Static task: static1
Behavioral task: behavioral1
  Sample: 2024-09-29_b1d6ec0880e5774b002e42a158590645_cobalt-strike_megazord.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 2024-09-29_b1d6ec0880e5774b002e42a158590645_cobalt-strike_megazord.exe
  Resource: win10v2004-20240802-en
General
  Target: 2024-09-29_b1d6ec0880e5774b002e42a158590645_cobalt-strike_megazord
  Size: 23.5MB
  MD5: b1d6ec0880e5774b002e42a158590645
  SHA1: 08b846bfbf68c6fd6dfb2badf1b257c179c3c9fb
  SHA256: f142091e2ead5c50c90f556fe3760fa2d9cad8bfcb8617dd0d2b68a71fc1d9b7
  SHA512: c455f94de380e16b4230a45a1990bd168efeacd29ea7f6268f830445e3cb3e535773bda9f0ac3bd22a570c8f5a8e7c31150f01e512e4427442bd0b172108b80e
  SSDEEP: 393216:cJciEi2swe6er/gLB6OmsFoVt/FmoBlkWFhI5WqZQdhvFUCEuWLjpEp5EJZp9Ha4:cJciTrukOmsFoVt/FmoB6
Malware Config
Signatures
  Unsigned PE (1 IoC)
  Checks for missing Authenticode signature.
  resource: 2024-09-29_b1d6ec0880e5774b002e42a158590645_cobalt-strike_megazord
Files
  2024-09-29_b1d6ec0880e5774b002e42a158590645_cobalt-strike_megazord.exe  windows:6 windows x64 arch:x64
  472a3bef8a28a87effdf7d2abf6ac153
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
sas
SendSAS
wtsapi32
WTSQuerySessionInformationW
WTSEnumerateSessionsA
WTSFreeMemory
secur32
LsaFreeReturnBuffer
LsaEnumerateLogonSessions
LsaGetLogonSessionData
kernel32
GetStdHandle
GetFileType
GetFileInformationByHandleEx
WakeAllConditionVariable
SleepConditionVariableSRW
UnmapViewOfFile
LocalFree
GetExitCodeProcess
ConnectNamedPipe
LocalAlloc
CreateFileW
FlushFileBuffers
OpenProcess
WTSGetActiveConsoleSessionId
VirtualAllocEx
WriteProcessMemory
GetModuleHandleA
QueueUserAPC
ResumeThread
GetModuleHandleExA
GetCurrentThreadId
TerminateProcess
SetThreadExecutionState
GetLogicalProcessorInformation
SetFilePointerEx
GlobalSize
WaitForSingleObject
SetHandleInformation
GetUserDefaultLocaleName
SetConsoleMode
GetModuleHandleW
CreateSemaphoreA
SetConsoleCtrlHandler
GetQueuedCompletionStatusEx
SetLastError
GetFinalPathNameByHandleW
TryAcquireSRWLockExclusive
PostQueuedCompletionStatus
ReadFile
GetOverlappedResult
WriteFile
CancelIoEx
CreateIoCompletionPort
SetFileCompletionNotificationModes
CreateNamedPipeW
WakeConditionVariable
LoadLibraryW
FreeLibrary
LoadLibraryExA
CreateFileMappingW
MapViewOfFile
OpenFileMappingW
WriteConsoleW
GetCurrentDirectoryW
GetEnvironmentVariableW
SetEnvironmentVariableW
GetTempPathW
GetModuleFileNameW
GetCommandLineW
GetFileInformationByHandle
GetFullPathNameW
FindNextFileW
CreateDirectoryW
FindFirstFileW
GetEnvironmentStringsW
FreeEnvironmentStringsW
CompareStringOrdinal
GetSystemDirectoryW
GetWindowsDirectoryW
CreateProcessW
GetFileAttributesW
DuplicateHandle
CreateThread
ReadFileEx
SleepEx
WriteFileEx
WaitForMultipleObjects
CreateEventW
CancelIo
ExitProcess
GetSystemTimeAsFileTime
DeleteFileW
MoveFileExW
RemoveDirectoryW
DeviceIoControl
CreateSymbolicLinkW
GetSystemInfo
GetTickCount64
GlobalMemoryStatusEx
GetDiskFreeSpaceExW
GetDriveTypeW
GetVolumeInformationW
GetProcessTimes
ReadProcessMemory
VirtualQueryEx
GetSystemTimes
GetProcessIoCounters
SetErrorMode
SetThreadErrorMode
GetComputerNameExW
VirtualQuery
ProcessIdToSessionId
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
RtlVirtualUnwind
GetFileSize
GetFileTime
SetFilePointer
ResetEvent
InitializeCriticalSectionEx
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
InitializeConditionVariable
SleepConditionVariableCS
SetThreadPriority
CreateSemaphoreW
InitOnceBeginInitialize
InitOnceComplete
TryEnterCriticalSection
GetNativeSystemInfo
InitializeCriticalSection
SetFileTime
GetLogicalDrives
GetCurrentProcessId
RtlLookupFunctionEntry
RtlCaptureContext
GetCurrentThread
FindClose
QueryPerformanceFrequency
FormatMessageW
lstrlenW
ReleaseSemaphore
WaitForMultipleObjectsEx
QueryPerformanceCounter
SetEvent
SwitchToThread
CreateEventA
ReleaseSRWLockShared
AcquireSRWLockShared
ReleaseSRWLockExclusive
GetTimeZoneInformation
SystemTimeToFileTime
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
ReleaseMutex
GetCurrentProcess
GetProcAddress
CloseHandle
CreateMutexA
LoadLibraryA
WaitForSingleObjectEx
AcquireSRWLockExclusive
Sleep
GlobalFree
GetConsoleOutputCP
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
GetCommandLineA
GetModuleHandleExW
FreeLibraryAndExitThread
ExitThread
LoadLibraryExW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
RtlUnwind
RaiseException
GlobalUnlock
RtlPcToFileHeader
RtlUnwindEx
GetCPInfo
GetStringTypeW
LCMapStringEx
DecodePointer
EncodePointer
WideCharToMultiByte
GetStartupInfoW
IsDebuggerPresent
InitializeSListHead
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GlobalLock
GlobalAlloc
MultiByteToWideChar
HeapReAlloc
HeapAlloc
GetProcessHeap
GetLastError
SetThreadStackGuarantee
AddVectoredExceptionHandler
HeapFree
GetFileSizeEx
ReadConsoleW
OutputDebugStringW
FindFirstFileExW
IsValidCodePage
GetACP
GetConsoleMode
GetOEMCP
SetStdHandle
HeapSize
CopyFileExW
SetEndOfFile
advapi32
LookupPrivilegeValueW
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerExW
SetServiceStatus
InitializeSecurityDescriptor
SetEntriesInAclW
AllocateAndInitializeSid
FreeSid
SetSecurityDescriptorDacl
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
GetUserNameW
RegDeleteTreeW
OpenProcessToken
GetTokenInformation
RegDeleteKeyExW
CreateProcessAsUserW
CreateProcessWithLogonW
RegCreateKeyExW
RegSetValueExW
SystemFunction036
CreateProcessWithTokenW
ImpersonateLoggedOnUser
DuplicateTokenEx
EqualSid
AdjustTokenPrivileges
IsValidSid
LookupAccountSidW
CopySid
GetLengthSid
ole32
PropVariantClear
ReleaseStgMedium
OleIsCurrentClipboard
OleGetClipboard
OleSetClipboard
OleUninitialize
CoTaskMemAlloc
CoSetProxyBlanket
CoInitializeSecurity
OleInitialize
CoCreateInstance
CoTaskMemFree
CoUninitialize
CoInitializeEx
user32
SetForegroundWindow
TrackPopupMenu
OpenInputDesktop
SetThreadDesktop
CloseDesktop
GetThreadDesktop
GetUserObjectInformationA
PeekMessageA
SendMessageA
DefWindowProcW
GetAsyncKeyState
GetClipboardOwner
SetClipboardViewer
ChangeClipboardChain
RegisterClipboardFormatA
CountClipboardFormats
EnumClipboardFormats
GetClipboardFormatNameA
GetKeyboardState
RegisterClassExW
RegisterWindowMessageA
PostMessageA
ExitWindowsEx
EmptyClipboard
SetClipboardData
CloseClipboard
OpenClipboard
RegisterClipboardFormatW
SendInput
GetForegroundWindow
GetWindowThreadProcessId
GetWindowLongW
AdjustWindowRectEx
DestroyIcon
PostMessageW
GetUpdateRect
PostThreadMessageW
GetKeyboardLayout
AttachThreadInput
VkKeyScanExW
GetKeyState
MapVirtualKeyW
PeekMessageW
ValidateRect
GetRawInputData
RedrawWindow
BlockInput
DestroyWindow
RegisterClassW
SetMenuItemInfoW
DrawIconEx
AppendMenuW
CreateAcceleratorTableW
DestroyAcceleratorTable
VkKeyScanW
CreatePopupMenu
CreateMenu
RegisterRawInputDevices
SetWindowLongPtrW
CreateWindowExW
CreateIcon
DispatchMessageW
GetMessageW
SetWindowTextW
GetClipboardData
IsClipboardFormatAvailable
ReleaseDC
GetDC
GetIconInfo
FindWindowExA
GetCursorPos
GetSystemMetrics
LockWorkStation
EnumDisplayDevicesW
EnumDisplaySettingsExW
GetCursorInfo
EnumDisplaySettingsW
CreateWindowExA
RegisterClassExA
LoadCursorA
CallNextHookEx
UnhookWindowsHookEx
PostQuitMessage
SendMessageW
CheckMenuItem
MsgWaitForMultipleObjectsEx
InvalidateRgn
SetWindowPos
MapVirtualKeyExW
GetMenu
MessageBoxW
ChangeDisplaySettingsExW
PostThreadMessageA
ShowWindow
FindWindowA
DefWindowProcA
SetWindowsHookExA
GetMessageA
TranslateMessage
DispatchMessageA
ToUnicodeEx
ntdll
NtCancelIoFileEx
NtCreateFile
NtDeviceIoControlFile
RtlNtStatusToDosError
NtWriteFile
RtlGetVersion
NtQueryInformationProcess
NtQuerySystemInformation
NtReadFile
bcrypt
BCryptGenRandom
crypt32
CertNameToStrA
CertCloseStore
CryptHashCertificate
CertOpenSystemStoreA
CertEnumCertificatesInStore
d3d11
D3D11CreateDevice
dxgi
CreateDXGIFactory1
gdi32
DeleteDC
DeleteObject
GetObjectA
GetBitmapBits
CreateCompatibleDC
CreateDIBSection
CreateDCW
SelectObject
BitBlt
GetDIBits
CreateCompatibleBitmap
iphlpapi
GetIfEntry2
GetIfTable2
FreeMibTable
GetAdaptersAddresses
SendARP
netapi32
NetUserGetLocalGroups
NetApiBufferFree
NetUserGetInfo
NetUserEnum
oleaut32
GetErrorInfo
SysAllocString
VariantClear
SysFreeString
SysStringLen
pdh
PdhCollectQueryData
PdhOpenQueryA
PdhAddEnglishCounterW
PdhGetFormattedCounterValue
PdhCloseQuery
PdhRemoveCounter
powrprof
CallNtPowerInformation
psapi
GetModuleFileNameExW
GetPerformanceInfo
shell32
SHAddToRecentDocs
Shell_NotifyIconGetRect
Shell_NotifyIconW
CommandLineToArgvW
ShellExecuteW
SHGetKnownFolderPath
ShellExecuteExW
ws2_32
WSAIoctl
socket
getaddrinfo
freeaddrinfo
WSAStartup
sendto
getsockname
recvfrom
getpeername
recv
send
WSASend
WSACleanup
accept
WSASocketW
ioctlsocket
setsockopt
bind
closesocket
connect
listen
getsockopt
shutdown
WSAGetLastError
comctl32
DefSubclassProc
RemoveWindowSubclass
SetWindowSubclass
userenv
DestroyEnvironmentBlock
CreateEnvironmentBlock
Sections
.text Size: 14.4MB - Virtual size: 14.4MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rodata Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 8.6MB - Virtual size: 8.6MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 36KB - Virtual size: 365KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 249KB - Virtual size: 248KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
_RDATA Size: 512B - Virtual size: 348B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 73KB - Virtual size: 73KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 136KB - Virtual size: 136KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ