metasploit | 5d37d6cd6d359cbdbda2cc7bad141a7f

Sharing

Copy URL Twitter E-mail

General

Target

5d37d6cd6d359cbdbda2cc7bad141a7f
Size

270KB
MD5

5d37d6cd6d359cbdbda2cc7bad141a7f
SHA1

df23bae4a6270b23f58719d8601845268d7d2c03
SHA256

ab13f819640599a62575b5d999fb530d8f1baf12d2b40cac533171420e6ac647
SHA512

934740037fea7ab073d14a5cc6d6a0bfadde6a728770bab75cc176f5aa861344b57c46b8d2f9491ab6bfc17e16379cfe6060d31da473825ef3da76b3e1cfe0eb
SSDEEP

6144:F+JUbzEqVsscqWvrxXB2YFB1LmhiinmJF15s7:Fsczxs2WzxXBVFB1L5Cmn87

Score

10^/10

0 metasploit cobaltstrike

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

cobaltstrike

Botnet

Attributes

beacon_type
4096
http_header1
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
polling_time
10000
port_number
42978
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCIZQW2ssrE0i8vjjKm/eXoY0rSpQy+l89B9vg39dP8T7kMKlITXpifmyVZ2hNt6DnZAdyQ7fyHiCkbnu9s+Rb2a1GSTmi+y+DodaMYK/NU0dWA6+hawikl/InlYiRsvoxD42pM5sPTUkohcDxc2+dAytb+NT3+/xCyJ7N5+6bI6QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
watermark
0

Signatures

Cobaltstrike family
cobaltstrike
Metasploit family
metasploit

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
5d37d6cd6d359cbdbda2cc7bad141a7f

Files

5d37d6cd6d359cbdbda2cc7bad141a7f
.dll windows:5 windows x86 arch:x86

9d9fd850ae414cf4cef6e0521cddb88d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

shlwapi

StrCmpIW
PathStripPathW

kernel32

QueryPerformanceCounter
CreateFileW
WriteConsoleW
GetModuleHandleW
GetModuleFileNameW
CreateMutexA
GetLastError
VirtualAlloc
VirtualProtect
GetCurrentProcessId
GetCurrentThreadId
CreateToolhelp32Snapshot
Thread32First
OpenThread
SuspendThread
CloseHandle
Thread32Next
InterlockedCompareExchange
FindResourceExW
LoadResource
SizeofResource
LockResource
CreateThread
WaitForSingleObject
VirtualFree
ExitProcess
GetCommandLineA
GetSystemTimeAsFileTime
IsDebuggerPresent
IsProcessorFeaturePresent
SetLastError
InterlockedIncrement
InterlockedDecrement
EncodePointer
DecodePointer
GetModuleHandleExW
GetProcAddress
MultiByteToWideChar
GetProcessHeap
GetStdHandle
GetFileType
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
GetStartupInfoW
GetModuleFileNameA
HeapFree
GetEnvironmentStringsW
FreeEnvironmentStringsW
WideCharToMultiByte
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
Sleep
EnterCriticalSection
LeaveCriticalSection
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
WriteFile
LoadLibraryExW
RtlUnwind
HeapAlloc
HeapReAlloc
GetStringTypeW
OutputDebugStringW
LoadLibraryW
HeapSize
LCMapStringW
FlushFileBuffers
GetConsoleCP
GetConsoleMode
SetStdHandle
SetFilePointerEx

Exports

Exports

sqlite3_bind_blob
sqlite3_bind_double
sqlite3_bind_int
sqlite3_bind_null
sqlite3_bind_parameter_count
sqlite3_bind_parameter_index
sqlite3_bind_parameter_name
sqlite3_bind_text
sqlite3_busy_timeout
sqlite3_changes
sqlite3_close
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_count
sqlite3_column_decltype
sqlite3_column_double
sqlite3_column_int
sqlite3_column_int64
sqlite3_column_name
sqlite3_column_text
sqlite3_column_type
sqlite3_errmsg
sqlite3_exec
sqlite3_finalize
sqlite3_free
sqlite3_free_table
sqlite3_get_autocommit
sqlite3_get_table
sqlite3_last_insert_rowid
sqlite3_mprintf
sqlite3_open
sqlite3_prepare_v2
sqlite3_reset
sqlite3_step
sqlite3_vmprintf

Sections

.text
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 209KB - Virtual size: 209KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

9d9fd850ae414cf4cef6e0521cddb88d

Headers

DLL Characteristics

File Characteristics

Imports

shlwapi

kernel32

Exports

Exports

Sections

.text Size: 28KB - Virtual size: 28KB

.rdata Size: 19KB - Virtual size: 18KB

.data Size: 3KB - Virtual size: 11KB

.rsrc Size: 209KB - Virtual size: 209KB

.reloc Size: 8KB - Virtual size: 8KB

.text
Size: 28KB - Virtual size: 28KB

.rdata
Size: 19KB - Virtual size: 18KB

.data
Size: 3KB - Virtual size: 11KB

.rsrc
Size: 209KB - Virtual size: 209KB

.reloc
Size: 8KB - Virtual size: 8KB