{
	"id": "d85e8731-a94e-4fb2-acba-30dcaa87d4f5",
	"created_at": "2026-04-06T00:11:54.464435Z",
	"updated_at": "2026-04-10T03:24:23.494059Z",
	"deleted_at": null,
	"sha1_hash": "dd291e70fd79ee41a0f33e4176a44adc8e49677b",
	"title": "Hunting for Cobalt Strike in PCAP",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 125790,
	"plain_text": "Hunting for Cobalt Strike in PCAP\r\nBy Erik Hjelmvik\r\nPublished: 2024-01-04 · Archived: 2026-04-05 17:39:42 UTC\r\nThursday, 04 January 2024 10:12:00 (UTC/GMT)\r\nIn this video I analyze a pcap file with network traffic from Cobalt Strike Beacon using CapLoader.\r\nThe pcap file and Cobalt Strike malware config can be downloaded from Recorded Future's Triage sandbox.\r\nCobalt Strike Beacon configs can also be extracted locally with the help of Didier Stevens' 1768.py or Fox-IT's dissect.cobaltstrike.\r\nIOC List\r\nMD5 99516071d8f3e78e51200948bf377c4c\r\nSHA1 59fe505b24bdfa54ee6e4188ed8b88af9a42eb86\r\nSHA256 10e68f3e6c73161a1bba85ef9bada0cd79e25382ea8f8635bec4aa51bfe6c707\r\nJA3 a0e9f5d64349fb13191bc781f81f42e1\r\nJA4 t12d190800_d83cc789557e_7af1ed941c26\r\nIP:port 104.21.88.185:2096 (Cloudflare)\r\nDomain mail.googlesmail.xyz (Go Daddy)\r\nNetwork Forensics Training\r\nAre you interested in learning more about how to analyze network traffic from Cobalt Strike and other backdoors, malware and hacker tools? Then take a look at our upcoming network forensics classes!\r\nPosted by Erik Hjelmvik on Thursday, 04 January 2024 10:12:00 (UTC/GMT)\r\nhttps://www.netresec.com/?page=Blog\u0026month=2024-01\u0026post=Hunting-for-Cobalt-Strike-in-PCAP\r\nPage 1 of 2\r\nTags: #CobaltStrike #Triage #JA3 #a0e9f5d64349fb13191bc781f81f42e1 #ThreatFox #CapLoader #Video #videotutorial\r\nShort URL: https://netresec.com/?b=2410f02\r\nSource: https://www.netresec.com/?page=Blog\u0026month=2024-01\u0026post=Hunting-for-Cobalt-Strike-in-PCAP",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.netresec.com/?page=Blog\u0026month=2024-01\u0026post=Hunting-for-Cobalt-Strike-in-PCAP"
	],
	"report_names": [
		"?page=Blog\u0026month=2024-01\u0026post=Hunting-for-Cobalt-Strike-in-PCAP"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434314,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd291e70fd79ee41a0f33e4176a44adc8e49677b.pdf",
		"text": "https://archive.orkl.eu/dd291e70fd79ee41a0f33e4176a44adc8e49677b.txt",
		"img": "https://archive.orkl.eu/dd291e70fd79ee41a0f33e4176a44adc8e49677b.jpg"
	}
}