{
	"id": "e17af569-4a71-4a1c-84a1-21c93055db05",
	"created_at": "2026-04-06T00:12:53.504661Z",
	"updated_at": "2026-04-10T03:21:16.314426Z",
	"deleted_at": null,
	"sha1_hash": "0ab198ace7a13fd3aa0ab6e3932ad0397d26ac29",
	"title": "TrickBot Crews New CobaltStrike Loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1171603,
	"plain_text": "TrickBot Crews New CobaltStrike Loader\r\nBy Jason Reaves\r\nPublished: 2021-04-05 · Archived: 2026-04-05 20:56:59 UTC\r\n4 min read\r\nApr 5, 2021\r\nBy: Jason Reaves and Joshua Platt\r\nRecently we stumbled upon a new CS loader being leveraged by an actor involved in TrickBot's CS and ransom operations.\r\nhttps://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c\r\nPage 1 of 8\n\nRef: Virustotal.com\r\nIn the screenshot above we can see domains that have been leveraged by TrickBot's crew for running their CobaltStrike infections in the past. Another sample recently showed up which is a new loader; as we will see later, it is also for delivering CobaltStrike, but in a new way compared to their previous deliveries: it leverages GitHub for hosting the encoded data.\r\nNew Loader\r\nMD5: 5b203929f9e42c6d14b7153c5f11d387\r\nSHA1: 4e6a42b0da1185a4331e085ee68b64f61e1d9e83\r\nSHA256: 0234f80c6fd3768f9619d6fcd50d775ec686719fcc665007bfd1606bbe787744\r\nMost of the important strings are obfuscated:\r\nString stored in data\r\nString loaded on stack\r\nIn both cases the strings are ultimately decoded by XORing with a single byte and subtracting the iterator+1 from the value; in these cases the XOR key is simply 0, however. An example of IDA code for decoding the various strings can be found below:\r\nimport idc\r\nfrom idc import *  # legacy IDAPython helpers GetMnem / GetOperandValue\r\n\r\ndef decode(s, k):\r\n    # Skip the 5-byte header, then undo the per-byte transform:\r\n    # XOR with the single-byte key, then subtract (index + 1).\r\n    blob = bytearray(s[5:])\r\n    for i in range(len(blob)):\r\n        blob[i] ^= k\r\n        blob[i] = (blob[i] - (i + 1)) \u0026 0xff\r\n    return blob\r\n\r\ndef tdecode(addr):\r\n    # Collect the immediates from the run of \"mov\" instructions that build\r\n    # the string on the stack, stopping at the terminating mov of 0.\r\n    out = bytearray()\r\n    while GetMnem(addr) == \"mov\" and GetOperandValue(addr, 1) != 0:\r\n        out.append(GetOperandValue(addr, 1) \u0026 0xff)  # each mov writes one byte\r\n        addr = idc.NextHead(addr)\r\n    return decode(out, 0)  # XOR key is 0 in this sample\r\nA partial listing of relevant strings can be found below:\r\nAsderfolkij092/laughing-pancake/main/profile.jpg\r\nCurl\r\nGET\r\nraw.githubusercontent.com\r\nNtAllocateVirtualMemory\r\nwininet.dll\r\nLoadLibraryW\r\nC:\\Windows\\System32\\ntdll.dll\r\nHttpSendRequestW\r\nlogo.png\r\nC:\\Windows\\System32\\kernel32.dll\r\nThe sample will manually load kernel32.dll and ntdll.dll into memory to resolve some of its functions but will utilize LoadLibraryW for loading wininet.dll. The sample will also utilize VirtualAllocExNuma for loading the DLLs into memory:\r\nAfter resolving the necessary dependencies the loader will simply attempt to download a file that will be decoded and then executed in memory. As can be seen in the partial listing of strings above, this file was being hosted on GitHub at one time:\r\nraw.githubusercontent.com/Asderfolkij092/laughing-pancake/main/profile.jpg\r\nThis account is no longer active and appears to have been deleted, possibly alluding to the actors cleaning up after themselves after leveraging their campaigns. We did manage to discover an active account being leveraged, however:\r\nRef: github.com\r\nThe file that will be used is in the ‘ubiquitous-sniffle’ repository:\r\nRef: github.com\r\nThe safety.png file is not an image at all; it is actually just a small binary blob of data:\r\n00000000: 00b9 e031 3244 200d 1c02 71cc 1058 8486 ...12D ...q..X..\r\n00000010: 4023 3018 22c4 3364 228c 8878 2e0a d488 @#0.\".3d\"..x....\r\n00000020: 8746 0c81 353e 7614 5903 630d 1920 49da .F..5\u003ev.Y.c.. I.\r\n00000030: 3038 7186 4822 28f1 d8a8 c132 a110 9031 08q.H\"(....2...1\r\n00000040: 6d60 3c68 13a7 c018 1379 e2c1 7113 cf49 m`\u003ch.....y..q..I\r\n00000050: 8132 764e 242a f046 cc92 3533 1a11 28e4 .2vN$*.F..53..(.\r\n00000060: 86c1 2057 0d12 11e8 52e0 901c 51bb 52c4 .. W....R...Q.R.\r\n\u003c...\u003e\r\nAfter we decode this blob of data we are left with a C-style string of hex bytes which appear at first glance to be shellcode:\r\n\\xFC\\x48\\x83\\xE4\\xF0\\xE8\\xC8\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x\r\nConverting to bytes:\r\n\u003c...\u003e\r\n\\x82\\xff\\xff\\xff/gifs20210122.dat\\x00\\xb4\\xeb\\xee\\x92?\\xfe\\xfc\\x9f\\xce\\x92{\\x14\\xe3P\\xd9\\xef\\x89\\xd5\\\r\nWhich will download a 64-bit CobaltStrike beacon:\r\n{ 'C2_CHUNK_POST': '0',\r\n 'C2_POSTREQ': '[(\\'_HEADER\\', 0, \"bytearray(b\\'Accept: */*\\')\"), (\\'_HEADER\\', 0, \"bytearray(b\\'C\r\n 'C2_RECOVER': \"b'04000000010000002400000008000000010000008c'\",\r\n 'C2_REQUEST': '[(\\'_HEADER\\', 0, \"bytearray(b\\'Accept: image/webp,*/*\\')\"), (\\'_HEADER\\', 0, \"byt\r\n 'C2_VERB_GET': 'GET',\r\n 'C2_VERB_POST': 'POST',\r\n 'CRYPTO_sCHEME': '0',\r\n 'DOMAINS': 'subs.rainbowmango.info ,/share/pink,food.rainbowmango.info,/share/pink',\r\n 'HostHeader': '',\r\n 'ITTER': '55',\r\n 'KillDate': '0',\r\n 'MAXGET': '2097468',\r\n 'ObfSectionsInfo': \"b'c0020072b8030000c00300888504000090040034b0040000c004005ecf04'\",\r\n 'PORT': '443',\r\n 'PROTOCOL': '8',\r\n 'PROXY_BEHAVIOR': '2',\r\n 'PUBKEY': \"b'30819f300d06092a864886f70d010101050003818d0030818902818100a70991d69d816a601ffa809764\r\n 'ProcInject_AllocationMethod': '0',\r\n 'ProcInject_Execute': '\\x01\\x03\\x06\\x10\\x00\\x00\\x00\\x00\\nntdll.dll\\x00\\x00\\x00\\x00\\x13RtlUserThre\r\n 'ProcInject_MinAllocSize': '16535',\r\n 'ProcInject_Prepend_x64': '',\r\n 'ProcInject_Prepend_x86': '',\r\n 'ProcInject_StartRWX': '4',\r\n 'ProcInject_Stub': \"b'0ce2f55444e4793516b5afe967be9255'\",\r\n 'ProcInject_UseRWX': '32',\r\n 'SLEEPTIME': '6145',\r\n 'SPAWNTO': '',\r\n 'SPAWNTO_X64': '%windir%\\\\sysnative\\\\gpupdate.exe',\r\n 'SPAWNTO_X86': '%windir%\\\\syswow64\\\\gpupdate.exe',\r\n 'SUBMITURI': '/us',\r\n 'USERAGENT': 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:74.0) Gecko/2010010101 Firefox/74.0',\r\n 'UsesCookies': '1',\r\n 'WATERMARK': '1359593325',\r\n 'bCFGCaution': '0',\r\n 'bStageCleanup': '0',\r\n 'textSectEnd': '177872'}\r\nReferences\r\n1. https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocexnuma\r\n2. https://virustotal.com\r\n3. https://github.com\r\nSource: https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c"
	],
	"report_names": [
		"trickbot-crews-new-cobaltstrike-loader-32c72b78e81c"
	],
	"threat_actors": [],
	"ts_created_at": 1775434373,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ab198ace7a13fd3aa0ab6e3932ad0397d26ac29.pdf",
		"text": "https://archive.orkl.eu/0ab198ace7a13fd3aa0ab6e3932ad0397d26ac29.txt",
		"img": "https://archive.orkl.eu/0ab198ace7a13fd3aa0ab6e3932ad0397d26ac29.jpg"
	}
}