

Showing posts from September, 2020

Decode FIN6 Cobalt Strike stagers

This post explains how to decode FIN6 Cobalt Strike stagers using CyberChef and scdbg. Attackers leverage Pastebin to host Cobalt Strike stagers or malicious droppers, and a few of them are still active on Pastebin even though the final C2 IPs or domains are no longer active. Below is one of those Pastebin HTTP stagers: hxxps://pastebin[.]com/raw/HPpvY00Q.

One of my previous posts, Decoding Metasploit and CobaltStrike shells, explains how to use CyberChef to fully decode an encoded PowerShell command and extract the shellcode. That shellcode is then fed into the scdbg emulator to recover the C2 IP address. Here the Linux command-line version of scdbg is used to emulate the shellcode.

References:
CyberChef
Scdbg
Cobalt Strike stagers used by FIN6
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware