2024-05-30_d46686b07623e2aa7e36430937ae37f2_cobalt-strike_cobaltstrike

Sharing

Copy URL Twitter E-mail

General

Target

2024-05-30_d46686b07623e2aa7e36430937ae37f2_cobalt-strike_cobaltstrike
Size

1.1MB
MD5

d46686b07623e2aa7e36430937ae37f2
SHA1

8a5d02214a9a35cad19680339901958eb962305e
SHA256

e00378abe2832a7a3130953d81d5e5b57478d425100045b8f97c8ba7b85366e5
SHA512

af9db7cd0a3efb057af52befbbd7ecbbbbcc4fe27c1d5db65de4a8f9a63dabff54b04552f93a3510149db343a4263490f11070da93787a718299b870a1dfc325
SSDEEP

3072:b4sOBEMAOb6Xs80RsbA32t9NGvpKmwbROtJck1tLXsbcu:bBDJj

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-05-30_d46686b07623e2aa7e36430937ae37f2_cobalt-strike_cobaltstrike

Files

2024-05-30_d46686b07623e2aa7e36430937ae37f2_cobalt-strike_cobaltstrike
.exe windows:6 windows x86 arch:x86

32cde2cffbc96276c8d97d5a56ca4272

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\tom\Desktop\code\CS\LLVM\beacon_cs.pdb

Imports

kernel32

CreateFileMappingA
MapViewOfFile
UnmapViewOfFile
CloseHandle
GetLastError
VirtualAllocEx
WriteProcessMemory
VirtualProtectEx
GetThreadContext
SetThreadContext
ResumeThread
CreateRemoteThread
SetLastError
CreateToolhelp32Snapshot
Thread32First
OpenThread
Thread32Next
ReadProcessMemory
OpenProcess
GetFullPathNameA
InitializeProcThreadAttributeList
GetProcessHeap
HeapAlloc
MultiByteToWideChar
GetCurrentDirectoryW
CreateProcessA
TerminateProcess
UpdateProcThreadAttribute
DuplicateHandle
SetErrorMode
DeleteProcThreadAttributeList
VirtualProtect
GetStartupInfoA
ExpandEnvironmentStringsA
GetCurrentThread
Process32First
ProcessIdToSessionId
Process32Next
GetCurrentDirectoryA
CreateFileA
WaitNamedPipeA
SetNamedPipeHandleState
DisconnectNamedPipe
PeekNamedPipe
FindFirstFileA
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
FindNextFileA
FindClose
CreateDirectoryA
GetLogicalDrives
GetFileAttributesA
RemoveDirectoryA
WriteFile
FlushFileBuffers
ConnectNamedPipe
ReadFile
CreateNamedPipeA
CreatePipe
CopyFileA
MoveFileA
SleepEx
SetEndOfFile
SetCurrentDirectoryA
GetCurrentProcess
GetCurrentProcessId
GetTickCount
GetOEMCP
GetACP
GetVersionExA
GetModuleFileNameA
GetComputerNameA
WaitForSingleObject
CreateThread
ExitProcess
ExitThread
GetLocalTime
VirtualFree
VirtualAlloc
LoadLibraryA
FreeLibrary
GetProcAddress
Sleep
GetModuleHandleA
HeapFree
CreateFileW
HeapQueryInformation
HeapSize
HeapReAlloc
WriteConsoleW
GetStringTypeW
SetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCPInfo
IsValidCodePage
FindNextFileW
FindFirstFileExW
OutputDebugStringW
SetEnvironmentVariableW
DeleteFileW
ReadConsoleW
SetFilePointerEx
GetFileSizeEx
GetConsoleMode
GetConsoleCP
LCMapStringW
CompareStringW
GetFileType
GetSystemInfo
HeapValidate
GetCommandLineW
GetCommandLineA
IsDebuggerPresent
RaiseException
WideCharToMultiByte
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
GetStartupInfoW
GetModuleHandleW
VirtualQuery
GetModuleFileNameW
LoadLibraryExW
RtlUnwind
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
EncodePointer
GetModuleHandleExW
QueryPerformanceFrequency
GetStdHandle
DecodePointer

advapi32

LookupPrivilegeValueA
AdjustTokenPrivileges
ImpersonateNamedPipeClient
LogonUserA
OpenProcessToken
OpenThreadToken
LookupAccountSidA
GetTokenInformation
CreateProcessAsUserA
CreateProcessWithTokenW
CreateProcessWithLogonW
RevertToSelf
GetUserNameA
FreeSid
CheckTokenMembership
AllocateAndInitializeSid
CryptReleaseContext
CryptGenRandom
CryptAcquireContextA
DuplicateTokenEx
ImpersonateLoggedOnUser

ws2_32

accept
recv
listen
shutdown
send
select
__WSAFDIsSet
WSAGetLastError
connect
ioctlsocket
htons
closesocket
socket
ntohs
gethostbyname
gethostname
WSACleanup
WSAStartup
ntohl
htonl
bind

wininet

InternetQueryDataAvailable
HttpQueryInfoA
InternetSetStatusCallback
InternetQueryOptionA
HttpAddRequestHeadersA
InternetReadFile
InternetSetOptionA
InternetOpenA
InternetCloseHandle
HttpSendRequestA
HttpOpenRequestA
InternetConnectA

Sections

.text
Size: 945KB - Virtual size: 944KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 114KB - Virtual size: 113KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

32cde2cffbc96276c8d97d5a56ca4272

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

advapi32

ws2_32

wininet

Sections

.text Size: 945KB - Virtual size: 944KB

.rdata Size: 114KB - Virtual size: 113KB

.data Size: 7KB - Virtual size: 39KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 23KB - Virtual size: 22KB

.text
Size: 945KB - Virtual size: 944KB

.rdata
Size: 114KB - Virtual size: 113KB

.data
Size: 7KB - Virtual size: 39KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 23KB - Virtual size: 22KB