ducktail | 2024-08-06_4ae99291e34e7b96d1970beb35492e66_cobalt-strike_megazord

Sharing

Copy URL

Twitter E-mail

General

Target

2024-08-06_4ae99291e34e7b96d1970beb35492e66_cobalt-strike_megazord
Size

66.6MB
MD5

4ae99291e34e7b96d1970beb35492e66
SHA1

4b287fe68eaa2fae204472800ed1b779bcdb55e6
SHA256

30c252c9fffff420d04a1e3c179f93d4fde7e6b822ae5dd7a189e3e6382b037d
SHA512

cdbf4a2a3700707b3295302f2a946426904e22242fed0e88a7a59b6ed4f6c204785496bc3604a9693ac2c392f8c80073dc39513e8a7fc5ba383b70d0613e3d25
SSDEEP

393216:kvnXasAUGEJYGf9IeuaaqBlnmOzfgb+9Z5Gzt/nxX9ZzqtCQsh/D2dr14asLQNtC:kPKYBwomOTgbr/skQsh/SgaNc

Score

10^/10

ducktail

Malware Config

Signatures

Detect Ducktail Third Stage Payload 1 IoCs

resource	yara_rule
sample	ducktail_3rd_stage

Ducktail family
ducktail

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-08-06_4ae99291e34e7b96d1970beb35492e66_cobalt-strike_megazord

Files

2024-08-06_4ae99291e34e7b96d1970beb35492e66_cobalt-strike_megazord
.exe windows:6 windows x64 arch:x64

753845d2c9ef7d478e4225bf1d78584a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb

Imports

kernel32

RaiseException
FreeLibrary
SetErrorMode
RaiseFailFastException
GetExitCodeProcess
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
AddVectoredExceptionHandler
MultiByteToWideChar
GetTickCount
FlushInstructionCache
QueryPerformanceFrequency
QueryPerformanceCounter
RtlLookupFunctionEntry
LocateXStateFeature
RtlDeleteFunctionTable
InterlockedPushEntrySList
InterlockedFlushSList
InitializeSListHead
GetTickCount64
DuplicateHandle
QueueUserAPC
WaitForSingleObjectEx
SetThreadPriority
GetThreadPriority
GetCurrentThreadId
TlsAlloc
GetCurrentThread
GetCurrentProcessId
CreateThread
GetModuleHandleW
WaitForMultipleObjectsEx
SignalObjectAndWait
RtlCaptureContext
SetThreadStackGuarantee
VirtualQuery
WriteFile
GetStdHandle
GetConsoleOutputCP
MapViewOfFileEx
UnmapViewOfFile
GetStringTypeExW
InterlockedPopEntrySList
ExitProcess
Sleep
CreateMemoryResourceNotification
VirtualAlloc
VirtualFree
VirtualProtect
SleepEx
SwitchToThread
SuspendThread
ResumeThread
InitializeContext
SetXStateFeaturesMask
RtlRestoreContext
CloseThreadpoolTimer
CreateThreadpoolTimer
SetThreadpoolTimer
ReadFile
GetFileSize
GetEnvironmentVariableW
SetEnvironmentVariableW
CreateEventW
SetEvent
ResetEvent
GetThreadContext
SetThreadContext
GetEnabledXStateFeatures
CopyContext
WerRegisterRuntimeExceptionModule
RtlInstallFunctionTableCallback
GetSystemDefaultLCID
GetUserDefaultLCID
RtlUnwind
HeapAlloc
HeapFree
GetProcessHeap
HeapCreate
HeapDestroy
GetEnvironmentStringsW
FreeEnvironmentStringsW
FormatMessageW
CreateSemaphoreExW
ReleaseSemaphore
GetACP
LCMapStringEx
LocalFree
VerSetConditionMask
VerifyVersionInfoW
QueryThreadCycleTime
GetLogicalProcessorInformationEx
SetThreadGroupAffinity
GetThreadGroupAffinity
GetProcessGroupAffinity
GetCurrentProcessorNumberEx
GetProcessAffinityMask
QueryInformationJobObject
CloseHandle
GetSystemTimeAsFileTime
GetModuleFileNameW
CreateProcessW
GetCPInfo
LoadLibraryExW
CreateFileW
GetFileAttributesExW
GetFullPathNameW
LoadLibraryExA
OutputDebugStringA
OpenEventW
ReleaseMutex
ExitThread
CreateMutexW
HeapReAlloc
CreateNamedPipeA
WaitForMultipleObjects
DisconnectNamedPipe
CreateFileA
CancelIoEx
GetOverlappedResult
ConnectNamedPipe
FlushFileBuffers
SetFilePointer
MapViewOfFile
GetActiveProcessorGroupCount
GetSystemTime
SetConsoleCtrlHandler
GetLocaleInfoEx
GetUserDefaultLocaleName
RtlAddFunctionTable
LoadLibraryW
CreateDirectoryW
RemoveDirectoryW
CreateActCtxW
ActivateActCtx
FindResourceW
GetWindowsDirectoryW
GetFileSizeEx
FindFirstFileExW
FindNextFileW
GetTempPathW
FindClose
LoadLibraryA
GetCurrentDirectoryW
IsWow64Process
EncodePointer
DecodePointer
CreateFileMappingA
TlsSetValue
TlsGetValue
GetSystemInfo
GetCurrentProcess
OutputDebugStringW
IsDebuggerPresent
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
WideCharToMultiByte
GetCommandLineW
GetProcAddress
GetModuleHandleExW
SetThreadErrorMode
FlushProcessWriteBuffers
SetLastError
DebugBreak
WaitForSingleObject
GetNumaHighestNodeNumber
SetThreadAffinityMask
SetThreadIdealProcessorEx
GetThreadIdealProcessorEx
VirtualAllocExNuma
GetNumaProcessorNodeEx
VirtualUnlock
GetLargePageMinimum
IsProcessInJob
K32GetProcessMemoryInfo
GetLogicalProcessorInformation
GlobalMemoryStatusEx
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
RtlVirtualUnwind
IsProcessorFeaturePresent
RtlUnwindEx
InitializeCriticalSectionAndSpinCount
TlsFree
RtlPcToFileHeader
TryAcquireSRWLockExclusive
GetExitCodeThread
GetStringTypeW
InitializeCriticalSectionEx
GetLastError
CreateFileMappingW

advapi32

ReportEventW
AdjustTokenPrivileges
RegGetValueW
SetKernelObjectSecurity
GetSidSubAuthorityCount
GetSidSubAuthority
GetTokenInformation
OpenProcessToken
DeregisterEventSource
RegisterEventSourceW
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
EventRegister
SetThreadToken
RevertToSelf
OpenThreadToken
EventWriteTransfer
EventWrite
LookupPrivilegeValueW

ole32

CreateStreamOnHGlobal
CoRevokeInitializeSpy
CoGetClassObject
CoGetContextToken
CoGetObjectContext
CoUnmarshalInterface
CoMarshalInterface
CoGetMarshalSizeMax
CLSIDFromProgID
CoReleaseMarshalData
CoTaskMemFree
CoTaskMemAlloc
CoCreateGuid
CoInitializeEx
CoRegisterInitializeSpy
CoWaitForMultipleHandles
CoUninitialize
CoCreateFreeThreadedMarshaler

oleaut32

CreateErrorInfo
SysFreeString
GetErrorInfo
SetErrorInfo
SysStringLen
SysAllocString
SysAllocStringLen
SafeArrayGetDim
SafeArrayGetLBound
SafeArrayDestroy
QueryPathOfRegTypeLi
LoadTypeLibEx
SafeArrayGetVartype
VariantChangeType
VariantChangeTypeEx
VariantClear
VariantInit
VarCyFromDec
SafeArrayAllocDescriptorEx
GetRecordInfoFromTypeInfo
SafeArraySetRecordInfo
SafeArrayAllocData
SafeArrayGetElemsize
SysStringByteLen
SysAllocStringByteLen
SafeArrayCreateVector
SafeArrayPutElement
LoadRegTypeLi

user32

LoadStringW
MessageBoxW

shell32

ShellExecuteW

api-ms-win-crt-string-l1-1-0

strncat_s
wcsncat_s
strcmp
wcsnlen
wcscat_s
towupper
iswascii
_strdup
strncpy
strnlen
wcstok_s
isdigit
isupper
isalpha
towlower
_wcsdup
iswspace
isspace
islower
strtok_s
_wcsnicmp
strcspn
__strncnt
strlen
wcscpy_s
toupper
wcsncpy_s
strcpy_s
strcat_s
strncpy_s
_strnicmp
tolower
wcsncmp
iswupper
strncmp
_stricmp
_wcsicmp

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsscanf
fflush
__acrt_iob_func
__stdio_common_vfprintf
__stdio_common_vswprintf
__stdio_common_vfwprintf
fputws
fputwc
_get_stream_buffer_pointers
_fseeki64
fread
fsetpos
ungetc
fgetpos
fgets
fgetc
fputc
_wfsopen
_wfopen
__p__commode
_set_fmode
__stdio_common_vsnprintf_s
setvbuf
_setmode
_dup
_fileno
ftell
fseek
fputs
__stdio_common_vsnwprintf_s
__stdio_common_vsprintf_s
fwrite
_flushall
fopen
fclose

api-ms-win-crt-runtime-l1-1-0

_crt_atexit
_cexit
_seh_filter_exe
_set_app_type
_register_onexit_function
_configure_wide_argv
_initialize_wide_environment
_get_initial_wide_environment
_initterm
_initterm_e
_exit
_invalid_parameter_noinfo_noreturn
__p___argc
__p___wargv
_c_exit
_register_thread_local_exe_atexit_callback
_initialize_onexit_table
_beginthreadex
terminate
_controlfp_s
_wcserror_s
_invalid_parameter_noinfo
_errno
exit
abort

api-ms-win-crt-convert-l1-1-0

_atoi64
_ltow_s
_wtoi
strtoul
_wcstoui64
atol
_itow_s
strtoull
wcstoul

api-ms-win-crt-heap-l1-1-0

free
_set_new_mode
calloc
malloc
realloc

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-math-l1-1-0

asinhf
atanhf
cbrtf
acoshf
cosh
cbrt
coshf
exp
expf
acosh
atanh
floor
floorf
fma
fmaf
cosf
_fdopen
cos
ceilf
_copysignf
_isnanf
trunc
truncf
ilogb
ilogbf
tanhf
ceil
fmod
fmodf
atanf
frexp
atan2f
atan2
log
log10
log10f
atan
asinf
log2
log2f
logf
pow
powf
sin
sinf
asin
sinh
sinhf
sqrt
sqrtf
tan
tanf
tanh
acosf
_copysign
asinh
_isnan
_finite
modf
modff
acos
__setusermatherr

api-ms-win-crt-time-l1-1-0

_time64
_gmtime64_s
wcsftime

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-locale-l1-1-0

_unlock_locales
setlocale
__pctype_func
___lc_locale_name_func
_lock_locales
___lc_codepage_func
___mb_cur_max_func
_configthreadlocale
localeconv

api-ms-win-crt-filesystem-l1-1-0

_wrename
_unlock_file
_wremove
_lock_file

Exports

Exports

CLRJitAttachState
DotNetRuntimeInfo
MetaDataGetDispenser
g_CLREngineMetrics
g_dacTable

Sections

.text
Size: 6.1MB - Virtual size: 6.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.CLR_UEF
Size: 512B - Virtual size: 221B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 38KB - Virtual size: 128KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 216KB - Virtual size: 216KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Section
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_RDATA
Size: 77KB - Virtual size: 77KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

753845d2c9ef7d478e4225bf1d78584a

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

advapi32

ole32

oleaut32

user32

shell32

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

Exports

Exports

Sections

.text Size: 6.1MB - Virtual size: 6.1MB

.CLR_UEF Size: 512B - Virtual size: 221B

.rdata Size: 1.5MB - Virtual size: 1.5MB

.data Size: 38KB - Virtual size: 128KB

.pdata Size: 216KB - Virtual size: 216KB

.didat Size: 512B - Virtual size: 56B

Section Size: 512B - Virtual size: 8B

_RDATA Size: 77KB - Virtual size: 77KB

.rsrc Size: 1.5MB - Virtual size: 1.5MB

.reloc Size: 32KB - Virtual size: 31KB

.text
Size: 6.1MB - Virtual size: 6.1MB

.CLR_UEF
Size: 512B - Virtual size: 221B

.rdata
Size: 1.5MB - Virtual size: 1.5MB

.data
Size: 38KB - Virtual size: 128KB

.pdata
Size: 216KB - Virtual size: 216KB

.didat
Size: 512B - Virtual size: 56B

Section
Size: 512B - Virtual size: 8B

_RDATA
Size: 77KB - Virtual size: 77KB

.rsrc
Size: 1.5MB - Virtual size: 1.5MB

.reloc
Size: 32KB - Virtual size: 31KB