MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bea27ed2fe4e48eebf79f045b50ab89be138596620155c3f47a75bf1b99ab824. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Cobalt Strike


Vendor detections: 13


Intelligence 13 IOCs YARA 28 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bea27ed2fe4e48eebf79f045b50ab89be138596620155c3f47a75bf1b99ab824
SHA3-384 hash: 6d522c3611dd43ce8b33c6f61cf456aaaf9e03cbbab446da5d95e13b5f978f7347b4ab3755eae9a8b58ee6788f06eb5d
SHA1 hash: 2e20c8878c2be89ad453ca8c1c9ef2c6e4778686
MD5 hash: cbbef1e038d1b7826c464d33a4e9b104
humanhash: oranges-violet-pizza-william
File name:北京地铁运营公司-基于自主定位和自主感知的信号备用系统研究项目举报函.exe
Download: download sample
Signature Cobalt Strike
Create hunting rule
File size:2'864'640 bytes
First seen:2025-12-22 09:39:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c2d457ad8ac36fc9f18d45bffcd450c2 (24 x CobaltStrike, 8 x Sliver, 5 x Lazarus)
ssdeep 49152:W6/DXW4G1gKry+8XoUjXBX4OJqM8a40lB/dtwqS1H2t:9Dm8lXHea40lftb8
Threatray 98 similar samples on MalwareBazaar
TLSH T12ED59E4BBCE054A9D4AA533289B262927B75BC440F3233D72E90B37C2F76BC15A39754
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 60e0d48284c4e0cc (1 x CobaltStrike, 1 x Cobalt Strike)
Reporter Ling
Tags:Cobalt Strike CobaltstrikeBeacon exe Trojan:Win64/CobaltStrikeBeacon!rfn


Avatar
CNGaoLing
This sample has been reviewed by Microsoft researchers and determined to be malware. (Trojan:Win64/CobaltStrikeBeacon!rfn)

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
ea07b91e-f17e-4edb-b467-14c2319fa937
Verdict:
No threats detected
Analysis date:
2025-12-22 09:42:21 UTC
Tags:
golang
Link:
https://app.any.run/tasks/ea07b91e-f17e-4edb-b467-14c2319fa937

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/45709/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6949120fa6c88bb4cc2370d6
Tags:
dridex
Result
Verdict:
Clean
Maliciousness:

Behaviour
Connection attempt
DNS request
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/bea27ed2fe4e48eebf79f045b50ab89be138596620155c3f47a75bf1b99ab824
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-12-21T14:01:00Z UTC
Last seen:
2025-12-22T08:57:00Z UTC
Hits:
~100
Detections:
Backdoor.Cobalt.HTTP.C&C Trojan.Win64.Cobalt.sb Trojan.Win64.Agent.sb Trojan.Win32.CobaltStrike.sb Trojan.Win32.CobaltStrike.mz Trojan.Win32.CobaltStrike.mmj Trojan.Win32.Agent.sb BSS:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/bea27ed2fe4e48eebf79f045b50ab89be138596620155c3f47a75bf1b99ab824/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3ce7feae-2f44-48a2-be01-7b6d59da726b
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bea27ed2fe4e48eebf79f045b50ab89be138596620155c3f47a75bf1b99ab824
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/cbbef1e038d1b7826c464d33a4e9b104
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bea27ed2fe4e48eebf79f045b50ab89be138596620155c3f47a75bf1b99ab824/
Verdict:
Malicious
Threat:
Family.COBALTSTRIKE
Link:
https://tip.neiki.dev/file/bea27ed2fe4e48eebf79f045b50ab89be138596620155c3f47a75bf1b99ab824
Threat name:
Win64.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2025-07-11 23:22:06 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x2rh5ux6jzeo5p3z6bc3kcvytpqtqwlgeakvyp2hu5n7dom2xasa._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
192613b36558938cc3174c6fe947255a288a5eecee2d7532b890a47d7023b3f1
Cobalt Strike
1e5c0566095b5fd64e3d75f7370e99ffc3dd100fd1e5d28087f2f4ab1ceea319
Cobalt Strike
3f26083185d0dc5ed2e4b5c96539458b9689f221eeb04528581f336e2d9958fb
Cobalt Strike
4ce210ed888ef0799aade75a3764c2c4186efc4923be5e9860ccdb3d346a4114
Cobalt Strike
734c7766a4d18c7eb8f9b5d9763b4a1a2292f6c1e30d624607f725f6af9ae3fb
Cobalt Strike
bea27ed2fe4e48eebf79f045b50ab89be138596620155c3f47a75bf1b99ab824
Cobalt Strike
error
Cobalt Strike
fcf2dfb4bbc60cfcf233616f5b995859d233dc46c108bbce16c49dec186e6416
Cobalt Strike
+ 88 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike backdoor trojan
Link:
https://tria.ge/reports/251223-kph6vazrhs/
Behaviour
Cobaltstrike
Cobaltstrike family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0960ed66-ebb9-4da7-b1ba-a307906f4076
Unpacked files
SH256 hash:
bea27ed2fe4e48eebf79f045b50ab89be138596620155c3f47a75bf1b99ab824
MD5 hash:
cbbef1e038d1b7826c464d33a4e9b104
SHA1 hash:
2e20c8878c2be89ad453ca8c1c9ef2c6e4778686
Link:
https://www.unpac.me/results/ba69a225-5bb1-4b5d-abdc-2f055eec85c1/
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bea27ed2fe4e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/bea27ed2fe4e48eebf79f045b50ab89be138596620155c3f47a75bf1b99ab824

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CobaltStrike_MZ_Launcher
Create hunting rule
Author:yara@s3c.za.net
Description:Detects CobaltStrike MZ header ReflectiveLoader launcher
Rule name:CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6
Create hunting rule
Author:gssincla@google.com
Description:Cobalt Strike's sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6
Reference:https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse
Rule name:CobaltStrike__Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6
Create hunting rule
Author:gssincla@google.com
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Suspicious_Golang_Binary
Create hunting rule
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_CobaltStrike_1787eef5
Create hunting rule
Author:Elastic Security
Description:CS shellcode variants
Rule name:win_cobalt_strike_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.cobalt_strike.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Cobalt Strike

Executable exe bea27ed2fe4e48eebf79f045b50ab89be138596620155c3f47a75bf1b99ab824

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/45709/

Comments