MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b9778ed8559d714a26fc42c12a297658c8441ee790377944caa7d2d2eee06a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 19

Intelligence 19 IOCs YARA 15 File information Comments

SHA256 hash:	7b9778ed8559d714a26fc42c12a297658c8441ee790377944caa7d2d2eee06a1
SHA3-384 hash:	2371556159e41f80be4d339f911db747fcc5ddc76fad907505b324a5d3fbbe4946f1680f9eb3c8538dd53685bf52ba81
SHA1 hash:	4d0edc94337076c1d6e3d16a5b6e39da17cabb13
MD5 hash:	b530d5d4f86533f71c33c1e7a49abf20
humanhash:	iowa-island-emma-speaker
File name:	7b9778ed8559d714a26fc42c12a297658c8441ee790377944caa7d2d2eee06a1.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	901'632 bytes
First seen:	2026-03-18 09:03:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bcb6279034d7e809dbdb9a832073e963 (1 x CobaltStrike)
ssdeep	6144:bpK/NNyWLrz/WXoAPrmwt7WwsNrN01WWm+EhycZhKqjo1WHUHkNrjxS+ZCKfXT:9gNNymH+X3NK01fmdysFSjHYr5k
Threatray	73 similar samples on MalwareBazaar
TLSH	T19B158DE0A69476DAC1BB9D3CC5867714D57170155320DBCB10AC42AE6E2FAE82E3B7F0
TrID	37.0% (.EXE) Win64 Executable (generic) (6522/11/2) 28.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 11.5% (.EXE) OS/2 Executable (generic) (2029/13) 11.3% (.EXE) Generic Win/DOS Executable (2002/3) 11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika	pebin
Reporter	abuse_ch
Tags:	CobaltStrike exe

Intelligence

File Origin

# of uploads :

# of downloads :

132

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

cobaltstrike

ID:

File name:

7b9778ed8559d714a26fc42c12a297658c8441ee790377944caa7d2d2eee06a1.exe

Verdict:

Malicious activity

Analysis date:

2026-03-18 07:44:23 UTC

Tags:

cobaltstrike

Link:

https://app.any.run/tasks/01a0e8fd-3c47-420c-b5e8-724416dea543

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CobaltStrikeBeacon

Link:

https://www.capesandbox.com/analysis/57907/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69ba57d793b644ca466b36d0

Tags:

cobaltstrike ransomware obfuscated virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Connection attempt

Sending a custom TCP request

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug cobalt cobalt cobaltstrike explorer fingerprint krypt lolbin microsoft_visual_cc obfuscated packed payload

Link:

https://www.filescan.io/uploads/69ba6a90493cb7d62d03e86a/reports/a9071194-7804-48f5-95d6-20bb20ca1686/overview

Verdict:

Malicious

Labled as:

Dump:Generic.Cobaltstrike.Marte.B

Link:

https://www.hybrid-analysis.com/sample/7b9778ed8559d714a26fc42c12a297658c8441ee790377944caa7d2d2eee06a1

Result

Gathering data

Verdict:

Malicious

File Type:

exe x64

Detections:

Trojan.Win32.Inject.sb Trojan.Win32.CobaltStrike.sb Trojan.Win32.CobaltStrike.mz HEUR:Trojan.Win32.CobaltStrike.gen Trojan.CobaltStrike.HTTP.C&C Trojan.Cobalt.HTTP.C&C Trojan.Win64.Cobalt.sb

Link:

https://opentip.kaspersky.com/7b9778ed8559d714a26fc42c12a297658c8441ee790377944caa7d2d2eee06a1/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/d3de1027-bf53-4f4d-8108-ae901bf44393

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1885443

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject code into remote processes

Found malware configuration

Injects code into the Windows Explorer (explorer.exe)

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Sets debug register (to hijack the execution of another thread)

System process connects to network (likely due to code injection or exploit)

Writes to foreign memory regions

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7b9778ed8559d714a26fc42c12a297658c8441ee790377944caa7d2d2eee06a1

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7b9778ed8559d714a26fc42c12a297658c8441ee790377944caa7d2d2eee06a1/

Verdict:

Malicious

Threat:

Family.COBALTSTRIKE

Link:

https://tip.neiki.dev/file/7b9778ed8559d714a26fc42c12a297658c8441ee790377944caa7d2d2eee06a1

Threat name:

Win64.Trojan.CobaltstrikeMarte

Status:

Malicious

First seen:

2026-03-18 07:44:29 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

17 of 36 (47.22%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=polxr3mflhlrjitpyqwbfiuxmwgiiqpopebxpfcmvj6s2lxoa2qq._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

46196f889bde8f7d74dab2eda145215ac33eb4451aab8705d71bd6ea3c20988c

CobaltStrike

5bcef00c270c39cbe34fab65226ca6e442e99dc4e0d42e6a5c1039c105ffa95f

CobaltStrike

64db468d9c3d860ef9f014b1b7020a1089249eb169220cc3bd3018f232b992aa

CobaltStrike

b640c53e2c02f08aa8ca3db62c628abcaa1694ffec33a59d69d88f5e2d1552aa

CobaltStrike

fcf2dfb4bbc60cfcf233616f5b995859d233dc46c108bbce16c49dec186e6416

CobaltStrike

+ 63 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:100000000 backdoor trojan

Link:

https://tria.ge/reports/260318-k1qp3acs9n/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Cobaltstrike

Cobaltstrike family

Malware Config

C2 Extraction:

http://85.121.148.88:42871/kunkun/jquery-3.3.1.min.js

Unpacked files

SH256 hash:

7b9778ed8559d714a26fc42c12a297658c8441ee790377944caa7d2d2eee06a1

MD5 hash:

b530d5d4f86533f71c33c1e7a49abf20

SHA1 hash:

4d0edc94337076c1d6e3d16a5b6e39da17cabb13

Detections:

cobaltstrike_xor_config

Link:

https://www.unpac.me/results/71c1f807-fc64-452b-861d-05e94663c5f1/

Malware family:

CobaltStrike

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7b9778ed8559/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7b9778ed8559d714a26fc42c12a297658c8441ee790377944caa7d2d2eee06a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CobaltStrikeBeacon Create hunting rule
Author:	ditekshen, enzo & Elastic
Description:	Cobalt Strike Beacon Payload

Rule name:	CobaltStrike_C2_Encoded_XOR_Config_Indicator Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects CobaltStrike C2 encoded profile configuration

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	HKTL_CobaltStrike_Beacon_XOR_Strings Create hunting rule
Author:	Elastic
Description:	Identifies XOR'd strings used in Cobalt Strike Beacon DLL
Reference:	https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures

Rule name:	Linux_Trojan_Generic_5e3bc3b3 Create hunting rule
Author:	Elastic Security
Description:	Rule for custom Trojan found in Linux REF6138.

Rule name:	SUSP_XORed_Mozilla_Oct19 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:	https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/57907/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample