2024-10-14_00b328dd299ecb27e2eeaf557454dddb_cobalt-strike_megazord

Sharing

Copy URL Twitter E-mail

General

Target

2024-10-14_00b328dd299ecb27e2eeaf557454dddb_cobalt-strike_megazord
Size

27.0MB
MD5

00b328dd299ecb27e2eeaf557454dddb
SHA1

d83face53c003a2c63144e00e682392f7ab760db
SHA256

437fc5b816531a1a942704b93c5010ffeaacbf21de3a5a611798e137946d13be
SHA512

dacab94108e39e493a298a81a5022e1cfc976f63a8d86de3496bf2f6569f8c689e8e42687ba4a0ea16b1e09cfeafc4789cdfa2c331a006a441e1b9e2f8efa883
SSDEEP

196608:vi7qlItAdyz6Bs/JEPaYFWH3pNLyVN44hUx/VQfO8PkJ963T:4AdyzRhLHZNLyVG4hUsfVPkJsD

Score

3^/10

Malware Config

Signatures

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
sample	embeds_openssl

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-10-14_00b328dd299ecb27e2eeaf557454dddb_cobalt-strike_megazord

Files

2024-10-14_00b328dd299ecb27e2eeaf557454dddb_cobalt-strike_megazord
.exe windows:6 windows x64 arch:x64

6116ead774d58d0c1fad0c71f3bf249a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

sshxterm.pdb

Imports

bcryptprimitives

ProcessPrng

api-ms-win-core-synch-l1-2-0

WakeByAddressAll
WakeByAddressSingle
WaitOnAddress

ws2_32

WSASetLastError
closesocket
WSASocketW
bind
connect
ioctlsocket
listen
accept
getsockname
getpeername
WSASend
shutdown
recv
recvfrom
send
sendto
getaddrinfo
WSAIoctl
freeaddrinfo
getsockopt
socket
WSAGetLastError
ntohs
select
gethostbyname
WSAStartup
WSACleanup
htonl
htons
inet_addr
inet_ntoa
gethostbyaddr
getservbyport
getservbyname
setsockopt

kernel32

QueryPerformanceFrequency
GetModuleFileNameW
GetCurrentProcess
TerminateProcess
QueryPerformanceCounter
WideCharToMultiByte
GetCurrentThread
GlobalUnlock
GlobalSize
GlobalLock
GlobalFree
GlobalAlloc
MultiByteToWideChar
Sleep
GetNativeSystemInfo
GetSystemInfo
GetProcAddress
GetModuleHandleA
GetUserPreferredUILanguages
GetComputerNameExW
FindNextFileW
LCIDToLocaleName
FormatMessageW
GetModuleHandleW
LoadLibraryA
WakeAllConditionVariable
lstrlenW
SleepConditionVariableSRW
UnhandledExceptionFilter
GetUserDefaultUILanguage
GetFileAttributesW
CreateFileW
OutputDebugStringA
OutputDebugStringW
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
InitializeSListHead
IsDebuggerPresent
LoadLibraryExW
RtlUnwindEx
GetEnvironmentVariableW
RtlPcToFileHeader
LoadLibraryW
VirtualLock
VirtualUnlock
FindClose
GetFullPathNameW
CreateMutexA
WaitForSingleObjectEx
GetTempPathW
CreateThread
WriteConsoleW
UpdateProcThreadAttribute
InitializeProcThreadAttributeList
CreateProcessW
GetSystemDirectoryW
ReadFileEx
CreateNamedPipeW
LoadLibraryExA
ExitProcess
FreeLibrary
GetProcessHeap
SetEnvironmentVariableW
GetCurrentThreadId
GetLastError
RaiseException
GetFileInformationByHandle
GetConsoleMode
SetConsoleMode
GetLogicalProcessorInformation
DuplicateHandle
GetFinalPathNameByHandleW
SetHandleInformation
DeleteFileW
CreateDirectoryW
GetFileInformationByHandleEx
ReleaseMutex
HeapReAlloc
GetSystemTimePreciseAsFileTime
InitializeCriticalSectionAndSpinCount
SleepEx
WriteFileEx
SetFilePointerEx
SetFileInformationByHandle
PostQueuedCompletionStatus
GetCommandLineW
CreateIoCompletionPort
SetFileCompletionNotificationModes
GetEnvironmentStringsW
GetQueuedCompletionStatusEx
GetCurrentDirectoryW
WriteFile
SystemTimeToTzSpecificLocalTime
SystemTimeToFileTime
SetLastError
RtlVirtualUnwind
InitializeSRWLock
ReleaseSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockExclusive
AcquireSRWLockShared
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
VirtualFree
GetStdHandle
GetFileType
CloseHandle
RtlLookupFunctionEntry
RtlCaptureContext
GetACP
FindFirstFileW
SetWaitableTimer
CreateWaitableTimerExW
SwitchToThread
SetThreadStackGuarantee
AddVectoredExceptionHandler
GetSystemDirectoryA
FormatMessageA
CompareStringOrdinal
DeleteProcThreadAttributeList
FreeEnvironmentStringsW
GetTimeZoneInformationForYear
HeapAlloc
HeapFree
GetCurrentProcessId
GetSystemTimeAsFileTime
EncodePointer
GetWindowsDirectoryW
WaitForSingleObject
SwitchToFiber
DeleteFiber
CreateFiberEx
GetSystemTime
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
ReleaseSemaphore
GetExitCodeThread
CreateSemaphoreA
ConvertFiberToThread
ConvertThreadToFiberEx
ReadConsoleA
ReadConsoleW

user32

SetWindowPos
InvalidateRgn
LoadCursorW
GetProcessWindowStation
GetUserObjectInformationW
DefWindowProcW
SetCursorPos
DrawTextW
FillRect
GetWindowDC
OffsetRect
GetMenuBarInfo
PostQuitMessage
TrackPopupMenu
DrawIconEx
CheckMenuItem
GetWindowPlacement
AppendMenuW
InsertMenuW
CreateAcceleratorTableW
DestroyAcceleratorTable
CreatePopupMenu
GetActiveWindow
PostThreadMessageW
FlashWindowEx
CreateMenu
MapVirtualKeyW
SetWindowPlacement
DestroyMenu
RemoveMenu
DrawMenuBar
SetMenu
GetMenuItemInfoW
GetUpdateRect
ValidateRect
SetMenuItemInfoW
DispatchMessageA
PeekMessageW
GetMessageA
DispatchMessageW
TranslateMessage
CreateWindowExW
ToUnicodeEx
AdjustWindowRectEx
GetMenu
GetMessageW
GetKeyboardLayout
SendInput
SetForegroundWindow
GetMonitorInfoW
SetWindowTextW
GetRawInputData
MonitorFromPoint
EnumDisplayMonitors
SetPropW
SystemParametersInfoA
DestroyIcon
MapVirtualKeyExW
GetKeyState
GetAsyncKeyState
GetKeyboardState
SetWindowDisplayAffinity
ClipCursor
GetClipCursor
ShowCursor
SetWindowLongW
EnableMenuItem
GetSystemMenu
SystemParametersInfoW
IsWindow
SetCapture
SetWindowLongPtrW
MsgWaitForMultipleObjectsEx
RegisterRawInputDevices
IsProcessDPIAware
SetCursor
ChangeDisplaySettingsExW
SetParent
MapWindowPoints
RegisterWindowMessageA
GetWindowLongPtrW
GetParent
SetWindowRgn
RegisterClassExW
FindWindowExW
IsWindowEnabled
EnableWindow
MonitorFromWindow
GetCursorPos
CloseTouchInputHandle
IsIconic
GetClientRect
GetTouchInputInfo
TrackMouseEvent
GetSystemMetrics
MonitorFromRect
ClientToScreen
RedrawWindow
RegisterTouchWindow
AdjustWindowRect
ScreenToClient
MessageBoxW
ShowWindow
EnumChildWindows
GetWindowTextW
IsWindowVisible
ReleaseDC
GetWindowTextLengthW
CloseClipboard
GetDC
GetClipboardData
SetClipboardData
IsClipboardFormatAvailable
RegisterClipboardFormatW
OpenClipboard
EmptyClipboard
GetWindowLongW
RemoveClipboardFormatListener
AddClipboardFormatListener
CreateIcon
GetWindowRect
SendMessageW
TranslateAcceleratorW
DestroyWindow
GetForegroundWindow
ReleaseCapture
PostMessageW

comctl32

RemoveWindowSubclass
DefSubclassProc
SetWindowSubclass
TaskDialogIndirect

ole32

CoTaskMemAlloc
CoInitializeEx
CoIncrementMTAUsage
CoCreateInstance
RevokeDragDrop
OleInitialize
CoTaskMemFree
CoUninitialize
RegisterDragDrop

shell32

DragFinish
DragQueryFileW
SHAppBarMessage
SHGetKnownFolderPath
ShellExecuteW
SHCreateItemFromParsingName

gdi32

CreateRectRgn
SetTextColor
CreateSolidBrush
SetBkMode
DeleteObject
CombineRgn
CreateCompatibleDC
CreateDIBitmap
GetDIBits
BitBlt
CreateDIBSection
SelectObject
DeleteDC
GetObjectW
GetDeviceCaps

dwmapi

DwmSetWindowAttribute
DwmGetWindowAttribute
DwmEnableBlurBehindWindow

advapi32

CryptGenRandom
RegQueryValueExW
ImpersonateAnonymousToken
RevertToSelf
CryptReleaseContext
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
SystemFunction036
RegOpenKeyExW
EventRegister
EventSetInformation
RegGetValueW
RegCloseKey
EventUnregister
EventWriteTransfer

iphlpapi

GetAdaptersAddresses

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory

oleaut32

GetErrorInfo
SysStringLen
SysFreeString
SetErrorInfo

shlwapi

SHCreateMemStream

ntdll

RtlNtStatusToDosError
NtCancelIoFileEx
NtReadFile
NtWriteFile
NtCreateFile
NtDeviceIoControlFile
RtlGetVersion

bcrypt

BCryptGenRandom

crypt32

CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CertOpenSystemStoreW

api-ms-win-crt-math-l1-1-0

log
fmod
trunc
exp
exp2f
pow
log2
ceil
roundf
fmaf
fma
truncf
powf
__setusermatherr
floorf
round
floor
log2f

api-ms-win-crt-runtime-l1-1-0

strerror_s
_errno
_exit
_seh_filter_exe
_set_app_type
_configure_narrow_argv
raise
signal
_initialize_narrow_environment
strerror
abort
terminate
_get_initial_narrow_environment
_initterm
_initterm_e
_crt_atexit
exit
__p___argc
__p___argv
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
_beginthreadex
_register_onexit_function
_initialize_onexit_table

api-ms-win-crt-string-l1-1-0

strncmp
tolower
isdigit
strcpy_s
strcat_s
strncpy
strncpy_s
wcsncmp
strspn
wcscmp
strcspn
_wcsicmp
isspace
strlen
wcslen
strcmp

api-ms-win-crt-convert-l1-1-0

atoi
wcstol
_wtoi
strtol
_ultow_s
strtoul

api-ms-win-crt-heap-l1-1-0

malloc
free
_callnewh
realloc
calloc
_set_new_mode

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-filesystem-l1-1-0

_stat64i32

api-ms-win-crt-time-l1-1-0

_gmtime64_s
_time64

api-ms-win-crt-stdio-l1-1-0

fclose
__stdio_common_vsprintf
__stdio_common_vsprintf_s
__p__commode
fwrite
_set_fmode
_wfopen
setvbuf
fopen
__acrt_iob_func
__stdio_common_vfprintf
feof
__stdio_common_vsscanf
ferror
fflush
fputs
ftell
fgets
__stdio_common_vswprintf
_fileno
fseek
fread
_setmode

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 19.2MB - Virtual size: 19.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 6.8MB - Virtual size: 6.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 42KB - Virtual size: 61KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 837KB - Virtual size: 837KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 500B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 97KB - Virtual size: 97KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6116ead774d58d0c1fad0c71f3bf249a

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

bcryptprimitives

api-ms-win-core-synch-l1-2-0

ws2_32

kernel32

user32

comctl32

ole32

shell32

gdi32

dwmapi

advapi32

iphlpapi

api-ms-win-core-winrt-l1-1-0

oleaut32

shlwapi

ntdll

bcrypt

crypt32

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 19.2MB - Virtual size: 19.2MB

.rdata Size: 6.8MB - Virtual size: 6.8MB

.data Size: 42KB - Virtual size: 61KB

.pdata Size: 837KB - Virtual size: 837KB

_RDATA Size: 512B - Virtual size: 500B

.rsrc Size: 41KB - Virtual size: 40KB

.reloc Size: 97KB - Virtual size: 97KB

.text
Size: 19.2MB - Virtual size: 19.2MB

.rdata
Size: 6.8MB - Virtual size: 6.8MB

.data
Size: 42KB - Virtual size: 61KB

.pdata
Size: 837KB - Virtual size: 837KB

_RDATA
Size: 512B - Virtual size: 500B

.rsrc
Size: 41KB - Virtual size: 40KB

.reloc
Size: 97KB - Virtual size: 97KB