|
Introduction Update, 2022-02-09 at 17:09 UTC: I've posted traffic and malware samples from the Emotet infections I generated to get traffic and malware samples when preparing for this diary. The files are located here. Since early December 2021, we have seen reports of Emotet infections dropping Cobalt Strike malware (link). I've seen it occasionally since then, and I reported an example last week. Today's diary reviews another Cobalt Strike sample dropped by an Emotet infection on Tuesday 2022-02-08. Details This was an infection from the epoch 5 botnet, and approximately 5 hours after the initial infection, Cobalt Strike traffic started on 2022-02-08 at 19:54 UTC. The Cobalt Strike binary was sent over HTTPS Emotet C2 traffic, so there were no indicators over the network for Cobalt Strike until the Cobalt Strike traffic started.
The first domain was foxofeli[.]com, and approximately 15 minutes later another domain for Cobalt Strike named diyabip[.]com as shown in the image below.
The Cobalt Strike binary is a 64-bit DLL that was saved to the same directory as the Emotet DLL.
Indicators of Compromise (IOCs) Cobalt Strike binary dropped during Emotet epoch 5 infection: SHA256 hash: b6262f4aa06d0bf045d95e3fcbc142f1d1d98f053da5714e3570482f0cf93b65
Analysis links for the Cobalt Strike binary: Cobalt Strike traffic:
Final words During real-world incidents, investigations have occasionally revealed use of Cobalt Strike before a threat actor drops ransomware (here is one example, and here is another). I haven't yet seen ransomware sent through Emotet to Cobalt Strike infections in my lab environment, but we should remain aware of the threat posed by this malware combo. Traffic, malware samples, and associated IOCs from the Emotet infections that I generated for today's diary are located here. --- Brad Duncan |
Brad 436 Posts ISC Handler Feb 9th 2022 |
| Thread locked Subscribe |
Feb 9th 2022 4 months ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
