MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0adfe8dab1b4339ffe2f36fadc728ebecf67dbc6077d2b62811ca4f60753ee70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Cobalt Strike


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0adfe8dab1b4339ffe2f36fadc728ebecf67dbc6077d2b62811ca4f60753ee70
SHA3-384 hash: 4b95b58f592210d907f69d709c60679bb40d9b28a2bcbe4eab5fabe945c2f4afeb4f61e84116570762fe63233a45b02f
SHA1 hash: 4064a9493d87bfc5eb8aacddcefa9aff63f23bd6
MD5 hash: cb5a7ef75bda312fe7efecb9fddab236
humanhash: foxtrot-march-massachusetts-angel
File name:update.ps1
Download: download sample
Signature Cobalt Strike
Create hunting rule
File size:362'024 bytes
First seen:2025-12-16 11:09:03 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 6144:nPgFNupx3J4MKjeiE2P6ICewYKTZZ6lzRj5zlIwW:nPgGnjKjKKblK6dW
Threatray 137 similar samples on MalwareBazaar
TLSH T1AF748F123F9328BDD200F33BD6B1A9D68980287D68F54D01F9E75D282AF16DD89F4267
Magika powershell
Reporter BlinkzSec
Tags:Cobalt Strike ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
63
Origin country :
US US
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.29509.UNOFFICIAL
Create hunting rule

Win.Trojan.CobaltStrike-7917400-0
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69413de24d2b81828c3b48aa
Tags:
cobaltstrike cobalt
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 base64 cobalt cobalt cobaltstrike evasive exploit mimikatz obfuscated obfuscated powershell reflection rozena windows
Link:
https://www.filescan.io/uploads/69413ddf3f8fdbf8e947b2e1/reports/15f35940-703a-4773-bb07-bb8d419b76de/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/0adfe8dab1b4339ffe2f36fadc728ebecf67dbc6077d2b62811ca4f60753ee70
Verdict:
Malicious
File Type:
ps1
First seen:
2025-12-14T15:22:00Z UTC
Last seen:
2025-12-17T12:42:00Z UTC
Hits:
~10
Detections:
Trojan.Win64.Cobalt.sb Trojan.Win32.CobaltStrike.sb Trojan.Win32.CobaltStrike.mz HEUR:Trojan.Script.Generic HEUR:Trojan.PowerShell.Agent.gen
Link:
https://opentip.kaspersky.com/0adfe8dab1b4339ffe2f36fadc728ebecf67dbc6077d2b62811ca4f60753ee70/results?tab=lookup
Score:
97%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/0adfe8dab1b4339ffe2f36fadc728ebecf67dbc6077d2b62811ca4f60753ee70
Verdict:
Malware
YARA:
1 match(es)
Tags:
Base64 Block Contains Base64 Block DeObfuscated PowerShell
Link:
https://app.malva.re/file/cb5a7ef75bda312fe7efecb9fddab236
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0adfe8dab1b4339ffe2f36fadc728ebecf67dbc6077d2b62811ca4f60753ee70/
Verdict:
Malicious
Threat:
Family.COBALTSTRIKE
Link:
https://tip.neiki.dev/file/0adfe8dab1b4339ffe2f36fadc728ebecf67dbc6077d2b62811ca4f60753ee70
Threat name:
Script-PowerShell.Trojan.Rozena
Create hunting rule
Status:
Malicious
First seen:
2025-12-14 06:04:00 UTC
File Type:
Text (PowerShell)
AV detection:
14 of 36 (38.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=blp6rwvrwqzz77rpg35ny4uox3hwpw6ga56swyubdsspmb2t5zya._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
3f26083185d0dc5ed2e4b5c96539458b9689f221eeb04528581f336e2d9958fb
Cobalt Strike
4ce210ed888ef0799aade75a3764c2c4186efc4923be5e9860ccdb3d346a4114
Cobalt Strike
88b89cfbfb1acd45472205f4cca9013ace78f1ef97c0a3007f4604904d32fb73
Cobalt Strike
error
Cobalt Strike
f3b2f1ec49bf6fbd4fe9e28fb28e526da4c7fce85ac95f835d3dc343b872075d
Cobalt Strike
fcf2dfb4bbc60cfcf233616f5b995859d233dc46c108bbce16c49dec186e6416
Cobalt Strike
+ 127 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:100000000 backdoor execution trojan
Link:
https://tria.ge/reports/251216-m89t1sh12c/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: PowerShell
Badlisted process makes network request
Cobaltstrike
Cobaltstrike family
Malware Config
C2 Extraction:
http://43.156.137.45:443/jquery-3.3.1.min.js
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.15
Link:
https://yomi.yoroi.company/submissions/0adfe8dab1b4339ffe2f36fadc728ebecf67dbc6077d2b62811ca4f60753ee70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobaltbaltstrike_Beacon_Encoded
Create hunting rule
Author:Avast Threat Intel Team
Description:Detects CobaltStrike payloads
Reference:https://github.com/avast/ioc
Rule name:SUSP_PowerShell_Base64_Decode
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects PowerShell code to decode Base64 data. This can yield many FP
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Cobalt Strike

PowerShell (PS) ps1 0adfe8dab1b4339ffe2f36fadc728ebecf67dbc6077d2b62811ca4f60753ee70

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3734653/
  
Delivery method
Distributed via web download

Comments