MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e1945f75e150219770e0e9537fc7674ebeb80a1c207982488c8d1d9e9334607. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e1945f75e150219770e0e9537fc7674ebeb80a1c207982488c8d1d9e9334607
SHA3-384 hash: e11effb5fccba93482886c40caa06e10c3693c7e5477ea9c97024fcaf1d824c4b6615a84fde3ba8073f6de89dc1d96f1
SHA1 hash: f6d0a1b6342187e0cc1490b89741acb792ad45b4
MD5 hash: 5b21ea0b6384fe9660b6c41c0684e65b
humanhash: orange-comet-hamper-stairway
File name:3.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:324'096 bytes
First seen:2024-12-13 07:45:34 UTC
Last seen:2025-07-15 07:59:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f6243a15fa8eee8ee96b5e1144d461f6 (19 x CobaltStrike, 1 x Metasploit, 1 x Cobalt Strike)
ssdeep 6144:f3RDUTHQ+SKJr6VQHlpk72u5wxaR6qp+HR6LZY:eHKKJr6OHlC2u5Iahp0R6LZY
Threatray 138 similar samples on MalwareBazaar
TLSH T17164CF5A88C34F83C67A63F031C7E34475A76674B8943FA5CA51A02CF1A1FC95BAD21B
TrID 32.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
20.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Joker
Tags:CobaltStrike exe malware

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
101.37.34.164:47535 https://threatfox.abuse.ch/ioc/1353611/

Intelligence

File Origin
# of uploads :
3
# of downloads :
469
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
meterpreter
Create hunting rule
ID:
1
File name:
3.exe
Verdict:
Malicious activity
Analysis date:
2024-12-13 08:08:54 UTC
Tags:
meterpreter backdoor cobaltstrike
Link:
https://app.any.run/tasks/f3643336-a9dc-4878-acda-84eb0fd64030

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Countermeasure.LoaderWinGeneric-9804845-2
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=675be79589dbe216234f9d68
Tags:
cobaltstrike cobalt dridex emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug cobalt cobaltstrike config-extracted windows
Link:
https://www.filescan.io/uploads/675be63cdcb1ffa21ae88d5f/reports/0b58bbc3-108f-47d0-b99d-927675a7acd6/overview
Verdict:
Malicious
Labled as:
Dump:Generic.ShellCode.Marte.2
Link:
https://www.hybrid-analysis.com/sample/5e1945f75e150219770e0e9537fc7674ebeb80a1c207982488c8d1d9e9334607
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Cobalt Strike
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/12b932fd-df13-49a9-bec2-2e68b2fd73af
Result
Threat name:
CobaltStrike, ReflectiveLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1574340
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CobaltStrike
Yara detected Powershell download and execute
Yara detected ReflectiveLoader
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5e1945f75e150219770e0e9537fc7674ebeb80a1c207982488c8d1d9e9334607
Detection:
cobaltstrike
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5e1945f75e150219770e0e9537fc7674ebeb80a1c207982488c8d1d9e9334607/
Threat name:
Win32.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2024-12-09 06:02:51 UTC
File Type:
PE (Exe)
AV detection:
35 of 38 (92.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lymul526cubbs5yob2ktp7dwotv6xafbyidzqjeizdi5t2jtiydq._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
metasploit
Create hunting rule
Similar samples:
16fbf35ccfa2ba2d6954c266d18f7b62a8ccc72d83a8a79c3ad810ea68e4aa93
CobaltStrike
5e1945f75e150219770e0e9537fc7674ebeb80a1c207982488c8d1d9e9334607
CobaltStrike
b151876e8b4405344dcbf1c7738be9f93f2cf2cc0cde9ba18d73fa443f460ecd
CobaltStrike
b1ca829cc4b862f66977df476736c624666df294318fd781c41d1d256208cc63
CobaltStrike
error
CobaltStrike
+ 128 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/241213-jly78asmgs/
Behaviour
System Location Discovery: System Language Discovery
Verdict:
Malicious
Tags:
red_team_tool cobalt_strike c2 Win.Countermeasure.LoaderWinGeneric-9804845-2
YARA:
win_cobaltstrike_pipe_strings_nov_2023 Windows_Trojan_CobaltStrike_1787eef5 Windows_Trojan_CobaltStrike_7f8da98a
Link:
https://app.threat.zone/submission/a786f64c-4f56-4907-8ba2-889d7887d512
Unpacked files
SH256 hash:
7de5374de7db255a85fb2127c01d8cd396bca5ce23a2e062744dfb0cdb10fd48
MD5 hash:
f1d4d395192343eea760418297667c13
SHA1 hash:
e5578f4011c0018f41c259b9f7a074dcfd0970b2
Detections:
cobaltstrike_xor_config
Create hunting rule
win_samsam_auto
Create hunting rule
win_cobalt_strike_auto
Create hunting rule
CS_beacon
Create hunting rule
HKTL_Win_CobaltStrike
Create hunting rule
INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
ReflectiveLoader
Create hunting rule
HKTL_Meterpreter_inMemory
Create hunting rule
Malware_QA_vqgk
Create hunting rule
WiltedTulip_ReflectiveLoader
Create hunting rule
CobaltStrike_Sleeve_BeaconLoader_x86_o_v4_3_v4_4_v4_5_and_v4_6
Create hunting rule
Leviathan_CobaltStrike_Sample_1
Create hunting rule
Beacon_K5om
Create hunting rule
PowerShell_Susp_Parameter_Combo
Create hunting rule
CobaltStrike_C2_Encoded_XOR_Config_Indicator
Create hunting rule
CobaltStrike_Sleeve_BeaconLoader_x86_o_v4_3_v4_4_v4_5_and_v4_6
Create hunting rule
HKTL_CobaltStrike_Beacon_Strings
Create hunting rule
hacktool_windows_cobaltstrike_beacon
Create hunting rule
MALWARE_Win_CobaltStrike
Create hunting rule
CobaltStrike_Unmodifed_Beacon
Create hunting rule
Link:
https://www.unpac.me/results/df507772-d12c-4cb6-a0d9-b601dce6101d/
SH256 hash:
5e1945f75e150219770e0e9537fc7674ebeb80a1c207982488c8d1d9e9334607
MD5 hash:
5b21ea0b6384fe9660b6c41c0684e65b
SHA1 hash:
f6d0a1b6342187e0cc1490b89741acb792ad45b4
Link:
https://www.unpac.me/results/df507772-d12c-4cb6-a0d9-b601dce6101d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e1945f75e150219770e0e9537fc7674ebeb80a1c207982488c8d1d9e9334607

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Windows_Trojan_CobaltStrike_1787eef5
Create hunting rule
Author:Elastic Security
Description:CS shellcode variants
Rule name:Windows_Trojan_CobaltStrike_7f8da98a
Create hunting rule
Author:Elastic Security
Rule name:win_cobaltstrike_pipe_strings_nov_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects default strings related to cobalt strike named pipes

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe 5e1945f75e150219770e0e9537fc7674ebeb80a1c207982488c8d1d9e9334607

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3347429/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::GetStartupInfoA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA

Comments