MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cdf4ef384200493d95a03c2b5fac127ce7c47be5313edb7410199184bb0bcb2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cdf4ef384200493d95a03c2b5fac127ce7c47be5313edb7410199184bb0bcb2
SHA3-384 hash: d6d1888ad2edabc1a456219ca457fc29ea13efe8efddddfd9c71382b197f8faa6f94ca73730a30f5dd017c47b6323df3
SHA1 hash: e549b336d6d78d9f6a2ed9839d85ec38b50eb1b0
MD5 hash: 656000dbec18da6f8360e61ffe5114e8
humanhash: eleven-venus-fruit-don
File name:6cdf4ef384200493d95a03c2b5fac127ce7c47be5313edb7410199184bb0bcb2.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:618'496 bytes
First seen:2025-04-17 13:15:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4c10350c30812a28824e884e76a0d283 (1 x CobaltStrike)
ssdeep 12288:BCUjld3y0uEANn/79c0QiLaGMiVeJZXdpzfasA:o4pANnvjMNzfV
TLSH T154D4BE0BEAF207EED12A50BE509E83718A24F4152355F616742CFFE22F478C45A5E7E8
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter zhuzhu0009
Tags:CobaltStrike exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
482
Origin country :
JP JP
Vendor Threat Intelligence
Malware family:
cobaltstrike
Create hunting rule
ID:
1
File name:
6cdf4ef384200493d95a03c2b5fac127ce7c47be5313edb7410199184bb0bcb2
Verdict:
Malicious activity
Analysis date:
2025-04-17 12:43:01 UTC
Tags:
cobaltstrike backdoor loader
Link:
https://app.any.run/tasks/94dec1c8-872a-4abb-9779-0c695e6bbdcb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CobaltStrikeBeacon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/2720/
Detection(s):
Win.Trojan.CobaltStrike-9044898-1
Create hunting rule

Win.Trojan.CobaltStrike-7899871-1
Create hunting rule

Win.Countermeasure.LoaderWinGeneric-9804845-2
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6800f754280f5f89a0d0739b
Tags:
cobaltstrike beacon virus spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Searching for synchronization primitives
Creating a process from a recently created file
Creating a window
Connection attempt
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug cobalt cobaltstrike config-extracted packed packed packer_detected windows
Link:
https://www.filescan.io/uploads/6800fef9e9c1e257979bf8df/reports/2943f5dc-953b-4689-bbfa-eac24790453b/overview
Verdict:
Malicious
Labled as:
Dump:Generic.Beacon.Marte.B
Link:
https://www.hybrid-analysis.com/sample/6cdf4ef384200493d95a03c2b5fac127ce7c47be5313edb7410199184bb0bcb2
Malware family:
Cactus Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/479e1f1e-0fcb-458d-a2a7-716082d83151
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1667555
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1667555 Sample: W4Y0TQlImf.exe Startdate: 17/04/2025 Architecture: WINDOWS Score: 100 32 argumentum.info 2->32 50 Suricata IDS alerts for network traffic 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 6 other signatures 2->56 8 W4Y0TQlImf.exe 4 2->8         started        11 msedge.exe 104 373 2->11         started        signatures3 process4 dnsIp5 30 C:\Users\user\AppData\Local\...\conhost.exe, PE32+ 8->30 dropped 14 conhost.exe 8->14         started        18 msedge.exe 9 8->18         started        34 192.168.2.7, 443, 49672, 49681 unknown unknown 11->34 36 192.168.2.24 unknown unknown 11->36 38 239.255.255.250 unknown Reserved 11->38 20 msedge.exe 11->20         started        22 msedge.exe 11->22         started        24 msedge.exe 11->24         started        26 2 other processes 11->26 file6 process7 dnsIp8 40 65.21.30.235, 443, 49681, 49692 CP-ASDE United States 14->40 42 argumentum.info 104.21.38.177, 443, 49691, 49693 CLOUDFLARENETUS United States 14->42 58 Multi AV Scanner detection for dropped file 14->58 28 msedge.exe 18->28         started        44 74.125.136.132, 443, 49731 GOOGLEUS United States 20->44 46 162.159.61.3, 443, 49707, 49735 CLOUDFLARENETUS United States 20->46 48 9 other IPs or domains 20->48 signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6cdf4ef384200493d95a03c2b5fac127ce7c47be5313edb7410199184bb0bcb2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6cdf4ef384200493d95a03c2b5fac127ce7c47be5313edb7410199184bb0bcb2/
Threat name:
Win64.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2025-04-17 12:43:02 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ntpu544eeacjhwk2apbll6wbe7hhyr56kmj63n2bagmrqs5qxsza._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
error
CobaltStrike
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike backdoor discovery trojan
Link:
https://tria.ge/reports/250417-qhjrpayqw5/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Cobaltstrike
Cobaltstrike family
Malware Config
C2 Extraction:
http://v/*�w��lb�=����Eʓ��e�3��ᐚ+��[%��r�;E/}�#��] ����� �ޙ*8�͔A�n#��ֳH������V��_LZ�J��U�Tmd�&�u��aKJ�iN���;�(2�&�M�o�i�OvW�����9�X�ٌ��pm�"�`��g�Ȁ�NO:1812188882#��] ����� �ޙ*8�͔A�n#��ֳH������V��_LZ�J��U�Tmd�&�u��aKJ�iN���;�(2�&�M�o�i�OvW�����9�X�ٌ��pm�"�`��g�Ȁ�NO
Verdict:
Malicious
Tags:
red_team_tool cobalt_strike Win.Trojan.CobaltStrike-9044898-1
YARA:
Windows_Trojan_CobaltStrike_7f8da98a
Link:
https://app.threat.zone/submission/918976a3-9824-4181-80ad-b0832e88ca3a
Unpacked files
SH256 hash:
6cdf4ef384200493d95a03c2b5fac127ce7c47be5313edb7410199184bb0bcb2
MD5 hash:
656000dbec18da6f8360e61ffe5114e8
SHA1 hash:
e549b336d6d78d9f6a2ed9839d85ec38b50eb1b0
Link:
https://www.unpac.me/results/6abe79c7-ab29-4ca6-854e-c6caf11bd0cb/
SH256 hash:
9c1fec7878b13aa0e50f4a6a4bcbe03d024d2ae288f65037bb45bdb51425d02e
MD5 hash:
48e8ec1d7a0fca33d96fe6fb0b422c3a
SHA1 hash:
618e5edcf74def79964d8f143b540272ec2bc3a5
Detections:
win_cobaltstrike_pipe_strings_nov_2023
Create hunting rule
Link:
https://www.unpac.me/results/6abe79c7-ab29-4ca6-854e-c6caf11bd0cb/
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6cdf4ef38420/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_CobaltStrike_7f8da98a
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/94dec1c8-872a-4abb-9779-0c695e6bbdcb
Cape
Cape
https://www.capesandbox.com/analysis/2720/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW

Comments