MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d08e658268829d195f5c2621dfb2b99eb03f4caeacba67b462aa908416da49d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 17

Intelligence 17 IOCs YARA 11 File information Comments

SHA256 hash:	d08e658268829d195f5c2621dfb2b99eb03f4caeacba67b462aa908416da49d1
SHA3-384 hash:	227eeb754a26003a8f5772264c076d8962add4b4d48514db3dc56b66737b7302eb6e0bc1be4940e7da2af74fe024e150
SHA1 hash:	421c6ae3902f7363aa708e61cbf64257a26f4f10
MD5 hash:	b0d13fb92171a04210283bec65de1e19
humanhash:	sweet-foxtrot-oscar-mexico
File name:	apito.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	11'776 bytes
First seen:	2026-02-07 18:32:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	94dfcb980c8d4ed2d51e1f4ceb72b39a (1 x CobaltStrike)
ssdeep	192:vmzQNB2OtjCBvGWuNNp32zM3Q5tfl4+l:vSQNcGjCpE0M3
Threatray	440 similar samples on MalwareBazaar
TLSH	T144322B46FA614CFAE6690239C57B451EE079FA036322A7CF23BC01262F613D271752CD
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Ling
Tags:	CobaltStrike exe Trojan:Win64/TurtleLoader.CS!dha TurtleLoader

CNGaoLing

Trojan:Win64/TurtleLoader.CS!dha

Intelligence

File Origin

# of uploads :

# of downloads :

114

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

MetaSploit

Details

MetaSploit

a c2 url

Link:

https://research.acce.ciphertechsolutions.com/results/ef4e20e3-3acb-4fd4-8966-af0a53eb1092/

Malware family:

cobaltstrike

ID:

File name:

apito.exe

Verdict:

Malicious activity

Analysis date:

2026-02-07 15:18:12 UTC

Tags:

cobaltstrike

Link:

https://app.any.run/tasks/891527f6-1575-4785-8505-2191d7712eab

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CobaltStrikeStager

Link:

https://www.capesandbox.com/analysis/52629/

Detection(s):

Win.Trojan.MSShellcode-5

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69876ca0b1f983b8468456ea

Tags:

cobaltstrike cobalt

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm cobalt cobalt cobaltstrike microsoft_visual_cc

Link:

https://www.filescan.io/uploads/6987856e981ff1d38a4c6cd1/reports/4bf98777-7bb5-45ce-af8e-dfd9b7028324/overview

Verdict:

Malicious

Labled as:

ShellCode.Marte.2.Generic

Link:

https://www.hybrid-analysis.com/sample/d08e658268829d195f5c2621dfb2b99eb03f4caeacba67b462aa908416da49d1

Result

Gathering data

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-02-07T12:17:00Z UTC

Last seen:

2026-02-07T12:32:00Z UTC

Hits:

~10

Detections:

Trojan.Win64.Shlem.sb Trojan.Win64.Shelm.sb Trojan.Win32.Shelm.a HEUR:Trojan.Win64.Shelma.a HEUR:Trojan.Win32.Generic Exploit.Win64.Crun.a

Link:

https://opentip.kaspersky.com/d08e658268829d195f5c2621dfb2b99eb03f4caeacba67b462aa908416da49d1/results?tab=lookup

Malware family:

Metasploit Framework

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3c8fb58f-e0af-42b5-9245-6a3c0cdd66bc

Score:

96%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d08e658268829d195f5c2621dfb2b99eb03f4caeacba67b462aa908416da49d1

Verdict:

inconclusive

YARA:

3 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/b0d13fb92171a04210283bec65de1e19

Detection:

cobaltstrike

Link:

https://mwdb.cert.pl/sample/d08e658268829d195f5c2621dfb2b99eb03f4caeacba67b462aa908416da49d1/

Verdict:

Malicious

Threat:

Family.COBALTSTRIKE

Link:

https://tip.neiki.dev/file/d08e658268829d195f5c2621dfb2b99eb03f4caeacba67b462aa908416da49d1

Threat name:

Win64.Backdoor.Meterpreter

Status:

Malicious

First seen:

2026-02-07 16:47:57 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

25 of 36 (69.44%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2chglatiqkorsx24eyq57mvzt2yd6tfovs5gpndcvkiiifw2jhiq._file

Verdict:

malicious

Label(s):

metasploit

CobaltStrike

18176a8ccc62cced9771a9fb2e2996016d79b2fbd700a15dbdd7467d1b998ee0

CobaltStrike

47336e3f06eb8cae1d4d9e5b93e36587c6a6434583b69e8f04ecb37335783054

CobaltStrike

563d3e127d92bd8b8e15ee95f7d30e950ec30d41d4cd20658f5443273eea96c7

CobaltStrike

5bea4028b99ab2708fff4512578311052755890acb018d5b65b1455193c7f71e

CobaltStrike

63101038b04ac1387a6e8849f6a9c7723120c748a57d663491f81e3b88b96f37

CobaltStrike

error

CobaltStrike

+ 430 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike backdoor trojan

Link:

https://tria.ge/reports/260207-w7c84ahw5c/

Behaviour

Cobaltstrike

Cobaltstrike family

Malware Config

C2 Extraction:

http://192.168.139.141:6789/qZ8Z

Unpacked files

SH256 hash:

d08e658268829d195f5c2621dfb2b99eb03f4caeacba67b462aa908416da49d1

MD5 hash:

b0d13fb92171a04210283bec65de1e19

SHA1 hash:

421c6ae3902f7363aa708e61cbf64257a26f4f10

Link:

https://www.unpac.me/results/044543ef-2886-4e8a-a351-6ed01f9fd1cb/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobaltbaltstrike_RAW_Payload_http_stager_x64 Create hunting rule
Author:	Avast Threat Intel Team
Description:	Detects CobaltStrike payloads
Reference:	https://github.com/avast/ioc

Rule name:	CobaltStrikeStager Create hunting rule
Author:	@dan__mayer <daniel@stairwell.com>
Description:	Cobalt Strike Stager Payload

Rule name:	CobaltStrike_Resources_Httpstager64_Bin_v3_2_through_v4_x Create hunting rule
Author:	gssincla@google.com
Description:	Cobalt Strike's resources/httpstager64.bin signature for versions v3.2 to v4.x
Reference:	https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse

Rule name:	CobaltStrike__Resources_Httpstager64_Bin_v3_2_through_v4_x Create hunting rule
Author:	gssincla@google.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	Windows_Trojan_Metasploit_7bc0f998 Create hunting rule
Description:	Identifies the API address lookup function leverage by metasploit shellcode

Rule name:	Windows_Trojan_Metasploit_7bc0f998 Create hunting rule
Author:	Elastic Security
Description:	Identifies the API address lookup function leverage by metasploit shellcode

Rule name:	Windows_Trojan_Metasploit_c9773203 Create hunting rule
Description:	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Reference:	https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm

Rule name:	Windows_Trojan_Metasploit_c9773203 Create hunting rule
Author:	Elastic Security
Description:	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Reference:	https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

exe d08e658268829d195f5c2621dfb2b99eb03f4caeacba67b462aa908416da49d1

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/52629/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample