Example of Cobalt Strike from Emotet infection

Published: 2022-02-09
Last Updated: 2022-02-09 17:13:15 UTC
by Brad Duncan (Version: 1)

Introduction

Update, 2022-02-09 at 17:09 UTC:  I've posted traffic and malware samples from the Emotet infections I generated while preparing for this diary.  The files are located here.

Since early December 2021, we have seen reports of Emotet infections dropping Cobalt Strike malware (link).  I've seen it occasionally since then, and I reported an example last week.  Today's diary reviews another Cobalt Strike sample dropped by an Emotet infection on Tuesday 2022-02-08.

Details

This was an infection from the epoch 5 botnet, and approximately 5 hours after the initial infection, Cobalt Strike traffic started on 2022-02-08 at 19:54 UTC.  The Cobalt Strike binary was sent over Emotet's HTTPS C2 traffic, so there were no network indicators for Cobalt Strike until the Cobalt Strike traffic itself started.


Shown above:  Emotet infection traffic with the start of Cobalt Strike activity.

The first domain was foxofeli[.]com, and approximately 15 minutes later another Cobalt Strike domain, diyabip[.]com, appeared, as shown in the image below.


Shown above:  Second Cobalt Strike domain appears during the infection.

The Cobalt Strike binary is a 64-bit DLL that was saved to the same directory as the Emotet DLL.


Shown above:  Cobalt Strike DLL saved to the same directory as the Emotet DLL.

Indicators of Compromise (IOCs)

Cobalt Strike binary dropped during Emotet epoch 5 infection:

SHA256 hash: b6262f4aa06d0bf045d95e3fcbc142f1d1d98f053da5714e3570482f0cf93b65

  • File size:  216,576 bytes
  • File location:  C:\Users\[username]\AppData\Local\[Emotet directory]\gtrhfxlqswyy.dll
  • File type:  PE32+ executable (DLL) (GUI) x86-64, for MS Windows
  • Run method:  regsvr32.exe /s [filename]
  • Note 1:  [username] is specific to the Windows user account name of the infected victim.
  • Note 2:  [Emotet directory] name and the DLL file name are different for each infection.

Analysis links for the Cobalt Strike binary:

Cobalt Strike traffic:

  • 23.82.140[.]91 port 443 - foxofeli[.]com - HTTPS traffic
  • 108.62.141[.]56 port 443 - diyabip[.]com - HTTPS traffic
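As an added example (not code from the diary), a small Python detection sketch that runs the indicators above over constructed Zeek ssl.log-style TLS records and Sysmon event ID 1-style process-creation records. The user name, the Emotet directory name and the benign events are made up; only the domains, IPs, hash, run method and file-location pattern come from the diary.

```python
import re

# Indicators from the diary, with the defanging brackets removed for matching.
CS_DOMAINS = {"foxofeli.com", "diyabip.com"}
CS_IPS = {"23.82.140.91", "108.62.141.56"}
CS_DLL_SHA256 = "b6262f4aa06d0bf045d95e3fcbc142f1d1d98f053da5714e3570482f0cf93b65"
# "regsvr32.exe /s <dll>" with the DLL under a user's AppData\Local subdirectory,
# the run method and file location the diary describes.
REGSVR32_APPDATA = re.compile(
    r'regsvr32(\.exe)?\s+/s\s+"?[a-z]:\\users\\[^\\]+\\appdata\\local\\[^\\]+\\[^\\"]+\.dll"?',
    re.IGNORECASE,
)

def check_tls(ev):
    """Reasons a Zeek ssl.log-style record matches the Cobalt Strike C2 IOCs."""
    hits = []
    if ev.get("server_name", "").lower() in CS_DOMAINS:
        hits.append("sni:" + ev["server_name"].lower())
    if ev.get("id.resp_h") in CS_IPS and ev.get("id.resp_p") == 443:
        hits.append("dst:" + ev["id.resp_h"])
    return hits

def check_process(ev):
    """Reasons a Sysmon event ID 1-style record matches the dropped-DLL IOCs."""
    hits = []
    if REGSVR32_APPDATA.search(ev.get("CommandLine", "")):
        hits.append("regsvr32-appdata-dll")
    # Sysmon's Hashes field is "MD5=...,SHA256=...,..."; pick out the SHA256 value.
    hashes = dict(p.split("=", 1) for p in ev.get("Hashes", "").split(",") if "=" in p)
    if hashes.get("SHA256", "").lower() == CS_DLL_SHA256:
        hits.append("sha256:cobalt-strike-dll")
    return hits

def scan(events):
    """Return [(index, hits)] for each event matching at least one indicator."""
    results = []
    for i, ev in enumerate(events):
        hits = check_tls(ev) if "id.resp_h" in ev else check_process(ev)
        if hits:
            results.append((i, hits))
    return results

# Constructed sample events; user name, Emotet directory and benign entries are made up.
SAMPLE_EVENTS = [
    {"id.resp_h": "23.82.140.91", "id.resp_p": 443, "server_name": "foxofeli.com"},
    {"id.resp_h": "198.51.100.7", "id.resp_p": 443, "server_name": "example.com"},
    {"CommandLine": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Xyzab\gtrhfxlqswyy.dll"',
     "Hashes": "SHA256=B6262F4AA06D0BF045D95E3FCBC142F1D1D98F053DA5714E3570482F0CF93B65"},
    {"CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\legit.dll", "Hashes": "SHA256=0000"},
]
```

Note that the hash and domain checks only catch this one sample, while the regsvr32 /s pattern under AppData\Local is the more durable signal, since the diary notes the directory and DLL name change with every infection.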

Final words

During real-world incidents, investigations have occasionally revealed use of Cobalt Strike before a threat actor drops ransomware (here is one example, and here is another).  I haven't yet seen ransomware sent through Emotet to Cobalt Strike infections in my lab environment, but we should remain aware of the threat posed by this malware combo.

Traffic, malware samples, and associated IOCs from the Emotet infections that I generated for today's diary are located here.

---

Brad Duncan
brad [at] malware-traffic-analysis.net
