cobaltstrike | 4b89b462b630c3cf9904a6b6bf25521203b262c52a2afacc661312445c21dc55

Sharing

Copy URL

Twitter E-mail

General

Target

4b89b462b630c3cf9904a6b6bf25521203b262c52a2afacc661312445c21dc55
Size

378KB
MD5

94e576d6d4aa4c8c0738e86858b43e36
SHA1

63dd259b4bb74057820c67a617e21692030e283d
SHA256

4b89b462b630c3cf9904a6b6bf25521203b262c52a2afacc661312445c21dc55
SHA512

592ca37103c8eb9fdce637f5b919b93eabddd7e142af97880e34be92a58d4d84c16e28800290e5866f38a1010695e3654774370a8ee814da66ca2e52886de205
SSDEEP

6144:wcn/cSmKUdN8PtgLM63vyJNRkZHBvZp0qoOCu2pkojnZHjeY/V:wYXgLv/y/YhsqILnZHjv

Score

10^/10

cobaltstrike

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
sample	cobalt_reflective_dll

Cobaltstrike family
cobaltstrike

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
4b89b462b630c3cf9904a6b6bf25521203b262c52a2afacc661312445c21dc55

Files

4b89b462b630c3cf9904a6b6bf25521203b262c52a2afacc661312445c21dc55
.exe windows:6 windows x64 arch:x64

e5ebe672f861aafc08fa3f855fe6f76c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

xorshellload.pdb

Imports

api-ms-win-core-synch-l1-2-0

WaitOnAddress
WakeByAddressAll
WakeByAddressSingle

kernel32

UnhandledExceptionFilter
IsDebuggerPresent
InitializeSListHead
SetUnhandledExceptionFilter
VirtualAlloc
CreateThread
WaitForSingleObject
CloseHandle
GetLastError
AddVectoredExceptionHandler
SetThreadStackGuarantee
GetCurrentThread
QueryPerformanceCounter
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetLastError
GetCurrentDirectoryW
GetEnvironmentVariableW
GetCurrentProcess
GetStdHandle
GetCurrentProcessId
HeapFree
HeapReAlloc
lstrlenW
ReleaseMutex
GetProcessHeap
HeapAlloc
GetConsoleMode
GetModuleHandleW
MultiByteToWideChar
WriteConsoleW
WideCharToMultiByte
IsProcessorFeaturePresent
GetModuleHandleA
GetProcAddress
WaitForSingleObjectEx
LoadLibraryA
CreateMutexA
GetSystemTimeAsFileTime
GetCurrentThreadId

ntdll

NtWriteFile
RtlNtStatusToDosError

vcruntime140

_CxxThrowException
memcmp
__C_specific_handler
__current_exception_context
memmove
memset
memcpy
__CxxFrameHandler3
__current_exception

api-ms-win-crt-runtime-l1-1-0

_get_initial_narrow_environment
_initterm
_initterm_e
_initialize_narrow_environment
_exit
_configure_narrow_argv
__p___argc
__p___argv
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
_set_app_type
_seh_filter_exe
exit
_initialize_onexit_table
_register_onexit_function
_crt_atexit
terminate

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-stdio-l1-1-0

_set_fmode
__p__commode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-heap-l1-1-0

_set_new_mode
free

Sections

.text
Size: 101KB - Virtual size: 100KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 269KB - Virtual size: 269KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 768B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 768B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e5ebe672f861aafc08fa3f855fe6f76c

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-core-synch-l1-2-0

kernel32

ntdll

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-heap-l1-1-0

Sections

.text Size: 101KB - Virtual size: 100KB

.rdata Size: 269KB - Virtual size: 269KB

.data Size: 512B - Virtual size: 768B

.pdata Size: 5KB - Virtual size: 5KB

.reloc Size: 1024B - Virtual size: 768B

.text
Size: 101KB - Virtual size: 100KB

.rdata
Size: 269KB - Virtual size: 269KB

.data
Size: 512B - Virtual size: 768B

.pdata
Size: 5KB - Virtual size: 5KB

.reloc
Size: 1024B - Virtual size: 768B