2019-07-03 - QUICK POST: HANCITOR INFECTION WITH COBALT STRIKE
- 2019-07-03-Hancitor-malspam-example.eml.zip 2.5 kB (2,531 bytes)
- 2019-07-03-Hancitor-infection-with-Cobalt-Strike.pcap.zip 520 kB (519,771 bytes)
- 2019-07-03-Hancitor-and-Cobalt-Strike-malware-and-artifacts.zip 353 kB (353,448 bytes)
- Since Monday 2019-07-01, Hancitor infections have included Cobalt Strike activity as noted by @James_inthe_box, @VK_Intel, and others (Twitter link).
- I didn't see it in the Hancitor I posted on 2019-07-01, but I did see Cobalt Strike act ivity from my Hancitor infection yesterday.
- I saw more Cobalt Strike activity during my Hancitor infection today. See the images below for details.
- Zip archives are password-protected with the standard password. If you don't know it, see the "about" page of this website.
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: Alerts from the traffic using Security Onion with Suricata and the Emergingthreats Pro ruleset viewed through Squil.
Shown above: Further beaconing activity related to Cobalt Strike.
Shown above: Some contents of the Cobalt Strike callback traffic.
Click here to return to the main page.