Cobalt Strike

Global rank: 38
Month rank: 18
Week rank: 21
IOCs: 20191

Cobalt Strike is a legitimate penetration testing toolkit developed by Fortra. Cracked versions of it, however, are widely adopted by bad actors, who use it as their C2 system of choice for targeted attacks.

Type: Penetration software
Origin: Unknown
First seen: 20 February, 2012
Last seen: 3 June, 2023


IOCs

IP addresses
13.107.246.44
13.107.246.45
152.199.21.175
13.107.253.45
151.101.2.49
192.168.100.121
192.168.100.116
192.168.100.138
1.1.1.1
192.168.100.44
34.101.154.50
2.23.209.189
192.168.100.69
192.168.100.167
13.107.253.60
151.101.1.194
18.136.148.247
143.204.215.92
208.94.116.21
143.204.215.86
Hashes

Domains
www.clarity.ms
vcctggqm3t.dattolocal.net
dnsresolvconf.site
stateless.patterncenter.com
samples.vx-underground.org
papers.vx-underground.org
promotionapi-v5.discountninja.io
www.beyondintranet.com
scookie.notrespone.com
jumpstart.store
cdn-v4.discountninja.io
jetclicktrks.com
s.vidstream.to
bbrcreative.com
psappdeploytoolkit.com
cdn.dtxcloud.com
engagement.ccleanerbrowser.com
static.wnd.com
controlc.com
cl0udh0st1ng.com
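Sandbox-derived IOC lists such as the one above need triage before they are fed into a detection pipeline: the 192.168.x.x entries are RFC 1918 addresses from the sandbox's own lab network, and 1.1.1.1 is Cloudflare's public DNS resolver, so neither identifies attacker infrastructure. The following Python script is an added example, not ANY.RUN's code; it takes a subset of the indicators listed on this page, discards the unusable addresses, and matches the rest against constructed proxy log lines. The log format, the source addresses and the allowlist are assumptions made for the example.

```python
"""Triage the page's IOC list and match it against proxy log lines (added example)."""
import ipaddress

# Subset of the IP and domain indicators listed on this page.
PAGE_IOC_IPS = ["13.107.246.44", "152.199.21.175", "192.168.100.121",
                "192.168.100.116", "1.1.1.1", "34.101.154.50", "18.136.148.247"]
PAGE_IOC_DOMAINS = ["dnsresolvconf.site", "cl0udh0st1ng.com",
                    "vcctggqm3t.dattolocal.net", "www.clarity.ms"]

# Analyst-maintained allowlist (assumption for this example): 1.1.1.1 is
# Cloudflare's public resolver, so a match on it says nothing about Cobalt Strike.
KNOWN_BENIGN = {"1.1.1.1"}

# Constructed log lines: "<ISO timestamp> <source IP> <destination IP> <host> <status>".
SAMPLE_LOG = """\
2023-06-03T10:00:01Z 10.0.5.23 34.101.154.50 dnsresolvconf.site 200
2023-06-03T10:00:02Z 10.0.5.23 192.168.100.121 fileshare.corp.example 200
2023-06-03T10:00:03Z 10.0.5.24 1.1.1.1 one.one.one.one 200
2023-06-03T10:00:04Z 10.0.5.25 203.0.113.7 cl0udh0st1ng.com 404
2023-06-03T10:00:05Z 10.0.5.26 198.51.100.9 www.example.com 200
"""


def usable_ips(ips, benign=KNOWN_BENIGN):
    """Split IOC addresses into usable indicators and ones to discard.

    Private (RFC 1918), loopback and link-local addresses in a sandbox-derived
    list belong to the sandbox's lab network, not to attacker infrastructure,
    and allowlisted public services would only generate noise.
    """
    keep, dropped = [], []
    for raw in ips:
        addr = ipaddress.ip_address(raw)
        if addr.is_private or addr.is_loopback or addr.is_link_local or raw in benign:
            dropped.append(raw)
        else:
            keep.append(raw)
    return keep, dropped


def match_iocs(log_text, ips, domains):
    """Return one hit per log line whose destination IP or host is an indicator."""
    ip_set = set(ips)
    domain_set = {d.lower() for d in domains}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, host, _status = line.split()
        matched = [value for value in (dst_ip, host.lower())
                   if value in ip_set or value in domain_set]
        if matched:
            hits.append({"ts": ts, "src": src, "indicators": matched})
    return hits


if __name__ == "__main__":
    keep, dropped = usable_ips(PAGE_IOC_IPS)
    print("discarded indicators:", dropped)
    for hit in match_iocs(SAMPLE_LOG, keep, PAGE_IOC_DOMAINS):
        print(hit)
```

Run as written, the script discards the two 192.168.100.x addresses and 1.1.1.1, then reports two hits: the first log line (both the destination IP and the host are indicators) and the fourth (domain only). The connection to 192.168.100.121 is not reported, which is the intended behaviour: in a real network that address is whatever happens to sit there, not a Cobalt Strike Team Server.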


What is Cobalt Strike malware

Cobalt Strike is a licensed penetration testing package developed by Fortra (previously HelpSystems) that helps red teams simulate an adversary in red-versus-blue exercises.

While the software itself is completely legal and designed for cybersecurity testing, over the years many versions of it have been cracked and leaked into the wild. Despite several attempts by the developer and the security community to stop its abuse, attackers continue to employ it to deploy additional payloads after compromising a victim's network.

Most of these cracked versions were obtained by getting hold of a trial copy (trials are only issued to verified parties, but attackers evidently found a way around this), then bypassing the license check and the trial restrictions. (The trial version of Cobalt Strike has many deliberate giveaways, such as the EICAR string embedded in every payload and a watermark.)

Being a legitimate tool, it has a ton of educational material online illustrating what Cobalt Strike can do, such as the official playlist on YouTube. This, of course, lowers the entry threshold and contributes to the popularity of the software among bad actors: one can literally learn how to abuse it directly from its creators.

Cracked Cobalt Strike versions circulate freely on various underground forums and are sometimes found on clearnet resources like GitHub. Although most of them are somewhat outdated, they still pose a serious threat: many criminal groups use them to gain initial access and move laterally through victims' networks.

Cobalt Strike malware analysis review

Cobalt Strike consists of multiple components which together form a comprehensive hacking suite. The central element is the Team Server, which acts both as the C2 server and as a coordinating program that lets multiple operators work together and control hijacked devices. To access it, actors use the Client component, which serves as the GUI for the Team Server.

The Team Server can generate shellcode implants called Stagers. These fileless implants are available as VBA, JavaScript and PowerShell templates. Once an attacker gets a Stager running inside the victim's network, it contacts the Team Server over HTTP/HTTPS, SMB, or DNS to fetch and install the main payload, known as the Beacon.

The Beacon is the core binary that allows the attacker to control infected machines remotely. It supports a wide list of malicious operations and is designed to be configurable and expandable. This extensibility is often used to deliver and run custom modules, which makes Cobalt Strike's malicious capabilities virtually limitless. What's more, there are built-in modules that allow attackers to customize the payload to avoid detection: the Artifact Kit, Malleable C2 Profiles, and the Resource Kit.
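Because Malleable C2 profiles let the operator reshape the URIs, headers and body of Beacon's HTTP traffic, content signatures are unreliable; what a Beacon cannot easily hide is that it checks in with the Team Server on a fixed sleep interval with bounded jitter. The Python script below is an added example, not ANY.RUN's or Cobalt Strike's code: it groups proxy log entries by source host and destination, measures the spread of the gaps between connections, and flags pairs whose gaps are too regular to be human browsing. The log format, the hostnames and the thresholds are assumptions made for the example.

```python
"""Flag beacon-like periodic connections in proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed log lines: "<ISO timestamp> <source IP> <destination host> <status>".
# Host 10.0.5.23 checks in roughly every 60 s (jittered); 10.0.5.24 browses irregularly.
SAMPLE_LOG = """\
2023-06-03T10:00:00Z 10.0.5.23 update-check.example.net 200
2023-06-03T10:00:05Z 10.0.5.24 news.example.org 200
2023-06-03T10:00:10Z 10.0.5.24 news.example.org 200
2023-06-03T10:01:00Z 10.0.5.23 update-check.example.net 200
2023-06-03T10:01:55Z 10.0.5.23 update-check.example.net 200
2023-06-03T10:02:58Z 10.0.5.23 update-check.example.net 200
2023-06-03T10:03:56Z 10.0.5.23 update-check.example.net 200
2023-06-03T10:04:57Z 10.0.5.23 update-check.example.net 200
2023-06-03T10:05:10Z 10.0.5.24 news.example.org 200
2023-06-03T10:05:22Z 10.0.5.24 news.example.org 200
2023-06-03T10:05:54Z 10.0.5.23 update-check.example.net 200
2023-06-03T10:06:54Z 10.0.5.23 update-check.example.net 200
2023-06-03T10:20:22Z 10.0.5.24 news.example.org 200
2023-06-03T10:21:02Z 10.0.5.24 news.example.org 200
2023-06-03T10:21:09Z 10.0.5.24 news.example.org 200
"""

MIN_EVENTS = 6   # assumed threshold: enough gaps to judge regularity
MAX_CV = 0.25    # assumed threshold: jitter is a bounded fraction of the sleep time


def parse_log(text):
    """Parse log lines into (timestamp, source, destination) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _status = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst))
    return events


def find_beacons(events, min_events=MIN_EVENTS, max_cv=MAX_CV):
    """Score every (source, destination) pair by the regularity of its check-ins.

    The coefficient of variation (standard deviation / mean) of the gaps is
    small for a sleep-plus-jitter schedule and large for interactive browsing.
    """
    by_pair = defaultdict(list)
    for when, src, dst in events:
        by_pair[(src, dst)].append(when)

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        findings.append({
            "src": src, "dst": dst, "events": len(times),
            "median_gap": statistics.median(gaps), "cv": round(cv, 3),
            "beacon_like": cv <= max_cv,
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed data the pair 10.0.5.23 to update-check.example.net is flagged with a median gap of 60 seconds and a coefficient of variation near 0.04, while the browsing host scores above 1.0 and is left alone. A larger configured jitter widens the spread, so the threshold is a tuning knob, and a DNS or SMB Beacon would need the same measurement applied to DNS query logs or internal SMB sessions instead.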

It is also worth noting that, since Cobalt Strike was originally designed for team exercises, the Team Server and Client components let criminal gangs coordinate an intrusion with multiple attackers acting simultaneously, potentially targeting multiple weak spots at once.

The payloads usually delivered by Cobalt Strike range from Ransomware to spyware and even Advanced Persistent Threats.

How to get more information from Cobalt Strike malware

ANY.RUN helps analysts track the execution process of Cobalt Strike in an interactive online sandbox.

ANY.RUN users can access the analysis results 10 seconds after launching the sandbox, which saves crucial time, especially during incident response when every second matters.

Cobalt Strike malware configuration

Figure 1: Cobalt Strike malware configuration

Cobalt Strike execution process

The execution of Cobalt Strike varies greatly from sample to sample. Not only are there many iterations of the client, but the program itself is frequently updated by the developers. Besides the common variant that uses an executable file, there are also versions that use PowerShell or JavaScript to take control of the infected system.

In ANY.RUN, users can study the configuration extracted from a Cobalt Strike sample to better understand how it works.

Distribution of Cobalt Strike

Unfortunately, the distribution of Cobalt Strike is poorly documented, but it is believed to be delivered through malicious macros bundled with an infected executable in a phishing email. There are few reports covering this stage, so this conclusion is based on the little information available and on the fact that phishing is by far the most common attack vector.

Conclusion

Cobalt Strike has gained an excellent reputation among cybercriminals, who continue to use it as their Command and Control system of choice to deliver and execute a wide variety of payloads. It is a perfect example of what a legitimate piece of kit can do in the wrong hands. That said, its abuse is a fairly well-researched topic in the community, and there are guides like this one and this one that can help you defend against attacks that use this software.

We hope that as the good research continues, and organizations arm themselves against cracked copies of Cobalt Strike, the abuse of this powerful cybersecurity tool will eventually stop.
