cobaltstrike | 738ed6f15fbaf536e37490b1047c777d9d1dd8c562c5535187715ca18b4d8d2e | Triage

Sharing

General

Target

738ed6f15fbaf536e37490b1047c777d9d1dd8c562c5535187715ca18b4d8d2e
Size

1.2MB
MD5

5da9529e0cedb80006c628c0f9dd474f
SHA1

910242f62e52fdbf5df3375cb85f640609cae106
SHA256

738ed6f15fbaf536e37490b1047c777d9d1dd8c562c5535187715ca18b4d8d2e
SHA512

e056b8d80e7c78854301c34807ab734a1f40ad0f35a5e598e645e3d422666d807d0adab3ecaacdf41d6bd892ed3b1b4d274385c0690559c57db6b9f893f258f7
SSDEEP

24576:K75vRzI7VpeBGmCZElE3iPcKWssATf9K:czI7TKWsxfI

Score

10^/10

cobaltstrike

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
sample	cobalt_reflective_dll

Cobaltstrike family
cobaltstrike

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
738ed6f15fbaf536e37490b1047c777d9d1dd8c562c5535187715ca18b4d8d2e

Files

738ed6f15fbaf536e37490b1047c777d9d1dd8c562c5535187715ca18b4d8d2e
.exe windows:4 windows x86

0d6b2433b9af4c1382ad94472120d6be

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

winmm

timeBeginPeriod

ws2_32

WSAGetOverlappedResult

ntdll

NtWaitForSingleObject

advapi32

CryptReleaseContext
CryptGenRandom
CryptAcquireContextW

kernel32

WriteFile
WriteConsoleW
WaitForSingleObject
VirtualFree
VirtualAlloc
SwitchToThread
SuspendThread
SetWaitableTimer
SetUnhandledExceptionFilter
SetThreadPriority
SetProcessPriorityBoost
SetEvent
SetErrorMode
SetConsoleCtrlHandler
ResumeThread
LoadLibraryA
LoadLibraryW
GetThreadContext
GetSystemInfo
GetStdHandle
GetQueuedCompletionStatus
GetProcessAffinityMask
GetProcAddress
GetEnvironmentStringsW
GetConsoleMode
FreeEnvironmentStringsW
ExitProcess
DuplicateHandle
CreateWaitableTimerA
CreateThread
CreateEventA
CloseHandle
AddVectoredExceptionHandler

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 91KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.symtab
Size: 512B - Virtual size: 4B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ