MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5175b1720fe3bc568f7857b72b960260ad3982f41366ce3372c04424396df6fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 13


Intelligence 13 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5175b1720fe3bc568f7857b72b960260ad3982f41366ce3372c04424396df6fe
SHA3-384 hash: af6362d9650a55cd3487e3bfdcc38776d18cc529fd15ee6aeb110ab11b8fe31f025dff946521f725d966573d858e8fb4
SHA1 hash: 1363a0f9381ae791ca3e5483949759367e5015da
MD5 hash: dcd660f26aceb67e48e1096a8a209f70
humanhash: triple-six-jig-missouri
File name:msedgeupdate.dll
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:531'856 bytes
First seen:2026-02-06 23:01:00 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 7c65649150f0bc99d03a9629f9f3ea1c (1 x CobaltStrike)
ssdeep 12288:r2RAvIIfLenn2Ai1+R/jhk6F5ZgDcRch9pUsFz:xfLCn2Ai1+R/jhkMZgoROUU
Threatray 605 similar samples on MalwareBazaar
TLSH T1AEB46DF1BA00FCD1F56F0A76CA75B8691232A623D9D79D8E40647B820B73711FE17846
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter smica83
Tags:CobaltStrike dll TGR-STA-1030

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Detection:
CobaltStrikeBeacon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/52547/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698672be3cadc639ed8418d6
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cobaltstrike expired-cert invalid-signature microsoft_visual_cc signed
Link:
https://www.filescan.io/uploads/698672bd930564ff3c905602/reports/61f57c24-3a22-4b70-8583-9d5c25578184/overview
Verdict:
Malicious
Labled as:
Fragtor.Generic
Link:
https://www.hybrid-analysis.com/sample/5175b1720fe3bc568f7857b72b960260ad3982f41366ce3372c04424396df6fe
Verdict:
Malicious
File Type:
dll x32
Detections:
PDM:Exploit.Win32.Generic Trojan.Win64.Shlem.sb Trojan.Win64.Shelm.sb Trojan.Win32.CobaltStrike.sb Trojan.Win32.CobaltStrike.mz PDM:Trojan.Win32.Generic Trojan.Win64.Cobalt.sb HEUR:Trojan.Win32.Generic Trojan.Win32.CobaltStrike.ifv Trojan.Cobalt.HTTP.C&C
Link:
https://opentip.kaspersky.com/5175b1720fe3bc568f7857b72b960260ad3982f41366ce3372c04424396df6fe/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/25add216-c28f-4075-95b8-e01fcabd3e17
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1865058
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1865058 Sample: msedgeupdate.dll Startdate: 07/02/2026 Architecture: WINDOWS Score: 100 22 www.emezonhe.me 2->22 26 Suricata IDS alerts for network traffic 2->26 28 Found malware configuration 2->28 30 Malicious sample detected (through community Yara rule) 2->30 32 5 other signatures 2->32 8 loaddll32.exe 1 2->8         started        signatures3 process4 process5 10 rundll32.exe 12 8->10         started        13 rundll32.exe 12 8->13         started        16 cmd.exe 1 8->16         started        18 conhost.exe 8->18         started        dnsIp6 34 System process connects to network (likely due to code injection or exploit) 10->34 24 www.emezonhe.me 172.239.57.117, 443, 49715, 49716 AKAMAI-ASN1EU United States 13->24 20 rundll32.exe 12 16->20         started        signatures7 process8
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5175b1720fe3bc568f7857b72b960260ad3982f41366ce3372c04424396df6fe
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/dcd660f26aceb67e48e1096a8a209f70
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5175b1720fe3bc568f7857b72b960260ad3982f41366ce3372c04424396df6fe/
Verdict:
Malicious
Threat:
Family.COBALTSTRIKE
Link:
https://tip.neiki.dev/file/5175b1720fe3bc568f7857b72b960260ad3982f41366ce3372c04424396df6fe
Threat name:
Win32.Trojan.CobaltStrike
Create hunting rule
Status:
Suspicious
First seen:
2025-01-21 11:26:37 UTC
File Type:
PE (Dll)
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kf23c4qp4o6fnd3yk63sxfqcmcwttaxucntm4m3sybccioln637a._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
metasploit
Create hunting rule
Similar samples:
12e1f50d7c9cf546c90545588bc369fa90e03f2370883e7befd87e4d50ebf0df
CobaltStrike
14788f73dba475c014573f9502a8a212c69442ce0ccee6a386607f618a7c71d7
CobaltStrike
7803d96a4a965ba34fbfd475ee374820273b5acc88476115c1555774981e307a
CobaltStrike
86beafb8bad31a5d1eebe2a5cda045f9e72f71d848b6e1f53920d9ee93cdcd59
CobaltStrike
c401c57365e57f1bc8d84f3e42685792b6fa6f55e91bbfdca1b170b64299efbe
CobaltStrike
dc460f03652eb64c6aeb07a3684780dda19d55dc7e80cc470b61eb2d22b4772c
CobaltStrike
+ 595 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:100000000 backdoor discovery trojan
Link:
https://tria.ge/reports/260206-2znbzsfy4d/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Badlisted process makes network request
Cobaltstrike
Cobaltstrike family
Malware Config
C2 Extraction:
http://www.emezonhe.me:443/jquery-3.3.1.min.js
Unpacked files
SH256 hash:
5175b1720fe3bc568f7857b72b960260ad3982f41366ce3372c04424396df6fe
MD5 hash:
dcd660f26aceb67e48e1096a8a209f70
SHA1 hash:
1363a0f9381ae791ca3e5483949759367e5015da
Link:
https://www.unpac.me/results/9fc8007f-f127-4c8a-ad86-be12bfd5dba2/
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5175b1720fe3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/5175b1720fe3bc568f7857b72b960260ad3982f41366ce3372c04424396df6fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CobaltStrikeBeacon
Create hunting rule
Author:ditekshen, enzo & Elastic
Description:Cobalt Strike Beacon Payload
Rule name:CobaltStrike_C2_Encoded_XOR_Config_Indicator
Create hunting rule
Author:yara@s3c.za.net
Description:Detects CobaltStrike C2 encoded profile configuration
Rule name:CobaltStrike_Sleeve_BeaconLoader_VA_x86_o_v4_3_v4_4_v4_5_and_v4_6
Create hunting rule
Author:gssincla@google.com
Description:Cobalt Strike's sleeve/BeaconLoader.VA.x86.o (VirtualAlloc) Versions 4.3 through at least 4.6
Reference:https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse
Rule name:CobaltStrike__Sleeve_BeaconLoader_VA_x86_o_v4_3_v4_4_v4_5_and_v4_6
Create hunting rule
Author:gssincla@google.com
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HKTL_CobaltStrike_Beacon_Strings
Create hunting rule
Author:Elastic
Description:Identifies strings used in Cobalt Strike Beacon DLL
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:HKTL_Win_CobaltStrike
Create hunting rule
Author:threatintel@volexity.com
Description:The CobaltStrike malware family.
Reference:https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Trojan_Raw_Generic_4
Create hunting rule
Author:FireEye
Reference:https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html
Rule name:Windows_Trojan_CobaltStrike_3dc22d14
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_CobaltStrike_f0b627fc
Create hunting rule
Description:Rule for beacon reflective loader
Rule name:Windows_Trojan_Metasploit_7bc0f998
Create hunting rule
Description:Identifies the API address lookup function leverage by metasploit shellcode
Rule name:Windows_Trojan_Metasploit_c9773203
Create hunting rule
Description:Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Reference:https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/52547/

Comments