{
	"id": "a25e3554-e6fe-4200-89e4-1b47c0b0c9d2",
	"created_at": "2026-04-06T00:21:44.411755Z",
	"updated_at": "2026-04-10T03:21:07.224905Z",
	"deleted_at": null,
	"sha1_hash": "a1e695e9787e11f85b3c078601dd011cf6e5b475",
	"title": "CobaltStrike - beacon.dll : Your No Ordinary MZ Header",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 994280,
	"plain_text": "CobaltStrike - beacon.dll : Your No Ordinary MZ Header\r\nPublished: 2019-11-05 · Archived: 2026-04-05 20:04:44 UTC\r\nToday I found an interesting sample that was flagged as a CobaltStrike sample in app.any.run (links are below). The execution of this file is quite interesting: it evades detection by running multiple component files and makes full use of the DOS header to execute a small shellcode.\r\nSFX CODE:\r\nThis sample starts with an SFX archive that contains an executable named \"virus_load.exe\" and a blob file named \"k2Hw\". The SFX runs virus_load.exe based on the setup script of the SFX file.\r\nfigure 1: the SFX executing virus_load.exe\r\nvirus_load.exe and the k2Hw files:\r\nThis part of the execution is also interesting, because virus_load.exe is only a loader for \"k2Hw\". That blob file is shellcode that decrypts and executes \"beacon.dll\" by calling the CreateThread API.\r\nhttps://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html\r\nPage 1 of 7\r\n\r\nfigure 2: virus_load.exe loading the \"k2Hw\" blob file.\r\nThe shellcode is actually not big; its only task is to decrypt the actual payload, beacon.dll, using the initial decryption key at offset 0x40.\r\nfigure 3: the decryption routine for beacon.dll\r\nfigure 4: the initial structure of the k2Hw shellcode\r\nInteresting Execution of Its Export Function:\r\nThis part is quite interesting, because it uses only around 40 bytes of code, including the actual \"MZ\" header, to jump to and execute its export function \"_ReflectiveLoader@4\".\r\nfigure 5: the shellcode structure including the MZ header\r\nfigure 6: 0x4F + 0x9155 = 0x91A4, the export function of this DLL payload.\r\nSome Backdoor Features:\r\nThis DLL waits for backdoor commands to execute several functions on the infected machine. Some of them are: read file, write file, open process, set current directory, impersonate process, LSA server untrusted connection, create and open services, code injection, and many more.\r\nfigure 7: Process Impersonation\r\nfigure 8: CurrentProcess Code Injection\r\nfigure 9: LSA Server Connection\r\nConclusion:\r\nIn this sample we saw how malware tries different approaches to execute its code, even from within the actual DOS header of the PE file. This technique is not new, but it is still effective for running code or shellcode.\r\nIOC:\r\nDebug.exe\r\nSHA1: 9e16e2de4e4da93965b3cbcd19bbaf32b490bf63\r\nMD5: e2d265ced204eb807cb5ed0093500205\r\nSHA256: 3462e89f38d399d93e2dbe2cf415f8dabbd93c45bd8b9725274116c9b309be88\r\nbeacon.dll\r\nSHA1: 19359d10155d98414c03951fd4871c0b387f7dd7\r\nMD5: 5cd3ba72cda97276bb77c42e42e2fb7c\r\nSHA256: 31d9bde8825cad11a6072fc2b8f320e2686966232b7471fe2fb9ea2ca2873fbd\r\nhttps://app.any.run/tasks/dc833ad4-508a-42eb-9bc2-cef42a558e89/\r\nhttps://www.virustotal.com/gui/file/3462e89f38d399d93e2dbe2cf415f8dabbd93c45bd8b9725274116c9b309be88/detection\r\nYARA:\r\nimport \"pe\"\r\n\r\nrule unpack_CobaltStrike_beacon_dll_ {\r\n    meta:\r\n        author = \"tcontre\"\r\n        description = \"detecting Cobaltstrike malware\"\r\n        date = \"2019-11-05\"\r\n        sha256 = \"31d9bde8825cad11a6072fc2b8f320e2686966232b7471fe2fb9ea2ca2873fbd\"\r\n    strings:\r\n        $mz = { 4d 5a }\r\n        $shell = { 4D 5A E8 00 00 00 00 5B 89 DF 52 45 55 89 E5 81 C3 55 91 00 00 FF D3 }\r\n        $code2 = { 64 A1 30 00 00 00 89 45 C0 8B 45 C0 8B 40 0C 89 }\r\n        $code3 = { 8B 45 8C C1 C8 0D 89 45 8C 8B 45 88 0F BE 00 03 }\r\n        $s1 = \"cdn.%x%x.%s\" fullword\r\n        $s2 = \"www6.%x%x.%s\" fullword\r\n        $s3 = \"%s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s\" fullword\r\n    condition:\r\n        ($mz at 0) and ($shell at 0) or 2 of ($code*) and 1 of ($s*)\r\n}\r\nSource: https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html"
	],
	"report_names": [
		"cobaltstrike-beacondll-your-not.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434904,
	"ts_updated_at": 1775791267,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a1e695e9787e11f85b3c078601dd011cf6e5b475.pdf",
		"text": "https://archive.orkl.eu/a1e695e9787e11f85b3c078601dd011cf6e5b475.txt",
		"img": "https://archive.orkl.eu/a1e695e9787e11f85b3c078601dd011cf6e5b475.jpg"
	}
}