cobaltstrike | a771d34f0efa34761d3a18371bc9655b[.]bin

Sharing

Copy URL Twitter E-mail

General

Target

a771d34f0efa34761d3a18371bc9655b.bin
Size

56KB
MD5

bbf5f0b697d98c670014777263ba3776
SHA1

19ca42a40cda49d3d79c75bd6f88d87272c4b68f
SHA256

e04773ed39d436bcd46a7d40397aa4d75d3ff0d794c5e45772186ab2da0c5b90
SHA512

d6bd8ef3fa67bfc2d542a8206d080d930bda3ad6c512dae186fc332222d8d65e703eae45fecc519fe9f29808a10485de1eddb4dcf843dda7fcfbbe66f1f855a2
SSDEEP

1536:TUlF7jmephfaDQIjAK4DGATCkrjqi3MkLkUR2GP2:TUl1TplasbyATC6eivgGP2

Score

10^/10

cobaltstrike

Malware Config

Extracted

Family

cobaltstrike

http://121.5.22.133:21786/hY4h

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)

Signatures

Cobaltstrike family
cobaltstrike

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/da299be7f0cc9d71cdea150c0951dd6e4b121b65882a5bf2826f59dd02ea0ab5.exe

Files

a771d34f0efa34761d3a18371bc9655b.bin
.zip

Password: infected
da299be7f0cc9d71cdea150c0951dd6e4b121b65882a5bf2826f59dd02ea0ab5.exe
.dll windows:6 windows x64

b80f9a3caeabbd97ef3418216ac93c69

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

WriteProcessMemory
VirtualAlloc
GetModuleFileNameW
GetSystemDirectoryW
OpenProcess
DisableThreadLibraryCalls
CloseHandle
LoadLibraryW
CreateThread
GetProcAddress
ExitProcess
GetCurrentProcessId
FreeLibrary
lstrcpyW
CreateFileW
SetFilePointerEx
GetConsoleMode
GetConsoleOutputCP
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlUnwindEx
InterlockedFlushSList
GetLastError
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
EncodePointer
RaiseException
RtlPcToFileHeader
GetModuleHandleExW
HeapAlloc
HeapFree
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
LCMapStringW
GetProcessHeap
GetStdHandle
GetFileType
GetStringTypeW
HeapSize
HeapReAlloc
SetStdHandle
FlushFileBuffers
WriteFile
WriteConsoleW

user32

wsprintfW
MessageBoxW
wsprintfA

shlwapi

StrCmpIW
PathStripPathW

Exports

Exports

curl_easy_cleanup
curl_easy_duphandle
curl_easy_escape
curl_easy_getinfo
curl_easy_init
curl_easy_pause
curl_easy_perform
curl_easy_recv
curl_easy_reset
curl_easy_send
curl_easy_setopt
curl_easy_strerror
curl_easy_unescape
curl_escape
curl_formadd
curl_formfree
curl_formget
curl_free
curl_getdate
curl_getenv
curl_global_cleanup
curl_global_init
curl_global_init_mem
curl_maprintf
curl_mfprintf
curl_mprintf
curl_msnprintf
curl_msprintf
curl_multi_add_handle
curl_multi_assign
curl_multi_cleanup
curl_multi_fdset
curl_multi_info_read
curl_multi_init
curl_multi_perform
curl_multi_remove_handle
curl_multi_setopt
curl_multi_socket
curl_multi_socket_action
curl_multi_socket_all
curl_multi_strerror
curl_multi_timeout
curl_multi_wait
curl_mvaprintf
curl_mvfprintf
curl_mvprintf
curl_mvsnprintf
curl_mvsprintf
curl_pushheader_byname
curl_pushheader_bynum
curl_share_cleanup
curl_share_init
curl_share_setopt
curl_share_strerror
curl_slist_append
curl_slist_free_all
curl_strequal
curl_strnequal
curl_unescape
curl_version
curl_version_info

Sections

.text
Size: 57KB - Virtual size: 56KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 42KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 248B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

b80f9a3caeabbd97ef3418216ac93c69

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

shlwapi

Exports

Exports

Sections

.text Size: 57KB - Virtual size: 56KB

.rdata Size: 42KB - Virtual size: 41KB

.data Size: 3KB - Virtual size: 7KB

.pdata Size: 4KB - Virtual size: 4KB

_RDATA Size: 512B - Virtual size: 348B

.rsrc Size: 512B - Virtual size: 248B

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 57KB - Virtual size: 56KB

.rdata
Size: 42KB - Virtual size: 41KB

.data
Size: 3KB - Virtual size: 7KB

.pdata
Size: 4KB - Virtual size: 4KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 512B - Virtual size: 248B

.reloc
Size: 2KB - Virtual size: 1KB