Windows
Analysis Report
to.exe
Overview
General Information
Detection
CobaltStrike
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
.NET source code contains very large strings
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
to.exe (PID: 6576 cmdline:
"C:\Users\ user\Deskt op\to.exe" MD5: 6DC33BA531FCE8C8EE24585F48D14297) conhost.exe (PID: 6604 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Cobalt Strike, CobaltStrike | Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable. |
{"BeaconType": ["HTTP"], "Port": 4545, "SleepTime": 55000, "MaxGetSize": 2098751, "Jitter": 40, "C2Server": "138.68.79.95,/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6", "HttpPostUri": "/messages/IgTsSe2N7hV72H5tmL7bVrTR", "Malleable_C2_Instructions": ["Remove 1190 bytes from the end", "Remove 12 bytes from the end", "Remove 397 bytes from the beginning", "NetBIOS decode 'a'"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 96, "Spawnto_x86": "%windir%\\syswow64\\bootcfg.exe", "Spawnto_x64": "%windir%\\sysnative\\bootcfg.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 11629, "ProcInject_PrependAppend_x86": ["kJCQkJCQkJCQ", "Empty"], "ProcInject_PrependAppend_x64": ["kJCQkJCQkJCQ", "Empty"], "ProcInject_Execute": ["CreateThread", "CreateRemoteThread", "NtQueueApcThread", "RtlCreateUserThread", "ntdll.dll:RtlUserThreadStart", "NtQueueApcThread-s", "SetThreadContext", "CreateRemoteThread", "kernel32.dll:LoadLibraryA", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security | ||
Windows_Trojan_CobaltStrike_663fc95d | Identifies CobaltStrike via unidentified function code | unknown |
| |
JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security | ||
Windows_Trojan_CobaltStrike_b54b94ac | Rule for beacon sleep obfuscation routine | unknown |
| |
JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security | ||
Click to see the 2 entries |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Static PE information: |
Networking |
---|
Source: | URLs: |
Source: | DNS traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Long String: |
Source: | Code function: | 0_2_0223C280 | |
Source: | Code function: | 0_2_02226B38 | |
Source: | Code function: | 0_2_0223CBF0 | |
Source: | Code function: | 0_2_0222F1A8 | |
Source: | Code function: | 0_2_02230E64 | |
Source: | Code function: | 0_2_02231F9C | |
Source: | Code function: | 0_2_02231528 | |
Source: | Code function: | 0_2_02270000 |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Base64 encoded string: |