Reconstruct executable from tcp-stream

asked 2024-05-10 14:53:04 +0000

Pattel

I have captured a bunch of packets from a connection. I found a packet of interest and followed the stream. From what I see, it should be an executable; MZARUH in the header seems to be a signature for a Cobalt Strike exploit. My question: how can I reconstruct this executable if I only have the TCP stream? If you could provide me with a step-by-step, this would be great. Or is there at least a possibility to prove the theory that the submitted packets are parts of a malware? Thank you,



1 Answer


answered 2024-05-12 14:41:24 +0000

SYN-bit

There are many ways to transport a file (in your case probably an executable) over TCP. This makes it really hard to provide you with a step by step procedure.

  • You could do a follow TCP stream and save the content (in RAW format), if it is a clean transfer like when transferred by FTP
  • You could do an export object if the exe was transferred over SMB/SMB2 or HTTP?
  • You can carve out the precise data bytes from a stream if you know where the exe starts and ends?

If you are able to share the file, we could perhaps help you better :-)

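An added example, not part of the original answer: one way to do the carving from the last bullet when the start and end are not known in advance. It assumes the stream was saved in Raw format from Follow TCP Stream and that the executable crossed the wire unencoded; the function names and the sample input are constructed for illustration.

```python
import hashlib
import struct

def pe_size(data, base):
    """On-disk size of a PE image starting at base, or 0 if headers are invalid."""
    if base + 0x40 > len(data):
        return 0
    (e_lfanew,) = struct.unpack_from("<I", data, base + 0x3C)
    nt = base + e_lfanew
    if nt + 24 > len(data) or data[nt:nt + 4] != b"PE\0\0":
        return 0
    (nsect,) = struct.unpack_from("<H", data, nt + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, nt + 20)  # SizeOfOptionalHeader
    table = nt + 24 + opt_size
    if nsect == 0 or table + 40 * nsect > len(data):
        return 0
    end = table + 40 * nsect - base
    for i in range(nsect):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in a section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def carve_pe(stream):
    """Return (offset, image_bytes, complete) for the first valid PE, or None."""
    pos = stream.find(b"MZ")
    while pos != -1:
        size = pe_size(stream, pos)
        if size:
            image = stream[pos:pos + size]
            return pos, image, len(image) == size  # complete=False: capture is short
        pos = stream.find(b"MZ", pos + 1)
    return None

def sample_stream():
    """Constructed input: 4 protocol bytes + minimal one-section PE + trailer."""
    pe = bytearray(0x400)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)            # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", pe, 0x84, 0x8664, 1)      # Machine, NumberOfSections
    struct.pack_into("<H", pe, 0x94, 0xF0)            # SizeOfOptionalHeader
    sect = 0x80 + 24 + 0xF0                           # first section header
    struct.pack_into("<II", pe, sect + 16, 0x200, 0x200)  # raw size, raw pointer
    return b"\x00\x00\x10\x00" + bytes(pe) + b"TRAILER"

if __name__ == "__main__":
    off, image, complete = carve_pe(sample_stream())
    print(hex(off), len(image), complete, hashlib.sha256(image).hexdigest())
```

The size comes from the section table only, so data appended after the last section is not included, and a `complete` value of `False` means the capture ended before the image did. The SHA-256 of the carved bytes can be checked against known samples without running the file.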


Asked: 2024-05-10 14:53:04 +0000

Seen: 84 times

Last updated: May 12