
Reconstruct executable from tcp-stream

I have captured a bunch of packets from a connection. I found a packet of interest and followed the stream. From what I see, it should be an executable; MZARUH in the header seems to be a signature for a Cobalt Strike exploit. My question: how can I reconstruct this executable if I only have the TCP stream? If you could provide me with a step-by-step guide, this would be great. Or is there at least a possibility to prove the theory that the submitted packets are parts of a malware? Thank you,

Patrick
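As an added example (not part of the question above), the following Python script shows one way to carve a PE executable out of the raw bytes of a TCP stream. The assumed workflow is: in Wireshark, Follow TCP Stream, pick the server-to-client direction, set "Show data as" to Raw, and save the bytes to a file; the script then locates an MZ header, validates it by following e_lfanew to the PE signature, and computes the file's on-disk size from the section table (the largest PointerToRawData + SizeOfRawData), which is the usual way to know where a PE ends inside a larger blob. The HTTP header and the minimal two-section PE32+ image used as input are constructed here for the example and are not malware; the filename and the dictionary fields are my own naming.

```python
"""Carve a PE (MZ/PE) image out of a raw TCP stream dump.

Added example for the question above, not code from the original post.
Input is assumed to be the bytes saved from Wireshark's Follow TCP Stream
dialog ("Show data as: Raw", one direction only).
"""
import hashlib
import struct
import sys
from typing import Dict, List, Optional, Tuple

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def parse_pe_headers(data: bytes, mz_off: int) -> Optional[Tuple[int, List[str]]]:
    """Return (expected_file_size, section_names) for a PE whose DOS header
    starts at mz_off, or None when the headers are not self-consistent
    (e.g. a stray 'MZ' inside HTTP text or some other payload)."""
    if data[mz_off:mz_off + 2] != DOS_MAGIC or mz_off + 0x40 > len(data):
        return None
    e_lfanew, = struct.unpack_from("<I", data, mz_off + 0x3C)
    pe_off = mz_off + e_lfanew
    # e_lfanew is attacker controlled: bound it before using it as an offset.
    if e_lfanew > 0x1000 or pe_off + 4 + COFF_HEADER_SIZE > len(data):
        return None
    if data[pe_off:pe_off + 4] != PE_MAGIC:
        return None
    num_sections, = struct.unpack_from("<H", data, pe_off + 6)   # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)      # COFF SizeOfOptionalHeader
    if num_sections == 0 or num_sections > 96:                   # 96 is the loader's limit
        return None
    sec_table = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size       # relative to file start
    end = sec_table + num_sections * SECTION_HEADER_SIZE
    names: List[str] = []
    for i in range(num_sections):
        hdr = mz_off + sec_table + i * SECTION_HEADER_SIZE
        if hdr + SECTION_HEADER_SIZE > len(data):
            return None                                          # section table itself is cut off
        names.append(data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace"))
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return end, names


def carve_pe(stream: bytes) -> List[Dict]:
    """Find every consistent PE image in the stream and return carved blobs.
    A hit whose declared size runs past the captured bytes is reported with
    complete=False (truncated transfer) instead of being silently trimmed."""
    hits: List[Dict] = []
    pos = stream.find(DOS_MAGIC)
    while pos != -1:
        parsed = parse_pe_headers(stream, pos)
        if parsed is None:
            pos = stream.find(DOS_MAGIC, pos + 1)
            continue
        size, names = parsed
        blob = stream[pos:pos + size]
        hits.append({
            "offset": pos, "size": size, "captured": len(blob),
            "complete": len(blob) == size, "sections": names,
            "sha256": hashlib.sha256(blob).hexdigest(), "data": blob,
        })
        pos = stream.find(DOS_MAGIC, pos + size)
    return hits


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ image (two sections, no real code), not malware."""
    opt_size, num_sections = 0xF0, 2
    dos = bytearray(0x40)
    dos[0:6] = b"MZARUH"                       # the bytes seen in the question; cosmetic here
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, num_sections, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ optional-header magic
    sections = b""
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    for name, vsz, va, rsz, rptr in [(b".text", 0x200, 0x1000, 0x200, 0x200),
                                     (b".data", 0x100, 0x2000, 0x100, 0x400)]:
        sections += struct.pack("<8sIIIIIIHHI", name, vsz, va, rsz, rptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(0x500)                   # last section ends at 0x400 + 0x100
    headers = bytes(dos) + PE_MAGIC + coff + bytes(opt) + sections
    image[:len(headers)] = headers
    image[0x200:0x400] = b"\xcc" * 0x200
    image[0x400:0x500] = b"D" * 0x100
    return bytes(image)


def build_sample_stream() -> bytes:
    """Constructed server->client stream: an HTTP response (with a decoy 'MZ'
    in a header line) carrying the sample PE, followed by stray trailing bytes."""
    http = (b"HTTP/1.1 200 OK\r\nServer: constructed-sample\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"X-Note: MZ here is a decoy, not a file\r\n"
            b"Content-Length: 1280\r\n\r\n")
    return http + build_sample_pe() + b"\r\ntrailing-bytes\r\n"


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_stream()
    for n, hit in enumerate(carve_pe(raw)):
        with open(f"carved_{n}.bin", "wb") as out:
            out.write(hit["data"])
        print(f"offset={hit['offset']:#x} size={hit['size']:#x} complete={hit['complete']} "
              f"sections={hit['sections']} sha256={hit['sha256']}")
```

Run it with the saved stream file as the argument, or without arguments to see it work on the constructed sample. Two caveats that matter in practice: the carve only works on the reassembled stream as Wireshark presents it, so if the transfer was HTTP with chunked transfer encoding or a Content-Encoding, use Export Objects > HTTP (or decode the body first) rather than the raw bytes; and a complete=False result means the capture stopped before the download finished, so the file cannot be fully reconstructed from this pcap. The SHA-256 of a complete carve is what you would look up in a malware-reputation service or feed to a YARA scan to support (or refute) the Cobalt Strike theory; the carver itself only establishes that the bytes are a structurally valid PE, not that they are malicious.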