cobaltstrike | JC_17d1b864c2ddda4b513b26a625b621cc1a0871dcbfb1f8303036abd04ee729f9 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

JC_17d1b864c2ddda4b513b26a625b621cc1a0871dcbfb1f8303036abd04ee729f9
Size

1.2MB
MD5

f0da03a509b3321d149903a072b62679
SHA1

51cb5306808af12cc133ccb0eb3f3650f35cc4f9
SHA256

17d1b864c2ddda4b513b26a625b621cc1a0871dcbfb1f8303036abd04ee729f9
SHA512

f08ab619185a9922978d8a36b4703a07a430da86632e05cd46e9e0ac3b36974c3aebb6624a66bd65aded0016ace51c1c5c661cb9f011a960c6c1583fd493ab6d
SSDEEP

12288:hqNVSFWWgzWR1FxLeb8Ze4Wczw5lr3WWe5Cce/y/YhsqILnZHja0qgXT5YMqo:INVznzW1xLeb8kcz4lW5C9KqILZvt

Score

10^/10

cobaltstrike

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
sample	cobalt_reflective_dll

Cobaltstrike family
cobaltstrike

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
JC_17d1b864c2ddda4b513b26a625b621cc1a0871dcbfb1f8303036abd04ee729f9

Files

JC_17d1b864c2ddda4b513b26a625b621cc1a0871dcbfb1f8303036abd04ee729f9
.exe windows:4 windows x86

0d6b2433b9af4c1382ad94472120d6be

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

winmm

timeBeginPeriod

ws2_32

WSAGetOverlappedResult

ntdll

NtWaitForSingleObject

advapi32

CryptReleaseContext
CryptGenRandom
CryptAcquireContextW

kernel32

WriteFile
WriteConsoleW
WaitForSingleObject
VirtualFree
VirtualAlloc
SwitchToThread
SuspendThread
SetWaitableTimer
SetUnhandledExceptionFilter
SetThreadPriority
SetProcessPriorityBoost
SetEvent
SetErrorMode
SetConsoleCtrlHandler
ResumeThread
LoadLibraryA
LoadLibraryW
GetThreadContext
GetSystemInfo
GetStdHandle
GetQueuedCompletionStatus
GetProcessAffinityMask
GetProcAddress
GetEnvironmentStringsW
GetConsoleMode
FreeEnvironmentStringsW
ExitProcess
DuplicateHandle
CreateWaitableTimerA
CreateThread
CreateEventA
CloseHandle
AddVectoredExceptionHandler

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 91KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.symtab
Size: 512B - Virtual size: 4B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ