From RTF to Cobalt Strike passing via Flash
WHITE Cobalt Gang AlienVault 2017-02-06 Modified: 2017-06-14
Quick Sunday morning blog post: analysis of an unknown RTF file. This article is the result of an initial investigation; no attribution is done, but you’ll have all the necessary info for a deeper investigation.
Indicators of Compromise (12)