cobaltstrike | cfd44d46a4b7533688515c57f9b93126425ef5a2afe29d16a70647cb0f65731b

Sharing

Copy URL Twitter E-mail

General

Target

cfd44d46a4b7533688515c57f9b93126425ef5a2afe29d16a70647cb0f65731b
Size

421KB
MD5

1fa1353fa8a0571dbbe0ede8f7cf931c
SHA1

70e90fbb032ece148d90f196abac445f2ba0ccdc
SHA256

cfd44d46a4b7533688515c57f9b93126425ef5a2afe29d16a70647cb0f65731b
SHA512

b29bf59fed20e0d75a1a11ab26db87ac445887c8b49cefe82b1b448ef242addd81bb1efdde0c65661a77d6461000e17bd9b92ba58492fe90e9a0505330b1c4e1
SSDEEP

12288:d1HF0DVfqyhFXmMn6o4pubIem9Th8Uw8idv:d1HF0DVfqyhFXmMn6o4pubIerZdv

Score

10^/10

cobaltstrike

Malware Config

Extracted

Family

cobaltstrike

http://��H�� H��AYAYPPPPM1�AQH��:281314120H��A��]��H�� H�� XXXXH��A�Ɩ�R�ջ�* A��H��(<| ��u�Groj

http://A�s��l��H�� H��:2202588671A��H��(<| ��u�Groj

Attributes

user_agent
.dll

Signatures

Cobaltstrike family
cobaltstrike

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
cfd44d46a4b7533688515c57f9b93126425ef5a2afe29d16a70647cb0f65731b

Files

cfd44d46a4b7533688515c57f9b93126425ef5a2afe29d16a70647cb0f65731b
.exe windows x64

681d4c11b90c6ee1c8a7260cf251cb52

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

ZwQueryValueKey
ZwUnmapViewOfSection
PsTerminateSystemThread
ZwClose
RtlRandom
KeWaitForSingleObject
RtlCompareMemory
ZwDeviceIoControlFile
ZwOpenSection
ZwEnumerateKey
ZwOpenKey
DbgPrint
_wcsicmp
IoBuildDeviceIoControlRequest
MmGetSystemRoutineAddress
ZwSetValueKey
RtlEqualUnicodeString
IoRegisterBootDriverReinitialization
ObReferenceObjectByHandle
RtlCopyUnicodeString
ObfDereferenceObject
IoGetDeviceProperty
IofCallDriver
NtNotifyChangeDirectoryFile
ZwFsControlFile
ZwQuerySystemInformation
ZwWaitForSingleObject
ZwQueryVolumeInformationFile
PsCreateSystemThread
ZwOpenProcess
ZwOpenFile
NtShutdownSystem
ZwAdjustPrivilegesToken
ZwOpenProcessTokenEx
KeReleaseSpinLock
KeAcquireSpinLockRaiseToDpc
KeQueryActiveProcessors
KdDebuggerNotPresent
IoRegisterPlugPlayNotification
RtlAnsiStringToUnicodeString
RtlInitAnsiString
RtlFreeUnicodeString
IoGetDeviceObjectPointer
KdDebuggerEnabled
Mm64BitPhysicalAddress
IoGetCurrentProcess
RtlAppendUnicodeStringToString
PsGetVersion
PsGetCurrentThreadId
PsGetCurrentProcessId
KeNumberProcessors
InitSafeBootMode
RtlUnicodeStringToAnsiString
ZwDeleteValueKey
ZwDeleteKey
PoStartNextPowerIrp
ZwCreateFile
IofCompleteRequest
KeInitializeEvent
swprintf
KeSetEvent
ZwMapViewOfSection
KeSetPriorityThread
ZwCreateKey
IoCreateSymbolicLink
IoUnregisterShutdownNotification
RtlInitUnicodeString
IoRegisterShutdownNotification
IoDeleteSymbolicLink
ExAllocatePoolWithTag
ExAllocatePoolWithTagPriority
IoCreateDevice
ObfReferenceObject
PoCallDriver
IoAttachDeviceToDeviceStack
IoGetAttachedDeviceReference
KeBugCheckEx
ZwDuplicateObject
ExSystemTimeToLocalTime
RtlTimeToTimeFields
IoGetRelatedDeviceObject
IoFreeMdl
IoFreeIrp
MmProbeAndLockPages
IoAllocateIrp
IoAllocateMdl
MmUnmapLockedPages
KeInitializeDpc
MmAllocatePagesForMdl
MmUnmapIoSpace
KeInitializeTimer
KeSetTimerEx
MmMapLockedPagesSpecifyCache
MmMapIoSpace
MmFreePagesFromMdl
sprintf
IoInvalidateDeviceRelations
PoSetPowerState
ZwReadFile
ZwSetInformationFile
ZwWriteFile
strchr
ZwEnumerateValueKey
ExInterlockedAddLargeInteger
KeInitializeSemaphore
KeReleaseSemaphore
MmBuildMdlForNonPagedPool
MmUnlockPages
PsLookupProcessByProcessId
KeUnstackDetachProcess
KeDelayExecutionThread
ZwFreeVirtualMemory
KeStackAttachProcess
ZwAllocateVirtualMemory
IoCreateFile
RtlGetVersion
RtlCompareUnicodeString
MmIsAddressValid
ZwQueryInformationFile
RtlDowncaseUnicodeString
PsSetCreateProcessNotifyRoutine
ExRaiseStatus
_stricmp
RtlImageDirectoryEntryToData
wcsstr
_wcsupr
KeSetSystemAffinityThread
RtlImageNtHeader
KeRegisterBugCheckReasonCallback
PsSetLoadImageNotifyRoutine
FsRtlIsNameInExpression
IoDeleteDevice
ExFreePoolWithTag
__C_specific_handler

hal

HalGetBusDataByOffset
KeStallExecutionProcessor
KeQueryPerformanceCounter

tdi.sys

TdiDeregisterPnPHandlers
TdiRegisterPnPHandlers

Sections

.text
Size: 386KB - Virtual size: 385KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 928B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 36B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

681d4c11b90c6ee1c8a7260cf251cb52

Headers

File Characteristics

Imports

ntoskrnl.exe

hal

tdi.sys

Sections

.text Size: 386KB - Virtual size: 385KB

.rdata Size: 17KB - Virtual size: 16KB

.data Size: 4KB - Virtual size: 30KB

.pdata Size: 7KB - Virtual size: 6KB

INIT Size: 4KB - Virtual size: 4KB

.rsrc Size: 1024B - Virtual size: 928B

.reloc Size: 512B - Virtual size: 36B

.text
Size: 386KB - Virtual size: 385KB

.rdata
Size: 17KB - Virtual size: 16KB

.data
Size: 4KB - Virtual size: 30KB

.pdata
Size: 7KB - Virtual size: 6KB

INIT
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 1024B - Virtual size: 928B

.reloc
Size: 512B - Virtual size: 36B