MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f01278cc0739926b6efea6b9d129f1667e7aeee22cc005608bc00bd3e65a064. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Cobalt Strike

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	2f01278cc0739926b6efea6b9d129f1667e7aeee22cc005608bc00bd3e65a064
SHA3-384 hash:	ce7f6af6f2dd07991e9dc59cd7a6affe19532acb70c13dec3be819740ed9d88437515476f618ce17266f1336014bd58c
SHA1 hash:	83956d377d262cd4efe83f3b46e26a1cf4c66815
MD5 hash:	d23d98ee010423dc1f68b42003b26e6d
humanhash:	michigan-thirteen-leopard-music
File name:	officefonts.dll
Download:	download sample
Signature	Cobalt Strike Create hunting rule
File size:	9'216 bytes
First seen:	2026-05-16 17:59:15 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	57d6e7112c8e716cfe2eb0ff9f36763c (16 x Meterpreter, 2 x CobaltStrike, 2 x Cobalt Strike)
ssdeep	48:qkuUG3zUqG7aNJ4dXphlhEFAJIDuMsCOagVL92tHbOE:LXMEBvr
TLSH	T1DC12D779B27508F7D03607FA86038589B37CBB24036D428B8B4378693D84ACB7A31993
TrID	21.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 21.2% (.EXE) Win64 Executable (generic) (6522/11/2) 16.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 14.6% (.EXE) Win32 Executable (generic) (4504/4/1) 6.6% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	smica83
Tags:	Cobalt Strike dll microwaved-info

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/5ce1192f-c828-41a0-a957-4c54c760cba7/

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/66139/

Detection(s):

SecuriteInfo.com.Trojan.Inject6.38991.11059.9712.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a08b087953bbcef1c90c0c7

Tags:

dorv mint

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin microsoft_visual_cc rundll32

Link:

https://www.filescan.io/uploads/6a08b07dc9d535126e00b2d3/reports/fe5c53b3-66c9-44a4-998a-0fc2ac85df9f/overview

Verdict:

Malicious

Labled as:

Mint.Zard.Generic

Link:

https://www.hybrid-analysis.com/sample/2f01278cc0739926b6efea6b9d129f1667e7aeee22cc005608bc00bd3e65a064

Verdict:

Malicious

File Type:

dll x32

First seen:

2026-05-14T05:38:00Z UTC

Last seen:

2026-05-17T18:22:00Z UTC

Hits:

~100

Detections:

HEUR:Backdoor.Win64.Mtrprtr.a Trojan.Win32.Inject.sb HackTool.Metasploit.HTTP.C&C

Link:

https://opentip.kaspersky.com/2f01278cc0739926b6efea6b9d129f1667e7aeee22cc005608bc00bd3e65a064/results?tab=lookup

Malware family:

Swrort

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8fba1a8e-b64d-42a6-901d-986ec37f6910

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1914425

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to inject code into remote processes

Multi AV Scanner detection for submitted file

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Rundll32 Execution Without Parameters

System process connects to network (likely due to code injection or exploit)

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2f01278cc0739926b6efea6b9d129f1667e7aeee22cc005608bc00bd3e65a064

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2f01278cc0739926b6efea6b9d129f1667e7aeee22cc005608bc00bd3e65a064/

Verdict:

Malicious

Threat:

Family.METASPLOIT

Link:

https://tip.neiki.dev/file/2f01278cc0739926b6efea6b9d129f1667e7aeee22cc005608bc00bd3e65a064

Threat name:

Win32.Backdoor.Meterpreter

Status:

Malicious

First seen:

2026-05-14 10:13:24 UTC

File Type:

PE (Dll)

AV detection:

29 of 36 (80.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=f4aspdgaoomsnnxp5jvz2eu7czt6plxoelgaavqixqal2ptfubsa._file

Verdict:

malicious

Label(s):

cobaltstrike

metasploit

meterpreter

Similar samples:

error

Cobalt Strike

Gathering data

Unpacked files

SH256 hash:

2f01278cc0739926b6efea6b9d129f1667e7aeee22cc005608bc00bd3e65a064

MD5 hash:

d23d98ee010423dc1f68b42003b26e6d

SHA1 hash:

83956d377d262cd4efe83f3b46e26a1cf4c66815

Link:

https://www.unpac.me/results/710dbd38-1a1f-4c2b-a0fe-149c962499c4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.96

Link:

https://yomi.yoroi.company/submissions/2f01278cc0739926b6efea6b9d129f1667e7aeee22cc005608bc00bd3e65a064

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.