{
	"id": "85d67048-b321-4877-b6d7-b8de45fa0106",
	"created_at": "2026-04-06T00:19:37.192157Z",
	"updated_at": "2026-04-10T03:24:24.551537Z",
	"deleted_at": null,
	"sha1_hash": "e2b6271e7bc7ef0d0e799037138faad9042f51af",
	"title": "New Tool: cs-extract-key.py",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68583,
	"plain_text": "New Tool: cs-extract-key.py\r\nPublished: 2021-11-03 · Archived: 2026-04-05 20:16:25 UTC\r\nNew Tool: cs-extract-key.py\r\ncs-extract-key.py is a tool designed to extract cryptographic keys from Cobalt Strike beacon process memory\r\ndumps.\r\nThis tool was already available in my beta repository.\r\nThis tool can extract cryptographic keys from process memory dumps of a version 3.x beacon directly:\r\nAnd from version 4.x together with encrypted data extracted from network capture:\r\nMore details can be found in the man page, and in an upcoming blog post.\r\ncs-extract-key_V0_0_1.zip (https)\r\nMD5: 4102A5A5BFD4D432DA4A721D43F568F5\r\nSHA256: BBEDF6CBFFF51669187694F463C32A49F53420BEDF8B76508D06850643DE334F\r\nhttps://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/\r\nPage 1 of 2\n\nSource: https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/\r\nhttps://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/"
	],
	"report_names": [
		"new-tool-cs-extract-key-py"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434777,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2b6271e7bc7ef0d0e799037138faad9042f51af.pdf",
		"text": "https://archive.orkl.eu/e2b6271e7bc7ef0d0e799037138faad9042f51af.txt",
		"img": "https://archive.orkl.eu/e2b6271e7bc7ef0d0e799037138faad9042f51af.jpg"
	}
}