2024-09-12_625274d0f1b3dc9227214079176aef0d_cobalt-strike_megazord

Sharing

Copy URL Twitter E-mail

General

Target

2024-09-12_625274d0f1b3dc9227214079176aef0d_cobalt-strike_megazord
Size

9.6MB
MD5

625274d0f1b3dc9227214079176aef0d
SHA1

b33dbc3ffc893ddb5ad26b67b76dba4015065117
SHA256

b371d1520af1f7b7f52a5a2b4667ea81d1d349493651deaf8348ae86ffe66dc4
SHA512

a11ee7229a2e80dfaf48582a4d3e00a173f046ee8f01f94864d5361960d32ea5eb722e3c255db04cfed6952b000e47790411c3378ef4758215a4e9f54150a303
SSDEEP

98304:Xq5pWh66VGHfR5nx1ZWVBAbRVJzjP4iq3kGn1+6++Hqo:0Why8VKdVJzjP4iqB1uAq

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-09-12_625274d0f1b3dc9227214079176aef0d_cobalt-strike_megazord

Files

2024-09-12_625274d0f1b3dc9227214079176aef0d_cobalt-strike_megazord
.exe windows:6 windows x64 arch:x64

88cda3149e5c2798545a826c218ad05f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

F:\ChenXun.Xinhuo.V2.0\3.0\window-ui-3.0\src-tauri\target\release\deps\xinhuo.pdb

Imports

wincore

unreg_tap
init
ovpn_disconnect
ovpn_connect
win_dialup
win_hangup
reg_tap

advapi32

EventUnregister
EventWriteTransfer
EventSetInformation
EventRegister
RegCloseKey
CopySid
IsValidSid
RegCreateKeyExW
RegSetValueExW
RegDeleteValueW
GetTokenInformation
OpenProcessToken
IsWellKnownSid
CheckTokenMembership
GetLengthSid
RegQueryValueExW
CreateWellKnownSid
DuplicateTokenEx
SystemFunction036
RegOpenKeyExW
RegGetValueW

iphlpapi

IcmpCreateFile
Icmp6CreateFile
Icmp6SendEcho2
IcmpSendEcho
GetIfEntry2
IcmpCloseHandle

kernel32

EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
RtlPcToFileHeader
HeapFree
AcquireSRWLockExclusive
SwitchToThread
Sleep
GetCurrentThreadId
GetModuleHandleW
GetLastError
CloseHandle
FindClose
SetEnvironmentVariableW
FindFirstFileW
FindNextFileW
GetTickCount64
GetCurrentProcessId
LoadLibraryA
GetProcAddress
AddVectoredExceptionHandler
SetThreadStackGuarantee
HeapAlloc
GetProcessHeap
HeapReAlloc
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
SystemTimeToFileTime
GetTimeZoneInformation
ReadFile
WriteConsoleW
WriteFile
ReleaseSRWLockExclusive
CreateFileW
WaitForSingleObject
GetExitCodeProcess
GetStdHandle
GetConsoleScreenBufferInfo
CreateNamedPipeW
LocalFree
GetConsoleMode
GetCurrentProcess
OpenProcess
lstrlenW
SetConsoleTextAttribute
TryAcquireSRWLockExclusive
GetQueuedCompletionStatusEx
CreateIoCompletionPort
SetFileCompletionNotificationModes
CreatePipe
GetModuleHandleA
WakeAllConditionVariable
SleepConditionVariableSRW
WakeConditionVariable
GetSystemInfo
GetProcessId
TerminateProcess
GetCurrentThread
MultiByteToWideChar
SetLastError
QueryPerformanceFrequency
FormatMessageW
GetCurrentDirectoryW
ReleaseMutex
WaitForSingleObjectEx
CreateMutexA
RtlCaptureContext
RtlLookupFunctionEntry
GetEnvironmentVariableW
GetTempPathW
GetModuleFileNameW
GetCommandLineW
GetFileInformationByHandle
GetFileInformationByHandleEx
GetFullPathNameW
GetFinalPathNameByHandleW
CreateDirectoryW
WideCharToMultiByte
SetHandleInformation
GetEnvironmentStringsW
FreeEnvironmentStringsW
CompareStringOrdinal
GetSystemDirectoryW
GetWindowsDirectoryW
CreateProcessW
GetFileAttributesW
DuplicateHandle
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
DeleteProcThreadAttributeList
CreateThread
ReadFileEx
SleepEx
WriteFileEx
WaitForMultipleObjects
GetOverlappedResult
CreateEventW
CancelIo
ExitProcess
QueryPerformanceCounter
GetSystemTimeAsFileTime
AcquireSRWLockShared
ReleaseSRWLockShared
MoveFileExW
GetProcessTimes
ReadProcessMemory
VirtualQueryEx
GetSystemTimes
GetProcessIoCounters
GlobalMemoryStatusEx
GetDiskFreeSpaceExW
LoadLibraryW
PostQueuedCompletionStatus
FreeLibrary
GetUserDefaultUILanguage
LCIDToLocaleName
FlushFileBuffers
GetTickCount
MapViewOfFile
CreateFileMappingW
FormatMessageA
GetSystemTime
GetFileSize
LockFileEx
UnlockFile
HeapDestroy
HeapCompact
DeleteFileW
DeleteFileA
CreateFileA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
HeapSize
HeapValidate
UnmapViewOfFile
CreateMutexW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
SetFilePointer
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
HeapCreate
AreFileApisANSI
RaiseException
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
RtlVirtualUnwind
LoadLibraryExW
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
InitializeSListHead
IsDebuggerPresent
RtlUnwindEx
UnhandledExceptionFilter

user32

SetWindowLongPtrW
RegisterRawInputDevices
GetAncestor
TranslateAcceleratorW
GetRawInputData
ValidateRect
GetUpdateRect
MapVirtualKeyW
DestroyWindow
RegisterWindowMessageA
SetWindowPos
InvalidateRgn
GetWindowLongW
GetMenu
AdjustWindowRectEx
DestroyIcon
DestroyAcceleratorTable
RegisterClassExW
DefWindowProcW
VkKeyScanW
UnregisterHotKey
CreateIcon
AppendMenuW
SetMenuItemInfoW
ShowWindow
SendInput
PostQuitMessage
GetCursorPos
SetForegroundWindow
TrackPopupMenu
GetWindowPlacement
SystemParametersInfoA
GetDC
MonitorFromWindow
IsProcessDPIAware
ChangeDisplaySettingsExW
SetWindowPlacement
GetMonitorInfoW
GetSystemMenu
EnableMenuItem
SendMessageW
SetWindowLongW
ReleaseCapture
MapVirtualKeyExW
GetKeyboardState
GetKeyboardLayout
CreateWindowExW
EnumDisplayMonitors
SetWindowTextW
GetWindowTextLengthW
GetWindowTextW
GetWindowLongPtrW
MonitorFromRect
GetWindowRect
ClientToScreen
GetActiveWindow
GetClipCursor
GetSystemMetrics
ClipCursor
ShowCursor
TrackMouseEvent
SetCapture
GetTouchInputInfo
ScreenToClient
CloseTouchInputHandle
SetCursor
GetKeyState
LoadCursorW
GetAsyncKeyState
RegisterClassW
IsWindow
RegisterHotKey
CheckMenuItem
IsWindowVisible
SetMenu
MonitorFromPoint
IsIconic
SetWindowDisplayAffinity
FlashWindowEx
GetForegroundWindow
SetCursorPos
RegisterTouchWindow
CreateAcceleratorTableW
CreatePopupMenu
CreateMenu
GetMessageA
DispatchMessageA
EnumChildWindows
MsgWaitForMultipleObjectsEx
PeekMessageW
DispatchMessageW
TranslateMessage
GetMessageW
PostThreadMessageW
GetClientRect
RedrawWindow
ToUnicodeEx
PostMessageW

dwmapi

DwmEnableBlurBehindWindow
DwmExtendFrameIntoClientArea

wininet

InternetGetConnectedState

comctl32

TaskDialogIndirect
SetWindowSubclass
RemoveWindowSubclass
DefSubclassProc

secur32

DeleteSecurityContext
ApplyControlToken
AcquireCredentialsHandleA
InitializeSecurityContextW
FreeCredentialsHandle
EncryptMessage
FreeContextBuffer
AcceptSecurityContext
DecryptMessage
QueryContextAttributesW

crypt32

CertFreeCertificateChain
CertVerifyCertificateChainPolicy
CertDuplicateCertificateContext
CertDuplicateStore
CertGetCertificateChain
CertFreeCertificateContext
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CertDuplicateCertificateChain

ws2_32

listen
recv
send
getsockname
WSASend
shutdown
closesocket
WSACleanup
WSAStartup
bind
ioctlsocket
connect
select
WSASocketW
getaddrinfo
getsockopt
WSAIoctl
getpeername
freeaddrinfo
setsockopt
WSAGetLastError
accept

shell32

SHAppBarMessage
CommandLineToArgvW
SHGetKnownFolderPath
Shell_NotifyIconGetRect
Shell_NotifyIconW
DragFinish
DragQueryFileW
ShellExecuteW
ShellExecuteExW

ole32

RevokeDragDrop
OleInitialize
RegisterDragDrop
CoTaskMemFree
CoCreateInstance
CoInitializeSecurity
CoTaskMemAlloc
CoSetProxyBlanket
CoInitializeEx
CreateStreamOnHGlobal
CoUninitialize

bcrypt

BCryptGenRandom

ntdll

NtReadFile
NtCancelIoFileEx
RtlNtStatusToDosError
NtQuerySystemInformation
NtQueryInformationProcess
NtWriteFile
NtCreateFile
NtDeviceIoControlFile
RtlGetVersion

psapi

GetModuleFileNameExW
GetPerformanceInfo

pdh

PdhGetFormattedCounterValue
PdhCollectQueryData
PdhRemoveCounter
PdhOpenQueryA
PdhCloseQuery
PdhAddEnglishCounterW

powrprof

CallNtPowerInformation

oleaut32

SetErrorInfo
SysStringLen
GetErrorInfo
SysAllocString
SysFreeString
VariantClear

uxtheme

SetWindowTheme

gdi32

CreateRectRgn
GetDeviceCaps
DeleteObject

api-ms-win-crt-string-l1-1-0

strspn
wcsncmp
strncmp
strcspn
strcmp
strcpy_s
wcslen
_wcsicmp
strlen

api-ms-win-crt-math-l1-1-0

floor
trunc
ceil
_dclass
fabs
log
round
__setusermatherr

api-ms-win-crt-heap-l1-1-0

free
_callnewh
_msize
realloc
malloc
calloc
_set_new_mode

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-time-l1-1-0

_localtime64_s

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_initterm
_get_initial_narrow_environment
_initialize_narrow_environment
_configure_narrow_argv
_exit
_set_app_type
_seh_filter_exe
__p___argc
terminate
__p___argv
_endthreadex
_beginthreadex
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
abort
_register_onexit_function
_crt_atexit
_initialize_onexit_table
exit

api-ms-win-crt-convert-l1-1-0

_ultow_s
wcstol

api-ms-win-crt-stdio-l1-1-0

__p__commode
_set_fmode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 6.1MB - Virtual size: 6.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 34KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 294KB - Virtual size: 294KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 252B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 42KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

88cda3149e5c2798545a826c218ad05f

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

wincore

advapi32

iphlpapi

kernel32

user32

dwmapi

wininet

comctl32

secur32

crypt32

ws2_32

shell32

ole32

bcrypt

ntdll

psapi

pdh

powrprof

oleaut32

uxtheme

gdi32

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 6.1MB - Virtual size: 6.1MB

.rdata Size: 3.1MB - Virtual size: 3.1MB

.data Size: 34KB - Virtual size: 39KB

.pdata Size: 294KB - Virtual size: 294KB

_RDATA Size: 512B - Virtual size: 252B

.rsrc Size: 5KB - Virtual size: 5KB

.reloc Size: 42KB - Virtual size: 41KB

.text
Size: 6.1MB - Virtual size: 6.1MB

.rdata
Size: 3.1MB - Virtual size: 3.1MB

.data
Size: 34KB - Virtual size: 39KB

.pdata
Size: 294KB - Virtual size: 294KB

_RDATA
Size: 512B - Virtual size: 252B

.rsrc
Size: 5KB - Virtual size: 5KB

.reloc
Size: 42KB - Virtual size: 41KB