CobaltStrike - beacon.dll : Your No Ordinary MZ Header
Published: 2019-11-05 · Archived: 2026-04-05 20:04:44 UTC

Today I found an interesting sample that was flagged as a Cobalt Strike sample in app.any.run (links are below). The execution of this file is quite interesting: it evades detection by running multiple component files and by using the DOS header itself to execute a small shellcode.

SFX CODE:

This sample starts with an SFX file that contains an executable named "virus_load.exe" and a blob file named "k2Hw". The SFX runs virus_load.exe based on its setup script.

figure 1: the sfx to execute virus_load.exe

virus_load.exe and the k2Hw files:

This part of the execution is also interesting, because virus_load.exe is only a loader of "k2Hw". The blob file is a shellcode that decrypts and executes "beacon.dll" by calling the CreateThread API.

figure 2: virus_load.exe loading the "k2Hw" blob file.

The shellcode is not big actually; the only task it performs is to decrypt the actual payload, beacon.dll, using the initial decryption key at offset 0x40.

figure 3: decryption routine to decrypt the beacon.dll
figure 4: the initial structure of the k2Hw shellcode

Interesting Execution of Its Export function:

This part is quite interesting, because it uses only around 40 bytes of code, including the actual "MZ" header, to jump to and execute its export function "_ReflectiveLoader@4".

figure 5: the shellcode structure including the MZ header
figure 6: 0x4F + 0x9155 = 0x91A4, the export function of this dll payload.

Some Backdoor Features:

This .dll file waits for backdoor commands to execute several functions on the infected machine. Some of them are: read file, write file, open process, set current directory, impersonate process, LSA server un-trusted connection, create and open services, code injection and many more.

figure 7: Process Impersonation
figure 8: CurrentProcess Code Injection
figure 9: LSA Server Connection

Conclusion:

In this sample we saw how malware tries different approaches to execute its code, even in the actual DOS header of the PE file. This technique is not new but is still effective for running code or shellcode.

IOC:

Debug.exe
  Sha1:   9e16e2de4e4da93965b3cbcd19bbaf32b490bf63
  MD5:    e2d265ced204eb807cb5ed0093500205
  Sha256: 3462e89f38d399d93e2dbe2cf415f8dabbd93c45bd8b9725274116c9b309be88

beacon.dll
  Sha1:   19359d10155d98414c03951fd4871c0b387f7dd7
  MD5:    5cd3ba72cda97276bb77c42e42e2fb7c
  Sha256: 31d9bde8825cad11a6072fc2b8f320e2686966232b7471fe2fb9ea2ca2873fbd

https://app.any.run/tasks/dc833ad4-508a-42eb-9bc2-cef42a558e89/
https://www.virustotal.com/gui/file/3462e89f38d399d93e2dbe2cf415f8dabbd93c45bd8b9725274116c9b309be88/detection

YARA:

    import "pe"

    rule unpack_CobaltStrike_beacon_dll_
    {
        meta:
            author = "tcontre"
            description = "detecting Cobaltstrike malware"
            date = "2019-11-05"
            sha256 = "31d9bde8825cad11a6072fc2b8f320e2686966232b7471fe2fb9ea2ca2873fbd"

        strings:
            // the MZ header that doubles as the jump stub to _ReflectiveLoader@4
            $mz = { 4d 5a }
            $shell = { 4D 5A E8 00 00 00 00 5B 89 DF 52 45 55 89 E5 81 C3 55 91 00 00 FF D3 }
            // code fragments from the decrypted beacon.dll
            $code2 = { 64 A1 30 00 00 00 89 45 C0 8B 45 C0 8B 40 0C 89 }
            $code3 = { 8B 45 8C C1 C8 0D 89 45 8C 8B 45 88 0F BE 00 03 }
            // format strings used by the beacon
            $s1 = "cdn.%x%x.%s" fullword
            $s2 = "www6.%x%x.%s" fullword
            $s3 = "%s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s" fullword

        condition:
            ($mz at 0) and ($shell at 0) or 2 of ($code*) and 1 of ($s*)
    }

Source: https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html
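The MZ-header stub described in "Interesting Execution of Its Export function", and matched by the $shell bytes of the YARA rule above, decoded in Python as an added example (not code from the original post or from Cobalt Strike). It finds the get-PC idiom (call $+5 / pop ebx) inside the first 0x40 bytes of a PE image, reads the immediate of the following add ebx and reports where call ebx lands, relative to the MZ byte; the post's figure 6 performs the same sum with the return address as it appears in the dump (0x4F), giving 0x91A4. The build_sample helper and both input buffers are constructed for the demo.

```python
import struct

# $shell bytes from the post's YARA rule (constructed from the rule text).
# The MZ signature doubles as x86 code:
#   4D dec ebp / 5A pop edx / E8 00000000 call $+5 / 5B pop ebx (ebx = next byte)
#   89 DF mov edi,ebx / 52 push edx / 45 inc ebp / 55 push ebp / 89 E5 mov ebp,esp
#   81 C3 imm32 add ebx, imm32 (0x9155 in this sample) / FF D3 call ebx
SHELL_STUB = bytes.fromhex("4D5AE8000000005B89DF52455589E581C355910000FFD3")

GET_PC = b"\xE8\x00\x00\x00\x00\x5B"   # call $+5 ; pop ebx
ADD_EBX = b"\x81\xC3"                   # add ebx, imm32
CALL_EBX = b"\xFF\xD3"                  # call ebx


def decode_mz_stub(data: bytes):
    """Inspect the DOS header (first 0x40 bytes) of a PE image.

    Returns None for a conventional header, or a dict with the value that
    `pop ebx` yields, the immediate added to it, and the resulting call
    target, all as offsets from the MZ byte.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pc = data.find(GET_PC, 0, 0x40)
    if pc < 0:
        return None
    pc_value = pc + 5                      # address right after the 5-byte call
    add = data.find(ADD_EBX, pc_value, 0x40)
    if add < 0 or data[add + 6:add + 8] != CALL_EBX:
        return None
    imm = struct.unpack_from("<I", data, add + 2)[0]
    return {"pc_value": pc_value, "imm": imm, "target": pc_value + imm}


def build_sample(dos_header_prefix: bytes) -> bytes:
    """Constructed minimal PE-like buffer: prefix padded to 0x3C, e_lfanew = 0x80."""
    hdr = dos_header_prefix.ljust(0x3C, b"\0") + struct.pack("<I", 0x80)
    return hdr.ljust(0x80, b"\0") + b"PE\0\0"


# Constructed inputs: the sample's stub header, and a conventional header whose
# first 0x40 bytes hold ordinary field values rather than executable code.
SUSPICIOUS = build_sample(SHELL_STUB)
BENIGN = build_sample(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xFF\xFF\x00\x00")

if __name__ == "__main__":
    print(decode_mz_stub(SUSPICIOUS))   # {'pc_value': 7, 'imm': 37205, 'target': 37212}
    print(decode_mz_stub(BENIGN))       # None
```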