MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb5e7322a075e2f7da6f361b6fd28a0e87db9e3b50eb602e3d099b38f33e685e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Metasploit

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments

SHA256 hash:	cb5e7322a075e2f7da6f361b6fd28a0e87db9e3b50eb602e3d099b38f33e685e
SHA3-384 hash:	72158706718fabcad95557e915a4df6533939b3c86244e7c7f2dce296bc7081abf4a2a5672ebc10cdddaba3aa8e8dd99
SHA1 hash:	062a3470ea11ef4be3e0ba166f6570a09bc288c4
MD5 hash:	fec125fc2b873fe0bd56c3695e8f7f8a
humanhash:	alpha-october-aspen-juliet
File name:	beacon_x64.ps1
Download:	download sample
Signature	Metasploit Create hunting rule
File size:	396'947 bytes
First seen:	2025-12-08 17:08:53 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	12288:LoC4sPKvWDIPH3NHIpdb+DrYKIZrMMEMsz2e:AvWq9Msz2e
Threatray	1'008 similar samples on MalwareBazaar
TLSH	T1A4846A473F5969ADD212F166E62EB0C235E0B52E94A98AD0B7F2D4F514F802234F43E7
Magika	powershell
Reporter	abuse_ch
Tags:	Metasploit ps1

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

CobaltStrike Rex

Details

CobaltStrike

a configuration XOR key and verbose configuration settings

Rex

a Base64 and XOR decoded component

Link:

https://research.acce.ciphertechsolutions.com/results/14459cef-bf40-4d46-8696-c6d6c82bc719/

Detection(s):

Sanesecurity.Malware.29509.UNOFFICIAL

SecuriteInfo.com.PowerShell.Obfus-4.UNOFFICIAL

Win.Trojan.CobaltStrike-7917400-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69370636881313558a2ba23d

Tags:

cobaltstrike cobalt

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 cobalt cobalt cobaltstrike metasploit mimikatz obfuscated powershell rozena

Link:

https://www.filescan.io/uploads/693706396019bc7a8f82326f/reports/dfd0e448-3b1e-49f4-9bfc-a22c55f219c4/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/cb5e7322a075e2f7da6f361b6fd28a0e87db9e3b50eb602e3d099b38f33e685e

Verdict:

Malicious

File Type:

ps1

First seen:

2025-12-06T20:52:00Z UTC

Last seen:

2025-12-08T07:26:00Z UTC

Hits:

~100

Detections:

Trojan.Win64.Cobalt.sb Trojan.Win32.Cobalt.sb Trojan.Win32.CobaltStrike.mz HEUR:Trojan.Script.Generic HEUR:Trojan.PowerShell.Agent.gen Trojan.Win32.Cometer.sb Trojan.Win32.CobaltStrike.sb Trojan.PowerShell.Cobalt.a HEUR:Trojan.Win32.Cometer.gen HEUR:Trojan.Win32.CobaltStrike.gen HEUR:Trojan.Win32.Cobalt.vho HEUR:HackTool.Win32.Inject.heur

Link:

https://opentip.kaspersky.com/cb5e7322a075e2f7da6f361b6fd28a0e87db9e3b50eb602e3d099b38f33e685e/results?tab=lookup

Result

Threat name:

Metasploit

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1829005

Signature

AI detected malicious Powershell script

Found suspicious powershell code related to unpacking or dynamic code loading

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MetasploitPayload

Yara detected Powershell decode and execute

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/cb5e7322a075e2f7da6f361b6fd28a0e87db9e3b50eb602e3d099b38f33e685e

Verdict:

Malware

YARA:

1 match(es)

Tags:

Base64 Block Contains Base64 Block DeObfuscated PowerShell

Link:

https://app.malva.re/file/fec125fc2b873fe0bd56c3695e8f7f8a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cb5e7322a075e2f7da6f361b6fd28a0e87db9e3b50eb602e3d099b38f33e685e/

Verdict:

Malicious

Threat:

Family.COBALTSTRIKE

Link:

https://tip.neiki.dev/file/cb5e7322a075e2f7da6f361b6fd28a0e87db9e3b50eb602e3d099b38f33e685e

Threat name:

Script-PowerShell.Trojan.CobaltStrike

Status:

Malicious

First seen:

2025-12-02 19:28:43 UTC

File Type:

Text (PowerShell)

AV detection:

23 of 36 (63.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=znphgivaoxrppwtpgynw7uukb2d5xhr3kdvwalr5bgntr4z6nbpa._file

Verdict:

malicious

Label(s):

cobaltstrike

Metasploit

7d9a831dc5c66eb1df2cfa737c5a452b6dcc150c38f1036a2941db6105f3e612

Metasploit

9482ba3e12b789f3228d180ec9eeb477fae73f6a1ec2bdbdcb0b0f2a907cb045

Metasploit

bc66f2d5329a171291bfd55b5447f97b631c825e5119fe28983c7c3f745d9859

Metasploit

error

Metasploit

f0e2fb0bbd3a98e22ff2defbf711d2ab078b9807f34e0f8f81dcb4124f20588b

Metasploit

+ 998 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

execution

Link:

https://tria.ge/reports/251208-vn7sxszraj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Command and Scripting Interpreter: PowerShell

Badlisted process makes network request

Malware family:

CobaltStrike

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cb5e7322a075/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.15

Link:

https://yomi.yoroi.company/submissions/cb5e7322a075e2f7da6f361b6fd28a0e87db9e3b50eb602e3d099b38f33e685e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobaltbaltstrike_Beacon_Encoded Create hunting rule
Author:	Avast Threat Intel Team
Description:	Detects CobaltStrike payloads
Reference:	https://github.com/avast/ioc

Rule name:	CobaltStrike_Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13 Create hunting rule
Author:	gssincla@google.com
Description:	Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13
Reference:	https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse

Rule name:	CobaltStrike__Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13 Create hunting rule
Author:	gssincla@google.com

Rule name:	Msfpayloads_msf_ref Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Metasploit Payloads - file msf-ref.ps1
Reference:	Internal Research

Rule name:	Msfpayloads_msf_ref_RID2ED5 Create hunting rule
Author:	Florian Roth
Description:	Metasploit Payloads - file msf-ref.ps1
Reference:	Internal Research

Rule name:	SUSP_PowerShell_Base64_Decode Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects PowerShell code to decode Base64 data. This can yield many FP

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Metasploit

ps1 cb5e7322a075e2f7da6f361b6fd28a0e87db9e3b50eb602e3d099b38f33e685e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3728184/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample