MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05c944314d0c39b3f389a6ed36b5adc5f2d8521b5a1d9a82d2f36ab1acbbce87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 14

Intelligence 14 IOCs YARA 13 File information Comments

SHA256 hash:	05c944314d0c39b3f389a6ed36b5adc5f2d8521b5a1d9a82d2f36ab1acbbce87
SHA3-384 hash:	2707cfd1314b75b308600abab691cf35e7eb978b6479e19bc8f1bb522d9881e8d1d8aa567460bd06469b98d5824ac013
SHA1 hash:	7684910b8cf71402d58fe2ae3f03b179eec4078c
MD5 hash:	4e348eba565f9eb6f44ae698d23cb4b8
humanhash:	king-ten-eighteen-one
File name:	05c944314d0c39b3f389a6ed36b5adc5f2d8521b5a1d9a82d2f36ab1acbbce87.dll
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	294'912 bytes
First seen:	2025-12-14 11:53:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c1b0b10f7f368d57859597d521b9d555 (1 x CobaltStrike)
ssdeep	6144:nK336o2wsLG7iqi9Ca4T54N0JBo+TYYXxYHMlI:nKL2wOX38aVHOYYm+I
Threatray	486 similar samples on MalwareBazaar
TLSH	T1CA547D4972E025F5E467D27CCA578627E3F278524734D35F03A87A9A2F233B1622E712
Magika	pebin
Reporter	JAMESWT_WT
Tags:	CobaltStrike exe tgsoft-1693

Intelligence

File Origin

# of uploads :

# of downloads :

102

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

CobaltStrike

Details

CobaltStrike

a configuration XOR key and verbose configuration settings

Link:

https://research.acce.ciphertechsolutions.com/results/37d746e6-83ec-49c3-b84a-d37328b0670c/

Malware family:

n/a

ID:

File name:

_05c944314d0c39b3f389a6ed36b5adc5f2d8521b5a1d9a82d2f36ab1acbbce87.dll

Verdict:

No threats detected

Analysis date:

2025-12-14 11:56:06 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/806e27d7-6c74-41fc-8aa8-42b3a767660f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/44619/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=693ea567838ad7e485392724

Tags:

cobaltstrike emotet

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug base64 cobalt cobaltstrike crypto masquerade microsoft_visual_cc windows

Link:

https://www.filescan.io/uploads/693ea564154f74b93dd64a3a/reports/ba07c0d2-38b4-45a2-9347-3178fc921af2/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/05c944314d0c39b3f389a6ed36b5adc5f2d8521b5a1d9a82d2f36ab1acbbce87

Verdict:

Clean

File Type:

dll x64

Link:

https://opentip.kaspersky.com/05c944314d0c39b3f389a6ed36b5adc5f2d8521b5a1d9a82d2f36ab1acbbce87/results?tab=lookup

Malware family:

Cobalt Strike

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fe9f957f-0a15-4abd-bed8-f493b367b860

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/05c944314d0c39b3f389a6ed36b5adc5f2d8521b5a1d9a82d2f36ab1acbbce87

Verdict:

inconclusive

YARA:

6 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/4e348eba565f9eb6f44ae698d23cb4b8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/05c944314d0c39b3f389a6ed36b5adc5f2d8521b5a1d9a82d2f36ab1acbbce87/

Verdict:

Malicious

Threat:

Family.COBALTSTRIKE

Link:

https://tip.neiki.dev/file/05c944314d0c39b3f389a6ed36b5adc5f2d8521b5a1d9a82d2f36ab1acbbce87

Threat name:

Win64.Trojan.CobaltStrike

Status:

Malicious

First seen:

2025-11-11 11:25:58 UTC

File Type:

PE+ (Dll)

AV detection:

28 of 36 (77.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=axeuimknbq43h44ju3wtnnnnyxznquq3liozvaws6nvldlf3z2dq._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

05c944314d0c39b3f389a6ed36b5adc5f2d8521b5a1d9a82d2f36ab1acbbce87

CobaltStrike

25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787

CobaltStrike

323c126d241461bcf53a98317cd1b2cf4f053378e190fb9090af6bebf4708d97

CobaltStrike

ba795e91b7a1b2070dbb1e9e3dea657a3e0f8d7dd110b1a59630968c6bc7ae2e

CobaltStrike

error

CobaltStrike

+ 476 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:20000

Link:

https://tria.ge/reports/251214-n2zk5stqbn/

Malware Config

C2 Extraction:

http://webmail.revitpourtous.com:53/filestreamingservice/files/6ea77424-b4f6-4a77
http://mail.revitpourtous.com:53/filestreamingservice/files/6ea77424-b4f6-4a77

Verdict:

Unknown

Tags:

red_team_tool cobalt_strike

YARA:

MALW_cobaltrike win_cobalt_sleep_encrypt Windows_Trojan_CobaltStrike_663fc95d Windows_Trojan_CobaltStrike_f0b627fc HKTL_CobaltStrike_SleepMask_Jul22

Link:

https://app.threat.zone/submission/f07b4648-f697-4364-90e6-945700a7b67c

Unpacked files

SH256 hash:

05c944314d0c39b3f389a6ed36b5adc5f2d8521b5a1d9a82d2f36ab1acbbce87

MD5 hash:

4e348eba565f9eb6f44ae698d23cb4b8

SHA1 hash:

7684910b8cf71402d58fe2ae3f03b179eec4078c

Detections:

win_cobalt_strike_auto

cobaltstrike_xor_config

Link:

https://www.unpac.me/results/95bc1a44-543a-4570-a8db-66df66eece59/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/05c944314d0c39b3f389a6ed36b5adc5f2d8521b5a1d9a82d2f36ab1acbbce87

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CobaltStrike_C2_Encoded_XOR_Config_Indicator Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects CobaltStrike C2 encoded profile configuration

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	HKTL_CobaltStrike_SleepMask_Jul22 Create hunting rule
Author:	CodeX
Description:	Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated
Reference:	https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs

Rule name:	MALW_cobaltrike Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Rule to detect CobaltStrike beacon
Reference:	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_CobaltStrike_663fc95d Create hunting rule
Author:	Elastic Security
Description:	Identifies CobaltStrike via unidentified function code

Rule name:	Windows_Trojan_CobaltStrike_f0b627fc Create hunting rule
Description:	Rule for beacon reflective loader

Rule name:	Windows_Trojan_CobaltStrike_f0b627fc Create hunting rule
Author:	Elastic Security
Description:	Rule for beacon reflective loader

Rule name:	win_cobalt_sleep_encrypt Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects Sleep Encryption Logic Found in Cobalt Strike Deployments

Rule name:	win_cobalt_strike_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.cobalt_strike.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/44619/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample