cobaltstrike | f81f84087bf1f241beb8e2f2df604434d1fb023dce5882c752a538bcf6e29a28 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

f81f84087bf1f241beb8e2f2df604434d1fb023dce5882c752a538bcf6e29a28
Size

1.2MB
MD5

f0edfbd9ada5f01204bf795db82a792b
SHA1

c66a9879503beae006b66fd546b3b5f6b7e050d6
SHA256

f81f84087bf1f241beb8e2f2df604434d1fb023dce5882c752a538bcf6e29a28
SHA512

08c522614fb5d30695ed8c75e7139db160c470cd92afe6b14ce554aaffe20a7aa78f4d6293bebc4b825e4f46e966f43bd6860e5673ad4852ccdaa22a9ccee5f1
SSDEEP

24576:vNVznzW1xLeb8kcz4lW5C9KqILZGHEl/:bzW1fqILY

Score

10^/10

cobaltstrike

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
sample	cobalt_reflective_dll

Cobaltstrike family
cobaltstrike

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
f81f84087bf1f241beb8e2f2df604434d1fb023dce5882c752a538bcf6e29a28

Files

f81f84087bf1f241beb8e2f2df604434d1fb023dce5882c752a538bcf6e29a28
.exe windows:4 windows x86

0d6b2433b9af4c1382ad94472120d6be

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

winmm

timeBeginPeriod

ws2_32

WSAGetOverlappedResult

ntdll

NtWaitForSingleObject

advapi32

CryptReleaseContext
CryptGenRandom
CryptAcquireContextW

kernel32

WriteFile
WriteConsoleW
WaitForSingleObject
VirtualFree
VirtualAlloc
SwitchToThread
SuspendThread
SetWaitableTimer
SetUnhandledExceptionFilter
SetThreadPriority
SetProcessPriorityBoost
SetEvent
SetErrorMode
SetConsoleCtrlHandler
ResumeThread
LoadLibraryA
LoadLibraryW
GetThreadContext
GetSystemInfo
GetStdHandle
GetQueuedCompletionStatus
GetProcessAffinityMask
GetProcAddress
GetEnvironmentStringsW
GetConsoleMode
FreeEnvironmentStringsW
ExitProcess
DuplicateHandle
CreateWaitableTimerA
CreateThread
CreateEventA
CloseHandle
AddVectoredExceptionHandler

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 91KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.symtab
Size: 512B - Virtual size: 4B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ