cobaltstrike | 29eeb96134e88d61433cff8342549aae73fb68bb7cc037febb9b87846a2531ec

Sharing

Copy URL

Twitter E-mail

General

Target

29eeb96134e88d61433cff8342549aae73fb68bb7cc037febb9b87846a2531ec
Size

206KB
MD5

e8ae682eebf5c33bf0d325923a0bbe6d
SHA1

ec1e96bd76db278f75f3054fc1776cea89d1e0ce
SHA256

29eeb96134e88d61433cff8342549aae73fb68bb7cc037febb9b87846a2531ec
SHA512

b371db0ccf2f32e91549ef2798b2c8699c2300bac06bb4fe08bab5e637a2f7f06f73fe1fc63f05677d7b3bda4940f53b33140e6b6f455073407acc6566dd9904

Score

10^/10

1 cobaltstrike

Malware Config

Extracted

Family

cobaltstrike

Botnet

Attributes

beacon_type
512
create_remote_thread
256
http_header1
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
pipe_name
\\%s\pipe\msagent_%x
polling_time
10000
port_number
4444
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCBjPmjsS60sXbz65lPK1nABUEYFW2ADeReblgm3X7LmzrrkAdHBfBROBGU/00B0IpKrlJ/fHj2EArY+8OsyDSPgcTAuVhrYHt9Nn7W8ppxd8JM/fEGSLcgEbGDLAk5MYt7DHIIpGnu/z1taESU5qaNed/XcbzetTOp7qJm/xy9vwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
watermark
1

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
sample	cobalt_reflective_dll

Cobaltstrike family
cobaltstrike

Files

29eeb96134e88d61433cff8342549aae73fb68bb7cc037febb9b87846a2531ec
.dll windows x86

4f38a918c40e01f1f6841a3c2cd4b1d3

Code Sign

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

��ћ��

��
��
��
��
��
��
��
��
��
��
��
��
��
��
��
��W��0��͹��1��ͱ��
��0��͹��1��ͱ��
��͹��1��ͱ��
��ͱ��
��
��
��ͬ��
��'��
��
��
��j��
��
��
��
��u��
��
��͹��
��
��H��
��H��
��
��.��
��.��
��.��
��
��
��
��
��
��
��
��
��
��
��
��
��
��
��V
��V
��C
��
��
��
��
��
��
��
��A��
��
��
��
��3��
��3��
��3��
��d��3��
��
��x
��
��
��
��
��
��
��
��
��
��
��
��
��
��
��
��
��
��
��
��
��Z��
��
��
��
��
��
��R��
��ͱ��ћ��
��
��K��
��K��
��
��
��
��
��l
��
��
��
��O��>��
��>��
��
��
��
��
��
��
��
��
��;��
��
��
��2��
��
��3��
��
��
��
��z��
��z��
��
��
��
��
��G��*��q��
��
��
��
��|
��
��
��
��
��
��M
��
��
��
��
��
��T��
��
��q��
��*��q��
��
��
��X��
��
��^��
��
��
��
��n��
��m��n��
��m��n��
��
��
��
��"��
��z
��

��ћ��͠��ћ��

��
��
��
��
��
��
��j
��
��
��

��͠��ћ��

ord15
ord4
ord9
ord23
ord1
ord19
ord57
ord12
ord115
ord116
ord52
ord8
ord14
ord13
ord151
ord2
ord16
ord22
ord111
ord18
ord10
ord11
ord3

��ћ��

��ћ��
��

��ѻ��

��
��

��ћ��

��
��&
��

Exports

Exports

_ReflectiveLoader@4

Sections

ы��
Size: 146KB - Virtual size: 146KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

э��
Size: 40KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

ћ��
Size: 9KB - Virtual size: 63KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

э��
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

4f38a918c40e01f1f6841a3c2cd4b1d3

Code Sign

Headers

DLL Characteristics

File Characteristics

Imports

��������ћ���

�������ћ�����͠��ћ���

��͠��ћ���

������ћ���

��������ѻ���

�������ћ���������������������

Exports

Exports

Sections

ы���� Size: 146KB - Virtual size: 146KB

э����� Size: 40KB - Virtual size: 40KB

ћ���� Size: 9KB - Virtual size: 63KB

э����� Size: 8KB - Virtual size: 7KB

��ћ��

��ћ��͠��ћ��

��͠��ћ��

��ћ��

��ѻ��

��ћ��

ы��
Size: 146KB - Virtual size: 146KB

э��
Size: 40KB - Virtual size: 40KB

ћ��
Size: 9KB - Virtual size: 63KB

э��
Size: 8KB - Virtual size: 7KB