Medellin_a64.exe Trojan CobaltStrike Analysis
| Online Virus Checker | v.1.0.168.174 |
| DB Version: | 2024-03-01 22:00:14 |
Trojan.Win64.CobaltStrike.tr
Cobalt Strike is a paid penetration testing tool used by security professionals to deploy an agent called 'Beacon' on a target system. Beacon provides various functionalities to the operator, including command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning, and lateral movement. Beacon operates in-memory and is file-less, loading itself into a process's memory after exploiting vulnerabilities or executing a shellcode loader, avoiding disk storage. It supports communication and staging over multiple protocols, including HTTP, HTTPS, DNS, SMB named pipes, and both forward and reverse TCP connections, with the capability for daisy-chaining. Additionally, Cobalt Strike includes the Artifact Kit, a toolkit for creating shellcode loaders.
| File | medellin_a64.exe |
| Checked | 2024-03-01 22:45:37 |
| MD5 | 02e9c672ea01108f756a99fce1565d13 |
| SHA1 | 3bb4fa1d09facebca7020a6ea106349bfe3cd732 |
| SHA256 | e537a0e18d56805e3c516ad561030e78cc85164df51ee9a0d4df0f51d83c6806 |
| SHA512 | 0c3d987bea551145ee1f0b215163dd30ac4f80747cefc4435b9bf745a0bd6692cd547dfcf0e744aa40ad2f42b6ae39fdda41965dba228d3305d7977e55c94bce |
| Imphash | 147442e63270e287ed57d33257638324 |
| File Size | 19456 bytes |
Trojan.Win64.CobaltStrike.tr Removal
Gridinsoft has the capability to identify and eliminate Trojan.Win64.CobaltStrike.tr without requiring further user intervention.
- Start by downloading Gridinsoft Anti-Malware to your computer.
- Double-click on the gsam-en-install.exe file and follow the on-screen instructions to install the program.
- Once the installation of Gridinsoft Anti-Malware is complete, the program will open on the Scan screen.
- Click on the "Standard Scan" button.
- After the scanning process is finished, click on "Clean Now" to remove any detected threats.
- If prompted, restart your system to complete the removal process.
Portable Executable Info
| Image Base: | 0x00400000 |
| Entry Point: | 0x004014c0 |
| Compilation: | 1970-01-01 00:00:00 |
| Checksum: | 0x0000969b (Actual: 0x0000969b) |
| OS Version: | 4.0 |
| PEiD: | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
| Sign: | The PE file does not contain a certificate table. |
| Sections: | 9 |
| Imports: | KERNEL32, msvcrt, |
| Exports: | 0 |
| Resources: | 0 |
Sections
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Entropy |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x000020a8 | 0x00002200 | 3040ba596609d0f7ba50ac030468b13e | 5.92 |
| .data | 0x00004000 | 0x000004f0 | 0x00000600 | 609326129f49cdc37213ae90bdfef8b0 | 5.82 |
| .rdata | 0x00005000 | 0x00000910 | 0x00000a00 | b02c91451e7abad85f4a5bbe48fd6333 | 4.47 |
| .pdata | 0x00006000 | 0x000002b8 | 0x00000400 | ad5ec754cf0e204a3a3c39436081f3bc | 2.97 |
| .xdata | 0x00007000 | 0x00000238 | 0x00000400 | 6ce9e303fb86766d702ecb2b174cf348 | 2.63 |
| .bss | 0x00008000 | 0x000009d0 | 0x00000000 | d41d8cd98f00b204e9800998ecf8427e | 0.00 |
| .idata | 0x00009000 | 0x000008d8 | 0x00000a00 | ec8dedb62953693cf02784f71f75d547 | 3.71 |
| .CRT | 0x0000a000 | 0x00000068 | 0x00000200 | 52d79e9aecf5d5c3145d3ec54aa197a8 | 0.27 |
| .tls | 0x0000b000 | 0x00000010 | 0x00000200 | bf619eac0cdf3f68d496ea9344137e8b | 0.00 |
