CobaltStrike - beacon.dll : Your No Ordinary MZ Header
Common Information
Type Value
UUID 7e4ff5af-8065-46ec-a939-4dd875ceef45
Fingerprint f5712280ca99ea3
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 5, 2019, 12:38 a.m.
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Nov. 11, 2024, 10:09 p.m.
Headline {"®eve®se": "Enginee®ing"}
Title CobaltStrike - beacon.dll : Your No Ordinary MZ Header
Detected Hints/Tags/Attributes 18/2/13
Attributes
Type       #Events  Value
Domain     87       app.any.run
File       14       beacon.dll
File       1        virus_load.exe
File       14       debug.exe
md5        1        e2d265ced204eb807cb5ed0093500205
md5        1        5cd3ba72cda97276bb77c42e42e2fb7c
sha1       1        9e16e2de4e4da93965b3cbcd19bbaf32b490bf63
sha1       1        19359d10155d98414c03951fd4871c0b387f7dd7
sha256     1        3462e89f38d399d93e2dbe2cf415f8dabbd93c45bd8b9725274116c9b309be88
sha256     1        31d9bde8825cad11a6072fc2b8f320e2686966232b7471fe2fb9ea2ca2873fbd
Url        1        https://app.any.run/tasks/dc833ad4-508a-42eb-9bc2-cef42a558e89
Url        1        https://www.virustotal.com/gui/file/3462e89f38d399d93e2dbe2cf415f8dabbd93c45bd8b9725274116c9b309be88/detection
Yara rule  1        (rule text follows)
// The pe module is imported but not referenced by the condition below; it is harmless and may be dropped.
import "pe"

rule unpack_CobaltStrike_beacon_dll_ {
	meta:
		author = "tcontre"
		description = "detecting Cobaltstrike malware"
		date = "2019-11-05"
		sha256 = "31d9bde8825cad11a6072fc2b8f320e2686966232b7471fe2fb9ea2ca2873fbd"
	strings:
		// "MZ" magic, expected at file offset 0
		$mz = { 4D 5A }
		// MZ header whose bytes are also valid x86 code: the "MZ" bytes decode as harmless
		// instructions, followed by a call/pop to obtain the current address and a call into
		// the loader that follows the header (the "no ordinary MZ header" in the title)
		$shell = { 4D 5A E8 00 00 00 00 5B 89 DF 52 45 55 89 E5 81 C3 55 91 00 00 FF D3 }
		// mov eax, fs:[0x30] ... mov eax, [eax+0xC]: reads the PEB and then PEB->Ldr,
		// the usual start of manual module enumeration in a reflective loader
		$code2 = { 64 A1 30 00 00 00 89 45 C0 8B 45 C0 8B 40 0C 89 }
		// ror eax, 13 / movsx eax, byte [..] / add: ROR-13 string hashing used to resolve API names
		$code3 = { 8B 45 8C C1 C8 0D 89 45 8C 8B 45 88 0F BE 00 03 }
		// hostname format strings embedded in the beacon
		$s1 = "cdn.%x%x.%s" fullword
		$s2 = "www6.%x%x.%s" fullword
		$s3 = "%s.2xxxxx.xxxxx.%x%x.%s" fullword
	condition:
		// YARA binds "and" tighter than "or", so the original condition matches either the
		// code-bearing MZ header at offset 0, or two loader code fragments together with one
		// hostname format string. Parentheses make that grouping explicit without changing it.
		(($mz at 0) and ($shell at 0)) or ((2 of ($code*)) and (1 of ($s*)))
}