Analyzing Cobalt Strike PowerShell Payload

Sample

MD5: e0315aca119a9b3b7d89184ad2fa2603
SHA-1: bfc928da46d2ae32e2c60373a5d968d2f15e497a
SHA-256: 24b18a60020d05b32b13d2cf1e6d6b1ccda4f0af5fb5ec0da960746fde54b796
VirusTotal information

Analysis

Open the sample in any text editor. The first thing to notice is that this sample is not obfuscated, whereas much PowerShell malware is obfuscated to evade AV detection. The second is that it is a stageless payload[4], generated directly by the Cobalt Strike attack package. From the description on the Cobalt Strike official website, we know that:

Malicious Powershell payload
Check operation system environment
Base64 string
XOR operation
Comment the code to analyzing
Dump the bin file
Using pestudio to check the dump file
Load and run the dll file into memory
Cobalt Strike beacon config
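
The decode-and-dump steps above (Base64 string, XOR operation, dump the bin file, beacon config), as an added Python example that is not part of the original post and is not Cobalt Strike's code. The loader text inside it is constructed to mimic the layout of a Cobalt Strike PowerShell artifact (the [IntPtr]::size check, a Base64 blob, a single-byte -bxor loop). The XOR key 35 for the blob, the 0x69/0x2e keys and index/type/length layout of the config block, and the field indices it names are this example's assumptions, taken from public beacon-config parsers such as [5], not facts stated in the post; verify them against the real sample.

```python
"""
Added example (not the author's code, not Cobalt Strike's): recover the raw
payload from a Cobalt Strike-style stageless PowerShell loader
(Base64 -> XOR -> .bin) and locate the beacon config inside it.

Assumptions, not stated in the post: the loader XORs the Base64 blob with 35;
the config block is XOR'd with 0x69 (CS 3.x) or 0x2e (CS 4.x) and begins with
the BeaconType entry 00 01 00 01 00 02; each entry is index/type/length as
big-endian shorts followed by data. The sample loader below is constructed.
"""
import base64
import re
import struct
from typing import Optional

LOADER_B64_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
LOADER_KEY_RE = re.compile(r"-bxor\s+(\d+)")
CONFIG_HEADER = bytes.fromhex("000100010002")   # index 1, type short, len 2
CONFIG_XOR_KEYS = (0x69, 0x2E)                  # assumed: CS 3.x, CS 4.x
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 5: "Jitter",
               8: "C2Server", 9: "UserAgent"}   # assumed field indices


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def decode_loader(ps_text: str) -> bytes:
    """Extract the Base64 blob and XOR key from the loader; return raw bytes."""
    blob = LOADER_B64_RE.search(ps_text)
    key = LOADER_KEY_RE.search(ps_text)
    if not blob or not key:
        raise ValueError("loader does not match the expected layout")
    return xor_bytes(base64.b64decode(blob.group(1)), int(key.group(1)))


def parse_config(raw: bytes) -> dict:
    """Walk index/type/length entries until the index-0 terminator."""
    fields, pos = {}, 0
    while pos + 6 <= len(raw):
        idx, typ, length = struct.unpack(">HHH", raw[pos:pos + 6])
        pos += 6
        if idx == 0:
            break
        data = raw[pos:pos + length]
        pos += length
        if typ == 1:          # short
            value = struct.unpack(">H", data)[0]
        elif typ == 2:        # int
            value = struct.unpack(">I", data)[0]
        else:                 # type 3: raw/string data, NUL padded
            value = data.rstrip(b"\x00").decode("latin-1")
        fields[FIELD_NAMES.get(idx, f"field_{idx}")] = value
    return fields


def find_config(payload: bytes, window: int = 4096) -> Optional[dict]:
    """Search for the XOR'd config header with each known key and parse it."""
    for key in CONFIG_XOR_KEYS:
        off = payload.find(xor_bytes(CONFIG_HEADER, key))
        if off != -1:
            cfg = parse_config(xor_bytes(payload[off:off + window], key))
            cfg["_xor_key"], cfg["_offset"] = key, off
            return cfg
    return None


# --- constructed sample: a synthetic config inside a synthetic "MZ" payload ---
def _entry(idx: int, typ: int, data: bytes) -> bytes:
    return struct.pack(">HHH", idx, typ, len(data)) + data

_CONFIG = (
    _entry(1, 1, struct.pack(">H", 0))                               # HTTP
    + _entry(2, 1, struct.pack(">H", 80))                            # port
    + _entry(3, 2, struct.pack(">I", 60000))                         # sleep ms
    + _entry(5, 1, struct.pack(">H", 10))                            # jitter %
    + _entry(8, 3, b"example.test,/pixel.gif".ljust(256, b"\x00"))   # C2
    + _entry(9, 3, b"Mozilla/5.0 (Windows NT 10.0)".ljust(128, b"\x00"))
    + struct.pack(">HHH", 0, 0, 0)                                   # end
)
_PAYLOAD = b"MZ" + b"\x90" * 64 + xor_bytes(_CONFIG, 0x2E) + b"\x90" * 64
_BLOB = base64.b64encode(xor_bytes(_PAYLOAD, 35)).decode()
SAMPLE_LOADER = f"""Set-StrictMode -Version 2
$DoIt = @'
[Byte[]]$var_code = [System.Convert]::FromBase64String('{_BLOB}')
for ($x = 0; $x -lt $var_code.Count; $x++) {{
    $var_code[$x] = $var_code[$x] -bxor 35
}}
'@
If ([IntPtr]::size -eq 8) {{
    start-job {{ param($a) IEX $a }} -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}} else {{
    IEX $DoIt
}}
"""

if __name__ == "__main__":
    payload = decode_loader(SAMPLE_LOADER)
    with open("payload.bin", "wb") as fh:   # the dump pestudio is pointed at
        fh.write(payload)
    print("magic:", payload[:2], "size:", len(payload))
    print("config:", find_config(payload))
```

Run it as a script to write payload.bin; on a real sample, point decode_loader at the script text read from disk. A stageless artifact decodes to a PE (the first two bytes are MZ), which is why the dumped file can be handed to pestudio, and the config search is done on those decoded bytes rather than on the Base64 text.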

Troubleshooting

There are some problems that may be encountered in the debugging process.

Errors of PowerShell execution policy
Check current execution policies
Change the execution policies

Reference

[1] https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
[2] https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware
[3] https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena
[4] https://www.cobaltstrike.com/help-staged-exe
[5] https://github.com/Te-k/cobaltstrike
[6] https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
[7] https://tecadmin.net/powershell-running-scripts-is-disabled-system/
