Table of contents
NOBELIUM is another name for the APT29 intrusion set¹, operated by a threat actor allegedly linked to the SVR (the Foreign Intelligence Service of the Russian Federation)². NOBELIUM has historically targeted government organizations, non-governmental organizations, think tanks, military, IT service providers, health technology and research, and telecommunications providers.
Despite the low sophistication level of its phishing campaigns targeting Windows, NOBELIUM is well known for its agility once inside the victim’s network. Its operators are careful, patient and masterize cutting edge intrusion techniques against the latest Microsoft technologies and services such as AzureAD. For example, NOBELIUM used a home made passive implant dubbed FoggyWeb to exfiltrate authentication tokens from ADFS servers in a stealthy way³.
NOBELIUM made the headlines a little over a year ago, following the discovery of a sophisticated supply chain attack against the Solarwinds software, compromising thousands with a validator dubbed “SunBurst”⁴. Beyond its impact and its sophistication, the attack – as disclosed by Kaspersky – had an interesting overlap with a backdoor used by TURLA⁴, an intrusion set that has been active for years and known to be allegedly linked to the Russian FSB. Joint operation between two Russian threat actors or NOBELIUM had access to the same code base? The question remains unanswered today but it is not the first time that overlaps between these two intrusion sets emerge⁵.
Throughout 2021 and following the SolarWinds attack, NOBELIUM engaged in spear phishing campaigns by using mails and social media messaging. These campaigns didn’t use any exploit to compromise Windows endpoints. They simply relied on malicious HTML attachments – called EnvyScout by Microsoft⁶– with a pinch of social engineering. By opening the attachment, the HTML file extracts from itself an ISO file by using a technique dubbed HTML Smuggling. The ISO is then downloaded by the victim and automatically mounted on the victim’s workstation, leading at the end of the exploitation chain to execution of a CobaltStrike beacon.
New EnvyScout infection chain analysis.
On October 21st, 2021, a new EnvyScout HTML file related to the NOBELIUM intrusion set (3d18bc4bfe1ec7b6b73a3fb39d490b64) matched one of our YARA rule on VirusTotal with a detection ratio of 1 on 56.
The rule was done on the possible obfuscated variants of a JavaScript loop used in the EnvyScout initial file disclosed by Microsoft (32e0940e1715392280d4bdb514d9cf11)⁶.
Table 1. Comparison of the two loops
It is worth noting that’s not the only resemblance between the two files, both also have the same headers, with the same MOTW comment⁷, such as:
Extract 1. Headers in 32e0940e’ and 3d18bc4b’ files
As seen during other phishing campaigns reported in open-source, this file uses the “HTML Smuggling” technique to extract a malicious ISO file. By looking at its content, this file seems to have targeted at least one Iranian embassy, as shown below:
Figure 1. Message shown to the user by the HTML file 3d18bc4bfe1ec7b6b73a3fb39d490b64.
Following this first discovery, another similar HTML file came out in early December (b87073c34a910f20a83c04c8efbd4f43) but this time with no text except the title “Covid information”. The content may have been deleted by the submitters in order to prevent victim identification. However, the next infection chain stage revealed that it targeted at least one Turkey Embassy. It is worth noting that these EnvyScout files don’t contain any SMB trap, web bug, telemetry script or redirection to some 0day exploit targeting iOS as previously seen by Google TAG⁸.
If we take a look at the ISO files metadata, the ISO volume name is the HTA file title and there are some interesting timestamps such as the “Root Directory Create Date” or the “Volume Create Date”. In the first sample, 3d18bc4bfe1ec7b6b73a3fb39d490b64, the timestamps values are 2021:10:20 11:27:18-07:00 (UTC time). Whereas in the second sample, which was uploaded a bit later on VirusTotal, the timestamps values are 2021:11:12 09:28:40-08:00 (UTC time).
These dates indicate the last time that the volume was mounted. This is quite interesting as the ISO files were actually simply extracted and decoded from the HTML files. It seems therefore likely that NOBELIUM built the payloads (or tested its whole attack chain) at these dates. If that is indeed the case, it would mean that the first sample 3d18bc4bfe1ec7b6b73a3fb39d490b64 was created a day before it was uploaded to VirusTotal.
Unlike the previously described NOBELIUM spear-phishing attacks disclosed by Microsoft, the downloaded ISO files no longer contained a malicious DLL and a shortcut aimed to launch that DLL. In both cases, the ISO simply embeds a malicious HTML Application (HTA) file, executing the rest of the exploitation chain. For the HTA file corresponding to the first HTML file (3d18bc4bfe1ec7b6b73a3fb39d490b64), the HTA file contains the same message as the HTML file. For the second HTML file (b87073c34a910f20a83c04c8efbd4f43), the HTA file contains a message similar to the first file but this time mentions an “Embassy of the Republic of Turkey”:
Figure 2. The HTA b84c00ae9e7f9684b36d75a1a09f8210 message.
Note the slight typos they made in this message at “transfered” (just like in the first HTML file) and “thes”.
In both cases, the HTA file contains hidden HTML elements embedding the content of two different registry values. The first registry value carries a shellcode loader written in PowerShell dedicated to decode and load a shellcode, contained in the second registry value. Once the values are saved in the registry, the HTA launches a Powershell command line which will load and execute the content of the first registry key, as shown below:
Extract 2. Extract of the HTA b84c00ae9e7f9684b36d75a1a09f8210.
It is worth noting that prior to loading the shellcode, the registry keys containing the malicious payloads are deleted, a nice try to prevent forensic analysis. Furthermore, the registry key names differ in the two samples (Javasoft and MSOffice). In the two cases, the shellcode loads and executes in memory a DLL embedded in it. Both DLLs contain dozens of dead exports, are heavily obfuscated in the same manner with a lot of junk code and fake calls to the Windows API. They are used to decrypt and load an encrypted CS beacon splitted in seven different parts inside the DLL. To resume, they seem to act as the loader dubbed NativeZone (variant 1) as described by Microsoft in their blogpost⁶. To summarize, you can see below the full infection chain used in these recent spear phishing attacks:
Figure 3. Infection chain of 3d18bc4bfe1ec7b6b73a3fb39d490b64.
Both CobaltStrike configurations were extracted easily and can be found in the Appendix. It is interesting to note that the public keys and the user-agent are the same. Furthermore, the user-agent should not be used often in real corporate environments as it is associated with Windows 8 and you could therefore look for that on your networks for hunting purposes.
Two different C2s have been extracted, midcitylanews[.]com for the sample targeting Iran and dom-news[.]com for the sample targeting Turkey.
Infrastructure analysis
The domains midcitylanews[.]com and dom-news[.]com retrieved from the CobaltStrike beacons have been registered more than a year prior to their use by the threat actor which could indicate that NOBELIUM tried to prevent malicious domains detection based on their creation date.
These domains resolved VPS IP addresses having their 80 and 443 ports open. They seem to have been configured by using an Nginx forwarder configuration for CobaltStrike C2 dubbed “cs2nginx” and available for anyone on Github⁹.
However, even if the domains were registered a year ago, the associated C2 servers were set up around the end of september, 2021. Therefore, this time delta, the use of cs2nginx and the pattern of the typosquatting domains (e.g. the use on “news” keyword for many of them) can lead to some infrastructure illumination. Here is the infrastructure which can be grabbed by using this heuristic.
Table 3. Infrastructure discovered possibly linked to NOBELIUM
It is interesting to note that like the infrastructure disclosed by the CERT-FR in December, 2021¹⁰, this cluster is distributed between several autonomous systems, which seems also to be one characteristic of NOBELIUM.
During this investigation, we found other C2s servers using the same technique and potentially linked to other threat actors or red teams. We decided to publish this list in the appendix for threat hunting purposes in your network.
Conclusion
The infection chain and the indicators shown above suggest that NOBELIUM is associated with this attack campaign. After having burned EnvyScout against occidental targets, NOBELIUM seems to reuse this infection chain against other countries. However, due to the low complexity of the infection chain and the previous blog posts covering EnvyScout, it could be, although we write this with very low confidence, just another threat actor copycatting NOBELIUM.
External references
¹ Alert (AA21-148A) Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs, CISA, May 28, 2021
² Further TTPs associated with SVR cyber actors, NCSC, May 7, 2021
³ FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor, Microsoft, September 27, 2021
⁴ SUNBURST Additional Technical Details, Mandian, December 24, 2020
⁵ Sunburst backdoor – code overlaps with Kazuar, Kaspersky, January 11, 2021
⁶ Breaking down NOBELIUM’s latest early-stage toolset, Microsoft, May 28, 2021
⁷ Mark of the Web, Microsoft, May 11, 2015
⁸ How we protect users from 0-day attacks, Google TAG, July 12, 2021
⁹ Cs2modrewrite’s source code on Github
¹⁰ Phishing campaigns by the Nobelium intrusion set, CERT-FR, December 6, 2021
Tactics, Techniques and Procedures (TTPs)
T1583.001 – Acquire Infrastructure: Domains
T1583.003 – Acquire Infrastructure: Virtual Private Server
T1566.001 – Phishing: Spearphishing Attachment
T1566.003 – Phishing: Spearphishing via Service
T1059.001 – Command and Scripting Interpreter: PowerShell
T1204.002 – User Execution: Malicious File
T1027.006 – Obfuscated Files or Information: HTML Smuggling
T1071.001 – Application Layer Protocol: Web Protocols
Related IOCs
The IOCs are provided “as is”. All the IOCs can be downloaded in JSON STIX2.1 and CSV formats on the SEKOIA.IO Github: https://www.github.com/SEKOIA-IO/Community/tree/main/IOCs
Domains
crochetnews[.]com
dom-news[.]com
readnewshot[.]com
pharaosjournal[.]com
bfilmnews[.]com
theanalyticsnews[.]com
galatinonews[.]com
midcitylanews[.]com
muslimnewsdaily[.]comIP Addresses
31.42.177[.]78
158.255.211[.]40
45.14.70[.]186
46.102.152[.]118
139.99.178[.]56
95.183.51[.]161
195.144.21[.]159
103.232.53[.]230
194.62.42[.]109Other domains suspected to use cs2nginx
These domains are suspected to use cs2nginx. We haven’t been able to link them to NOBELIUM and they could be related to other threats. They are provided “as is”, only for hunting purposes in your own network.
updates.uk[.]com
onlinebusinessadviceuk[.]com
assets.completehealthcareuk[.]net
d2rwiki[.]net
taiwancht[.]com
herosofthestorms[.]com
note.legendsec[.]net
faststartbusiness[.]com
msdnsvc[.]com
assets.bettendorfhealthcare[.]com
eblogpro[.]com
getdsoft[.]com
themobilecard[.]com
c***solutions[.]support
v*****managernent[.]com
e*****x[.]me
img.microsoftupdate.cc
windows.msgetupdate.com
fwd.splunk.eu.com
file.updateswindows.comFiles MD5 hashes
054940ba8908b9e11f57ee081d1140cb
b84c00ae9e7f9684b36d75a1a09f8210
3d18bc4bfe1ec7b6b73a3fb39d490b64
b87073c34a910f20a83c04c8efbd4f43
d4fdf63d88da2d59569bb621b18bf5e4
41dd8cee47c036e7e9e92c395c5d1feb
b7ca8c46dc1bfc1d9cb9ce04a4928153
cc08a6df151b8879a4969b2e99086b48
4365057ef0c5a9518d95d53eab5995a8Yara rules
rule apt_nobelium_powsershell_reg_loader_decoded {
meta:
id = “c8ee9c40-fa28-4b9a-98e8-88ccc4a16091“
description = “Matches the decoded version of the Powershell loader stored in the registry“
version = “1.0“
creation_date = “2021-12-07“
modification_date = “2021-12-07“
classification = “TLP:WHITE“
source=“SEKOIA“
strings:
$x = “FromBase64String((gp HKCU:\\\\SOFTWARE\\\\“
$y = “Remove-ItemProperty HKCU:\\\\SOFTWARE\\\\“
$z = “Invoke([IntPtr]::Zero)“
condition:
filesize < 3KB and
$x and #y == 2 and
$z at (filesize-22)
}
rule apt_nobelium_hta_reg_dropper {
meta:
id = “9f6a2154-c33a-4c38-9667-7479bf49c310“
description = “Matches HTA dropper file used by NOBELIUM and ISO files containing it“
hash = “054940ba8908b9e11f57ee081d1140cb“
hash = “b7ca8c46dc1bfc1d9cb9ce04a4928153“
version = “1.0“
creation_date = “2021-12-07”
modification_date = “2021-12-07“
classification = “TLP:WHITE“
source=“SEKOIA“
strings:
$w = “RegWrite(“ nocase
$x = { 2b 3d 20 64 6f 63 75 6d
65 6e 74 2e 67 65 74 45
6c 65 6d 65 6e 74 42 79
49 64 28 22 [0-4] 22 29
2e 69 6e 6e 65 72 48 54
4d 4c }
$y = “<body onload=“ nocase
$z = “hidden“ nocase
condition:
$y and
(3 < #z) and
(3 < #x) and
(1 < #w)
}
rule apt_nobelium_hta_in_iso {
meta:
id = “874ab41b-5c60-4303-8776-e1c10313a401“
description = “Matches ISO file embedding HTA“
hash = “d4fdf63d88da2d59569bb621b18bf5e4“
hash = “cc08a6df151b8879a4969b2e99086b48“
version = “1.0“
creation_date = “2021-12-02”
modification_date = “2021-12-02“
classification = “TLP:WHITE“
source=“SEKOIA“
strings:
$ = “ImgBurn v2“
$ = “<hta:application“
condition:
all of them and
filesize > 1MB and
filesize < 3MB
}
rule apt_nobelium_html_smuggling_iso {
meta:
id = “9bd5b626-8ea3-4607-a858-58deff18396c“
version = “1.0“
description = “Detect HTML smuggling with ISO“
hash = “b87073c34a910f20a83c04c8efbd4f43”
hash = “3d18bc4bfe1ec7b6b73a3fb39d490b64“
source = “SEKOIA“
creation_date = “2022-01-02”
modification_date = “2022-01-02“
classification = “TLP:WHITE“
strings:
$ = “new Blob“
$ = “.click();“
$ = { 28 [1-20] 2c 22 [1-20]
2e 69 73 6f 22 2c 22 61
70 70 6c 69 63 61 74 69
6f 6e 2f 78 2d 63 64 2d
69 6d 61 67 65 22 29 }
condition:
filesize > 1MB and filesize < 2MB and all of them
}
rule apt_nobelium_b64_to_Uint8Array {
meta:
id = “66c9b00b-f021-4115-b9ec-d1e1f491ce72“
description = “Detect Base64 decode to Uint8Array used in NOBELIUM HTML files“
hash = “3d18bc4bfe1ec7b6b73a3fb39d490b64“
version = “1.0“
creation_date = “2021-12-02”
modification_date = “2021-12-02“
classification = “TLP:WHITE“
source=“SEKOIA“
strings:
$a1 = “atob(“
$l0 = { 20 3c 20 [2-10] 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 7b }
$l1 = { 5b 69 5d 20 3d 20 [2-10] 2e 63 68 61 72 43 6f 64 65 41 74 28 69 29 3b }
$a2 = “new Uint8Array“
condition:
$l0 in (@a1..@a2) and
$l1 in (@a1..@a2) and
filesize > 1MB and filesize < 3MB
}
import “pe“
rule apt_nobelium_cs_loader_obfuscation {
meta:
id = “5f21b031-3dc1-4dad-b775-6099bfcb0472“
version = “1.0“
description = “Detect obfuscated CobaltStrike loaders used by NOBELIUM”
hash = “41dd8cee47c036e7e9e92c395c5d1feb“
hash = “4365057ef0c5a9518d95d53eab5995a8“
source = “SEKOIA“
creation_date = “2022-01-04“
modification_date = “2022-01-04“
classification = “TLP:WHITE“
strings:
$j1 = { DD 05 ?? ?? ?? ?? DD 9D }
$j2 = { C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 }
$c1 = { 81 7D ?? FF 00 00 00 0F 8E ?? ?? FF FF }
condition:
pe.characteristics & pe.DLL and
pe.number_of_exports > 20 and
filesize > 300KB and filesize < 400KB and
#j1 > 50 and #j2 > 50 and #c1 == 2
}Sigma rule
id: d9114938-6877-48d8-a785-bc07cb7220ff
title: PowerShell invoking in the command line a registry value to execute.
description: Detects a d9114938 execution which grabs a value in the windows registry to execute it.
references:
– MD5 hash: b84c00ae9e7f9684b36d75a1a09f8210
– MD5 hash: 054940ba8908b9e11f57ee081d1140cb
status: experimental
author: ‘SEKOIA.IO’
date: 2022/01/03
tags:
– attack.T1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains: ‘powershell’
CommandLine|contains: ‘HKCU’
selection2
CommandLine|contains:
– ‘invoke-expression’
– ‘iex’
CommandLine|contains:
– ‘gp’
– ‘Get-ItemProperty’
condition: selection and selection2
level: mediumRegistry Keys
HKCU\SOFTWARE\MSOffice\Version
HKCU\SOFTWARE\MSOffice\path
HKCU\SOFTWARE\JavaSoft\Ver
HKCU\SOFTWARE\JavaSoft\Ver2CobaltStrike configurations
Configuration of the CobaltStrike beacon launched from the Iranian decoy (from 1768.py, Didier Stevens’ tool):
Config found: xorkey b’.’ 0x00000000 0x000041f0
0x0001 payload type 0x0001 0x0002 8 windows-beacon_https-reverse_https
0x0002 port 0x0001 0x0002 443
0x0003 sleeptime 0x0002 0x0004 60000
0x0004 maxgetsize 0x0002 0x0004 1398104
0x0005 jitter 0x0001 0x0002 30
0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100a6be0ed930ab8ecb86facd6419bbe38fb5bc87449bf0d9214cd713d8f2b81e8c5705ca8e5cd0965376322c9f5fcfdbd647ca208c02ecb130593d516837b167992a49dbd6febe34541c30bc988dcb5742e3a7a44549d7b3364fe88e914bcca01c0175668d10f4c36c94bc33e348197824611eb4a3341f10c5b02080b02bcf62fb020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0x0008 server,get-uri 0x0003 0x0100 ‘midcitylanews.com,/news/update/aaa’
0x000e SpawnTo 0x0003 0x0010 (NULL …)
0x001d spawnto_x86 0x0003 0x0040 ‘%windir%\\syswow64\\dllhost.exe’
0x001e spawnto_x64 0x0003 0x0040 ‘%windir%\\sysnative\\dllhost.exe’
0x001f CryptoScheme 0x0001 0x0002 0
0x001a get-verb 0x0003 0x0010 ‘GET’
0x001b post-verb 0x0003 0x0010 ‘POST’
0x001c HttpPostChunk 0x0002 0x0004 0
0x0025 license-id 0x0002 0x0004 1359593325
0x0026 bStageCleanup 0x0001 0x0002 0
0x0027 bCFGCaution 0x0001 0x0002 0
0x0009 useragent 0x0003 0x0100 ‘Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36’
0x000a post-uri 0x0003 0x0040 ‘/form/sent/ppw’
0x000b Malleable_C2_Instructions 0x0003 0x0100 ‘\x00\x00\x00\x04\x00\x00\x00\x03’
0x000c http_get_header 0x0003 0x0200
Content-Type: text/html
Cache-Control: no-cache
v1.5472
0x000d http_post_header 0x0003 0x0200
!Content-Type: multipart/form-data
Cache-Control: no-cache
/.jpg
0x0036 HostHeader 0x0003 0x0080 (NULL …)
0x0032 UsesCookies 0x0001 0x0002 0
0x0023 proxy_type 0x0001 0x0002 2 IE settings
0x003a 0x0003 0x0080 ‘\x00\x05\x90’
0x0039 0x0003 0x0080 ‘\x00\x05p’
0x0037 0x0001 0x0002 0
0x0028 killdate 0x0002 0x0004 0
0x0029 textSectionEnd 0x0002 0x0004 0
0x002b process-inject-start-rwx 0x0001 0x0002 4 PAGE_READWRITE
0x002c process-inject-use-rwx 0x0001 0x0002 32 PAGE_EXECUTE_READ
0x002d process-inject-min_alloc 0x0002 0x0004 17500
0x002e process-inject-transform-x86 0x0003 0x0100 ‘\x00\x00\x00\x02\x90\x90’
0x002f process-inject-transform-x64 0x0003 0x0100 ‘\x00\x00\x00\x02\x90\x90’
0x0035 process-inject-stub 0x0003 0x0010 ‘\x0câõTDäy5\x16µ¯ég¾\x92U’
0x0033 process-inject-execute 0x0003 0x0080 ‘\x06\x00&\x00\x00\x00\x06ntdll\x00\x00\x00\x00\x13RtlUserThreadStart\x00\x01\x08\x07\x00Q\x00\x00\x00\rkernel32.dll\x00\x00\x00\x00\rLoadLibraryA\x00\x04’
0x0034 process-inject-allocation-method 0x0001 0x0002 1
0x0000
Guessing Cobalt Strike version: 4.1+ (max 0x003a)
Configuration of the CobaltStrike beacon launched from the Turkish decoy (from 1768.py, Didier Stevens’ tool):
Config found: xorkey b’.’ 0x00000000 0x0000bff0
0x0001 payload type 0x0001 0x0002 8 windows-beacon_https-reverse_https
0x0002 port 0x0001 0x0002 443
0x0003 sleeptime 0x0002 0x0004 60000
0x0004 maxgetsize 0x0002 0x0004 1398104
0x0005 jitter 0x0001 0x0002 30
0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100a6be0ed930ab8ecb86facd6419bbe38fb5bc87449bf0d9214cd713d8f2b81e8c5705ca8e5cd0965376322c9f5fcfdbd647ca208c02ecb130593d516837b167992a49dbd6febe34541c30bc988dcb5742e3a7a44549d7b3364fe88e914bcca01c0175668d10f4c36c94bc33e348197824611eb4a3341f10c5b02080b02bcf62fb020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0x0008 server,get-uri 0x0003 0x0100 ‘dom-news.com,/info/www/robot’
0x000e SpawnTo 0x0003 0x0010 (NULL …)
0x001d spawnto_x86 0x0003 0x0040 ‘%windir%\\syswow64\\dllhost.exe’
0x001e spawnto_x64 0x0003 0x0040 ‘%windir%\\sysnative\\dllhost.exe’
0x001f CryptoScheme 0x0001 0x0002 0
0x001a get-verb 0x0003 0x0010 ‘GET’
0x001b post-verb 0x0003 0x0010 ‘POST’
0x001c HttpPostChunk 0x0002 0x0004 0
0x0025 license-id 0x0002 0x0004 1359593325
0x0026 bStageCleanup 0x0001 0x0002 0
0x0027 bCFGCaution 0x0001 0x0002 0
0x0009 useragent 0x0003 0x0100 ‘Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36’
0x000a post-uri 0x0003 0x0040 ‘/assets/image/awd’
0x000b Malleable_C2_Instructions 0x0003 0x0100 ‘\x00\x00\x00\x04\x00\x00\x00\x03’
0x000c http_get_header 0x0003 0x0200
Content-Type: text/html
Cache-Control: no-cache
.html
Cookie
0x000d http_post_header 0x0003 0x0200
Content-Type: image/jpeg
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
/.png
0x0036 HostHeader 0x0003 0x0080 (NULL …)
0x0032 UsesCookies 0x0001 0x0002 1
0x0023 proxy_type 0x0001 0x0002 2 IE settings
0x003a 0x0003 0x0080 ‘\x00\x05\x90’
0x0039 0x0003 0x0080 ‘\x00\x05p’
0x0037 0x0001 0x0002 0
0x0028 killdate 0x0002 0x0004 0
0x0029 textSectionEnd 0x0002 0x0004 0
0x002b process-inject-start-rwx 0x0001 0x0002 4 PAGE_READWRITE
0x002c process-inject-use-rwx 0x0001 0x0002 32 PAGE_EXECUTE_READ
0x002d process-inject-min_alloc 0x0002 0x0004 17500
0x002e process-inject-transform-x86 0x0003 0x0100 ‘\x00\x00\x00\x02\x90\x90’
0x002f process-inject-transform-x64 0x0003 0x0100 ‘\x00\x00\x00\x02\x90\x90’
0x0035 process-inject-stub 0x0003 0x0010 ‘\x0câõTDäy5\x16µ¯ég¾\x92U’
0x0033 process-inject-execute 0x0003 0x0080 ‘\x06\x00&\x00\x00\x00\x06ntdll\x00\x00\x00\x00\x13RtlUserThreadStart\x00\x01\x08\x07\x00Q\x00\x00\x00\rkernel32.dll\x00\x00\x00\x00\rLoadLibraryA\x00\x04’
0x0034 process-inject-allocation-method 0x0001 0x0002 1
0x0000
Guessing Cobalt Strike version: 4.1+ (max 0x003a)Read our article on:
Chat with our team!
Would you like to know more about our solutions? Do you want to discover our XDR and CTI products? Do you have a cybersecurity project in your organization? Make an appointment and meet us!
