{
	"id": "f7aa9644-fca0-4625-9305-acf366b1cd0e",
	"created_at": "2026-04-06T02:12:47.359195Z",
	"updated_at": "2026-04-10T03:36:33.440339Z",
	"deleted_at": null,
	"sha1_hash": "fdc6fa43615737aff1a630678371c671e55a871e",
	"title": "[QuickNote] CobaltStrike SMB Beacon Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 972269,
	"plain_text": "[QuickNote] CobaltStrike SMB Beacon Analysis\r\nPublished: 2022-06-04 · Archived: 2026-04-06 01:35:14 UTC\r\n1. Executive Summary\r\nAt VinCSS, I recently wrote an analysis of samples belonging to the Mustang Panda (PlugX) group. All of these samples were uploaded from Vietnam; the analysis is available as a Vietnamese and an English blog post. However, among all the uploaded log.dll files there is one that is unrelated to Mustang Panda’s attack technique; it is marked in the following picture:\r\n2. Analyze log.dll\r\nThis file is smaller than the others. Its original name is imageres.dll, and it exports many functions that all resolve to the same address; the only notable export is LogInit:\r\nhttps://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/\r\nPage 1 of 8\n\nAnalyzing LogInit’s code in IDA, I see that it builds the path to the mpengindrv.db file:\r\nNext, it reads the content of mpengindrv.db into an allocated memory region and decrypts it with RC4, using the decryption key “A5A7F7E2B00C4A2B87FC0123F933EBD6”. After successful decryption, it calls the decrypted payload to execute it:\r\n3. Hunting and decrypting\r\nHunting for the mpengindrv.db file on VT, I found a single file, uploaded from Vietnam at the same time as the log.dll file above:\r\nDecrypting the file with CyberChef shows that the result is a PE file, but immediately after the MZ signature is the opcode of a call instruction (0xE8):\r\nSaving the decrypted file to disk and disassembling its first bytes shows two calls, as follows:\r\nThis reminds me of the ReflectiveLoader technique that I analyzed in this article: the MZ bytes themselves decode as harmless x86 instructions, so the blob can be executed from its very first byte, and the call that follows transfers control to the loader. Static analysis of the decrypted file shows that it is a DLL with the original name Lotes.dll, exporting a single function, ReflectiveLoader.\r\nThe unusual point, however, is that its Import Table is wrong and the section names are garbled characters:\r\n4. Analyze Lotes.dll\r\nLoading the DLL into IDA, the code of the ReflectiveLoader function is similar to the code here, but it has been modified slightly in the way it processes the import table. It first reads the NumberOfSymbols value from the File Header and stores it in a variable; this variable is used as the xor_key. Then, while processing the import table, it uses that xor_key to decode the names of the DLLs as well as the names of the API functions that the malicious code will use:\r\nBased on the above information, it is easy to recover the Import Table:\r\nAfter the loader finishes, it calls the entry point of the DLL to execute it:\r\nThe code at DllEntryPoint calls DllMain, which in turn calls the function f_decrypt_and_parse_beacon_config. The reason I know this is a CobaltStrike Beacon is that f_decrypt_and_parse_beacon_config decodes the config with a hard-coded XOR key of 0x2e. The value 0x2e is used by Beacon version 4 (earlier 3.x Beacons used 0x69).\r\nBased on this, I used the 1768.py script by Didier Stevens to extract the Beacon configuration. The result shows that this is an SMB Beacon:\r\nEnd.\r\nm4n0w4r\r\nSource: https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/"
	],
	"report_names": [
		"quicknote-cobaltstrike-smb-beacon-analysis-2"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441567,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fdc6fa43615737aff1a630678371c671e55a871e.pdf",
		"text": "https://archive.orkl.eu/fdc6fa43615737aff1a630678371c671e55a871e.txt",
		"img": "https://archive.orkl.eu/fdc6fa43615737aff1a630678371c671e55a871e.jpg"
	}
}