label |
Malware Analysis System Evasion |
---|
Code function |
Thread sleep time |
Evasive API call chain |
API coverage |
API call chain |
Binary or memory string |
Key value queried |
Remote Access Functionality |
---|
File source |
Code function |
Name | IP | Active |
---|---|---|
ridoj4.645b0efa.dns.investmentrealtyhp.net | 140.82.26.90 | true |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
 | true | | unknown |