Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Cobalt Strike, CobaltStrike | Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable. |
|
|
AV Detection |
---|
Source: |
Avira: |
Source: |
Malware Configuration Extractor: |
||
Source: |
Malware Configuration Extractor: |
Source: |
ReversingLabs: |
Source: |
Integrated Neural Analysis Model: |
Source: |
Joe Sandbox ML: |
Source: |
Static PE information: |
Source: |
Code function: |
0_2_0069D240 | |
Source: |
Code function: |
0_2_006A6B60 |
Networking |
---|
Source: |
URLs: |
||
Source: |
URLs: |
Source: |
Network traffic detected: |
Source: |
TCP traffic: |
Source: |
ASN Name: |
Source: |
DNS traffic detected: |
Source: |
HTTP traffic detected: |
Source: |
TCP traffic detected without corresponding DNS query: |
||
Source: |
TCP traffic detected without corresponding DNS query: |
||
Source: |
TCP traffic detected without corresponding DNS query: |
||
Source: |
TCP traffic detected without corresponding DNS query: |
||
Source: |
TCP traffic detected without corresponding DNS query: |
||
Source: |
UDP traffic detected without corresponding DNS query: |
Source: |
HTTP traffic detected: |
Source: |
DNS traffic detected: |
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
Source: |
Binary or memory string: |
System Summary |
---|
Source: |
Matched rule: |
||
Source: |
Matched rule: |
||
Source: |
Matched rule: |
||
Source: |
Matched rule: |
Source: |
Code function: |
0_2_006C8060 | |
Source: |
Code function: |
0_2_00685040 | |
Source: |
Code function: |
0_2_0069D440 | |
Source: |
Code function: |
0_2_0068B020 | |
Source: |
Code function: |
0_2_006A7000 | |
Source: |
Code function: |
0_2_006B70E0 | |
Source: |
Code function: |
0_2_006854A0 | |
Source: |
Code function: |
0_2_0069A9A0 | |
Source: |
Code function: |
0_2_00688D80 | |
Source: |
Code function: |
0_2_00694260 | |
Source: |
Code function: |
0_2_0069EA60 | |
Source: |
Code function: |
0_2_0068BA40 | |
Source: |
Code function: |
0_2_0068C640 | |
Source: |
Code function: |
0_2_006A42E0 | |
Source: |
Code function: |
0_2_00684AC7 | |
Source: |
Code function: |
0_2_0069E2A0 | |
Source: |
Code function: |
0_2_006A6B60 | |
Source: |
Code function: |
0_2_00693705 |
Source: |
Static PE information: |
Source: |
Matched rule: |
||
Source: |
Matched rule: |
||
Source: |
Matched rule: |
||
Source: |
Matched rule: |
Source: |
Static PE information: |
||
Source: |
Static PE information: |
||
Source: |
Static PE information: |
Source: |
Classification label: |
Source: |
Mutant created: |
Source: |
File opened: |
Jump to behavior |
Source: |
Static PE information: |
Source: |
Key opened: |
Jump to behavior |
Source: |
ReversingLabs: |
Source: |
Process created: |
||
Source: |
Process created: |
Source: |
Section loaded: |
Jump to behavior | ||
Source: |
Section loaded: |
Jump to behavior | ||
Source: |
Section loaded: |
Jump to behavior | ||
Source: |
Section loaded: |
Jump to behavior | ||
Source: |
Section loaded: |
Jump to behavior | ||
Source: |
Section loaded: |
Jump to behavior | ||
Source: |
Section loaded: |
Jump to behavior | ||
Source: |
Section loaded: |
Jump to behavior | ||
Source: |
Section loaded: |
Jump to behavior | ||
Source: |
Section loaded: |
Jump to behavior | ||
Source: |
Section loaded: |
Jump to behavior | ||
Source: |
Section loaded: |
Jump to behavior | ||
Source: |
Section loaded: |
Jump to behavior | ||
Source: |
Section loaded: |
Jump to behavior | ||
Source: |
Section loaded: |
Jump to behavior | ||
Source: |
Section loaded: |
Jump to behavior | ||
Source: |
Section loaded: |
Jump to behavior | ||
Source: |
Section loaded: |
Jump to behavior | ||
Source: |
Section loaded: |
Jump to behavior | ||
Source: |
Section loaded: |
Jump to behavior |
Source: |
Key value queried: |
Jump to behavior |
Source: |
Static file information: |
Source: |
Static PE information: |
Source: |
Static PE information: |
||
Source: |
Static PE information: |
||
Source: |
Static PE information: |
||
Source: |
Static PE information: |
||
Source: |
Static PE information: |
||
Source: |
Static PE information: |
||
Source: |
Static PE information: |
||
Source: |
Static PE information: |
Source: |
Code function: |
0_2_0000029C510F0364 | |
Source: |
Code function: |
0_2_0000029C510F0364 |
Hooking and other Techniques for Hiding and Protection |
---|
Source: |
Network traffic detected: |
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior |
Source: |
Code function: |
0_2_006DB920 |
Source: |
Binary or memory string: |
||
Source: |
Binary or memory string: |
||
Source: |
Binary or memory string: |
Anti Debugging |
---|
Source: |
Code function: |
0_2_006DB920 |
Source: |
Code function: |
0_2_006DB920 |
Remote Access Functionality |
---|
Source: |
File source: |
||
Source: |
File source: |
Source: |
File source: |
||
Source: |
File source: |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
106.14.141.209 | unknown | China | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | true |
Name | IP | Active |
---|---|---|
18.31.95.13.in-addr.arpa | unknown | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
|
unknown | |
true |
|
unknown |