MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7142ab4c2a50a9c423200ac493fc32f5e2939a60028f84e75ef7661264c117eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Cobalt Strike

Vendor detections: 19

Intelligence 19 IOCs YARA 20 File information Comments

SHA256 hash:	7142ab4c2a50a9c423200ac493fc32f5e2939a60028f84e75ef7661264c117eb
SHA3-384 hash:	96b3b04b774bf09d17ec06f9b56f672a6ce71aaa89aeb8a2d6696d5f70db72629fad7e0a5b5298846972d951eebc51cc
SHA1 hash:	c0ea305b8d15d4ab411f705ff8eef4ceeec00fa4
MD5 hash:	c60670659e8f7cb0241221b2dccc74a9
humanhash:	seventeen-ink-ink-mars
File name:	a.exe
Download:	download sample
Signature	Cobalt Strike Create hunting rule
File size:	17'920 bytes
First seen:	2025-08-08 08:06:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	17b461a082950fc6332228572138b80c (121 x CobaltStrike, 2 x Cobalt Strike)
ssdeep	192:WDMAe4Ckj19RZZ6wpSfu1bKcq5uHj7khBDSeKNH4gifyYBPrtBUbOj6kxiY:WDMAoKz6WtKEj7aBDiUrtbAY
Threatray	186 similar samples on MalwareBazaar
TLSH	T1A3821B7EB64224E9C12BD17CC9EA6772A8F27021416B271F2FB8C7302F21978463D909
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10522/11/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Joker
Tags:	Cobalt Strike CobaltStrike exe

Intelligence

File Origin

# of uploads :

# of downloads :

828

Origin country :

Vendor Threat Intelligence

Malware family:

cobaltstrike

ID:

File name:

_7142ab4c2a50a9c423200ac493fc32f5e2939a60028f84e75ef7661264c117eb.exe

Verdict:

Malicious activity

Analysis date:

2025-08-08 08:13:46 UTC

Tags:

cobaltstrike backdoor xor-url generic

Link:

https://app.any.run/tasks/dfe29e3d-88d4-41e5-8ce8-afb7df470474

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CobaltStrikeStager

Link:

https://www.capesandbox.com/analysis/19620/

Detection(s):

Win.Trojan.CobaltStrike-9044898-1

Win.Trojan.CobaltStrike-7899871-1

Win.Countermeasure.LoaderWinGeneric-9804845-2

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6895b05111d7f9b979e67a46

Tags:

cobaltstrike cobalt spam

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug cobalt cobaltstrike config-extracted mingw packed windows

Link:

https://www.filescan.io/uploads/6895b04d9ef4d2ff7cf223e3/reports/c017c3ca-6cad-4af7-a85e-2a2d19c0711d/overview

Verdict:

Malicious

Labled as:

Trojan.CobaltStrike

Link:

https://www.hybrid-analysis.com/sample/7142ab4c2a50a9c423200ac493fc32f5e2939a60028f84e75ef7661264c117eb

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/e27db20c-03a5-463e-8493-352477c0fe37

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7142ab4c2a50a9c423200ac493fc32f5e2939a60028f84e75ef7661264c117eb

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) Win 64 Exe x64

Link:

https://app.malva.re/file/c60670659e8f7cb0241221b2dccc74a9

Detection:

cobaltstrike

Link:

https://mwdb.cert.pl/sample/7142ab4c2a50a9c423200ac493fc32f5e2939a60028f84e75ef7661264c117eb/

Verdict:

Malicious

Threat:

Family.COBALTSTRIKE

Link:

https://tip.neiki.dev/file/7142ab4c2a50a9c423200ac493fc32f5e2939a60028f84e75ef7661264c117eb

Threat name:

Win64.Backdoor.Cobeacon

Status:

Malicious

First seen:

2025-08-08 08:07:41 UTC

File Type:

PE+ (Exe)

AV detection:

35 of 38 (92.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ofbkwtbkkcu4iizablcjh7bs6xrjhgtaakhyjz2665tbezgbc7vq._file

Verdict:

malicious

Label(s):

cobaltstrike

metasploit

Cobalt Strike

26b2f12906c3590c8272b80358867944fd86b9f2cc21ee6f76f023db812e5bb1

Cobalt Strike

4545af0a8eb4fd527810e8edd444bc18f256a98ea90a9e4c0940c06fece8ac58

Cobalt Strike

9a7d2b2c96ee9b7b0ddc1665988d935a719f04cdb2b2dd331ec36aa4f6597506

Cobalt Strike

ccf758b328692428403abce7c1d6126eb546e6a42649fa8efff3c625a262534b

Cobalt Strike

d11d6fc860b3fc30b19004831fd789103eb27aa0b63c73cc5a37050169e37ed0

Cobalt Strike

error

Cobalt Strike

f2093c8228896204c3403526c88ff3ddb4d9c7369a043ebb0b1a69b44ce63cd2

Cobalt Strike

+ 176 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:100000 backdoor trojan

Link:

https://tria.ge/reports/250808-j1as6sdl5s/

Behaviour

Cobaltstrike

Cobaltstrike family

Malware Config

C2 Extraction:

http://cs.xfdaili.com:443/jquery-3.3.2.slim.min.js
http://cs.xfdaili.com:443/jquery-3.3.1.min.js

Verdict:

Malicious

Tags:

red_team_tool cobalt_strike Win.Trojan.CobaltStrike-9044898-1 Cobalt_Strike

YARA:

hacktool_windows_cobaltstrike_artifact_exe CobaltStrike_Resources_Artifact64_v3_14_to_v4_x win_cobaltstrike_pipe_strings_nov_2023 Windows_Trojan_CobaltStrike_7f8da98a HKTL_Imphashes_Aug22_1

Link:

https://app.threat.zone/submission/84cdca72-7a22-4986-869c-29222f2d8422

Unpacked files

SH256 hash:

7142ab4c2a50a9c423200ac493fc32f5e2939a60028f84e75ef7661264c117eb

MD5 hash:

c60670659e8f7cb0241221b2dccc74a9

SHA1 hash:

c0ea305b8d15d4ab411f705ff8eef4ceeec00fa4

Link:

https://www.unpac.me/results/17ecf921-44eb-409b-850a-19a1b8ff707e/

Malware family:

CobaltStrike

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7142ab4c2a50/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7142ab4c2a50a9c423200ac493fc32f5e2939a60028f84e75ef7661264c117eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CobaltStrikeBeacon Create hunting rule
Author:	ditekshen, enzo & Elastic
Description:	Cobalt Strike Beacon Payload

Rule name:	CobaltStrike_C2_Encoded_XOR_Config_Indicator Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects CobaltStrike C2 encoded profile configuration

Rule name:	CobaltStrike_MZ_Launcher Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects CobaltStrike MZ header ReflectiveLoader launcher

Rule name:	CobaltStrike_Resources_Artifact64_v3_14_to_v4_x Create hunting rule
Author:	gssincla@google.com
Description:	Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x
Reference:	https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse

Rule name:	CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6 Create hunting rule
Author:	gssincla@google.com
Description:	Cobalt Strike's sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6
Reference:	https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse

Rule name:	CobaltStrike__Resources_Artifact64_v3_14_to_v4_x Create hunting rule
Author:	gssincla@google.com

Rule name:	CobaltStrike__Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6 Create hunting rule
Author:	gssincla@google.com

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	HKTL_CobaltStrike_Beacon_Strings Create hunting rule
Author:	Elastic
Description:	Identifies strings used in Cobalt Strike Beacon DLL
Reference:	https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures

Rule name:	HKTL_Imphashes_Aug22_1 Create hunting rule
Author:	Florian Roth
Description:	Detects different hacktools based on their imphash
Reference:	Internal Research

Rule name:	HKTL_Win_CobaltStrike Create hunting rule
Author:	threatintel@volexity.com
Description:	The CobaltStrike malware family.
Reference:	https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	SUSP_XORed_Mozilla_Oct19 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:	https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	Windows_Trojan_CobaltStrike_1787eef5 Create hunting rule
Author:	Elastic Security
Description:	CS shellcode variants

Rule name:	Windows_Trojan_CobaltStrike_3dc22d14 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_CobaltStrike_7f8da98a Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_CobaltStrike_f0b627fc Create hunting rule
Description:	Rule for beacon reflective loader

Rule name:	win_cobaltstrike_pipe_strings_nov_2023 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects default strings related to cobalt strike named pipes

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Cobalt Strike

exe 7142ab4c2a50a9c423200ac493fc32f5e2939a60028f84e75ef7661264c117eb

(this sample)

Cape

https://www.capesandbox.com/analysis/19620/

URLhaus

https://urlhaus.abuse.ch/url/3599149/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetStartupInfoA
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample