Cobalt Strike Loader Analysis



This blog post is based on the presentation "Reverse engineer malware code written in spaces and tabs", given by Sorot Panichprecha at the SANS Community Event in Kuala Lumpur, Malaysia, in 2024. It recreates the concepts presented in the talk for learning purposes.



The malicious samples were tweeted by @cyb3rops on Jul 12, 2022. You can download them from MalwareBazaar: https://bazaar.abuse.ch/sample/858f567340cee8755dbd745b6afd9adc78a998bf2cbfda85e6302197994c577c/#iocs


Most of the code consists of nothing but spaces and tabs; the interesting part is that only two lines do the actual work.


This is the code that deobfuscates the spaces and tabs back into the real script.



The technique used to execute the decoded script through "iex" (the PowerShell alias for Invoke-Expression).
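The two observations above (a script that is almost entirely whitespace, plus a short line that rebuilds text and feeds it to "iex") are enough to triage loaders of this kind automatically. The following Python helper is an added example and not code from the post or the talk: it builds a constructed two-line PowerShell loader, flags lines whose whitespace density is abnormally high, flags lines that invoke iex / Invoke-Expression, and decodes the whitespace blob. The encoding it uses (tab = 1, space = 0, eight symbols per character) is an assumption chosen for the demo; the real sample's scheme is not reproduced on the page, so only the detection heuristic is meant to carry over to other samples.

```python
"""
Triage helper for PowerShell loaders written in spaces and tabs.

ASSUMPTION: the demo payload is encoded as tab = 1, space = 0, 8 symbols per
character. The detection heuristics do not depend on that choice.
"""
import re

# Added, constructed sample (not the analysed malware). Line 1 carries the
# whitespace-encoded command; line 2 turns it back into text and runs iex.
def _encode_ws(text: str) -> str:
    return "".join(
        "".join("\t" if (ord(ch) >> (7 - i)) & 1 else " " for i in range(8))
        for ch in text
    )

HIDDEN_COMMAND = 'Write-Host "decoded"'
_DECODER_LINE = r'''iex (-join ($p -split '(?<=\G.{8})' | ? {$_} | % { [char][Convert]::ToInt32(($_ -replace ' ','0' -replace "`t",'1'), 2) }))'''
SAMPLE_SCRIPT = "$p='" + _encode_ws(HIDDEN_COMMAND) + "'\n" + _DECODER_LINE + "\n"

WS_RE = re.compile(r"[ \t]")
IEX_RE = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
BLOB_RE = re.compile(r"'([ \t]{16,})'")   # quoted runs of pure whitespace


def whitespace_ratio(line: str) -> float:
    """Fraction of a line that is a space or a tab."""
    return len(WS_RE.findall(line)) / len(line) if line else 0.0


def triage(script: str, threshold: float = 0.9, min_len: int = 64) -> dict:
    """Flag long whitespace-dominated lines and iex call sites.

    A script that has both is the pattern described in the post: a blob of
    whitespace plus a one-liner that decodes and executes it.
    """
    lines = script.splitlines()
    ws_lines = [i + 1 for i, ln in enumerate(lines)
                if len(ln) >= min_len and whitespace_ratio(ln) >= threshold]
    iex_lines = [i + 1 for i, ln in enumerate(lines) if IEX_RE.search(ln)]
    return {
        "lines": len(lines),
        "whitespace_lines": ws_lines,
        "iex_lines": iex_lines,
        "verdict": bool(ws_lines) and bool(iex_lines),
    }


def extract_ws_blobs(script: str) -> list:
    """Return every quoted whitespace-only string literal in the script."""
    return [m.group(1) for m in BLOB_RE.finditer(script)]


def decode_ws(blob: str) -> str:
    """Decode a whitespace blob under the ASSUMED tab=1 / space=0 scheme."""
    bits = "".join("1" if c == "\t" else "0" for c in blob if c in " \t")
    usable = len(bits) - len(bits) % 8
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))


if __name__ == "__main__":
    report = triage(SAMPLE_SCRIPT)
    print(report)
    for blob in extract_ws_blobs(SAMPLE_SCRIPT):
        print("decoded:", repr(decode_ws(blob)))
```

Running the file prints the triage report for the constructed loader (line 1 flagged as whitespace, line 2 flagged for iex) and the recovered command. Against a real sample, the decoder step has to be adapted to whatever mapping the second line implements; the whitespace-ratio and iex checks are the part that works without knowing the scheme in advance.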


Decrypts and dumps the configuration of Cobalt Strike Windows beacons (PE files), shellcode and memory dumps.


Decoding Cobalt Strike Payload




Command & Control (C2) Address: http://49.232.222[.]58:9999/mT6e


