MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed8f995184e5d9e36f6ed292aa08f28a361aaf906a0346f0325be7d29556708f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Cobalt Strike

Vendor detections: 19

Intelligence 19 IOCs YARA 7 File information Comments

SHA256 hash:	ed8f995184e5d9e36f6ed292aa08f28a361aaf906a0346f0325be7d29556708f
SHA3-384 hash:	0318e626997009af1b19493e4c2cb3fd3cad84c6f356890de7979c82848159a17d4d1a69a3e171f807e776e776cddb5b
SHA1 hash:	a66b81f6def47bd6d3371e1ecdc1040b5c7e5e15
MD5 hash:	8f3ddf8622e8a698126e42cde97c95fb
humanhash:	washington-nine-social-hydrogen
File name:	福建恒安集团-2025年工建生产耗材及备品采购项目公开询价文件.exe
Download:	download sample
Signature	Cobalt Strike Create hunting rule
File size:	8'175'221 bytes
First seen:	2025-09-27 03:30:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1e92fd54d65284238a0e3b74b2715062 (21 x Empyrean, 4 x Gh0stRAT, 4 x Telemiris)
ssdeep	196608:Aqb0aF7QOz7NCsXDjDyfmdJolpPgToa10/tAN5FOnJ6J0w9H+xZ:hLF7l7NCEDLJ83a101AsN6+x
TLSH	T17F86336456C89FA6F8A6903B4C31AC45D5FA3C2A5211E54F2984372BAEF31744C3FB27
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	kafan_shengui
Tags:	Cobalt Strike CobaltStrike exe

kafan_shengui

Targeted Attack.
C&C: 47.122.63.148

Intelligence

File Origin

# of uploads :

# of downloads :

136

Origin country :

Vendor Threat Intelligence

Malware family:

cobaltstrike

ID:

File name:

-2025.exe

Verdict:

Malicious activity

Analysis date:

2025-09-27 03:30:54 UTC

Tags:

python pyinstaller cobaltstrike

Link:

https://app.any.run/tasks/619821ce-00a6-4fcd-a514-6783e6a0bb1e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CobaltStrikeStager

Link:

https://www.capesandbox.com/analysis/29207/

Detection(s):

SecuriteInfo.com.Mal.Generic-S.5621.7552.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68d75a6afb8bc5050e4f1508

Tags:

cobaltstrike dridex cobalt

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Restart of the analyzed sample

Connection attempt

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

compiled-script expand lolbin microsoft_visual_cc overlay overlay packed pyinstaller pyinstaller python unsafe

Link:

https://www.filescan.io/uploads/68d75a6a674d5fd6aa0e3211/reports/1970dd4b-2f2c-49ae-a139-1d1c2f82b7c8/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ed8f995184e5d9e36f6ed292aa08f28a361aaf906a0346f0325be7d29556708f

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-09-27T00:49:00Z UTC

Last seen:

2025-09-27T00:49:00Z UTC

Hits:

~100

Detections:

Trojan.Win64.Shelm.sb Trojan.Win64.Cobalt.sb Trojan.Win32.CobaltStrike.lhr BSS:Exploit.Win32.Generic.nblk BSS:Exploit.Win32.Generic Backdoor.Cobalt.HTTP.C&C Trojan-Downloader.Agent.HTTP.C&C Trojan.Win64.Shlem.sb Trojan.Win32.Shelma.a Trojan.Win32.Shelm.a Trojan.Win32.CobaltStrike.sb HackTool.Cobalt.HTTP.C&C

Link:

https://opentip.kaspersky.com/ed8f995184e5d9e36f6ed292aa08f28a361aaf906a0346f0325be7d29556708f/results?tab=lookup

Malware family:

Cobalt Strike

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6467320b-50cf-4a4f-b82d-4435b7120369

Score:

78%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ed8f995184e5d9e36f6ed292aa08f28a361aaf906a0346f0325be7d29556708f

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/8f3ddf8622e8a698126e42cde97c95fb

Detection:

cobaltstrike

Link:

https://mwdb.cert.pl/sample/ed8f995184e5d9e36f6ed292aa08f28a361aaf906a0346f0325be7d29556708f/

Verdict:

Malicious

Threat:

Family.COBALTSTRIKE

Link:

https://tip.neiki.dev/file/ed8f995184e5d9e36f6ed292aa08f28a361aaf906a0346f0325be7d29556708f

Threat name:

Win64.Backdoor.Cobeacon

Status:

Malicious

First seen:

2025-09-27 03:30:56 UTC

File Type:

PE+ (Exe)

Extracted files:

678

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5whzsume4xm6g33o2kjkuchsri3bvl4qnibun4bslpt5ffkwochq._file

Verdict:

malicious

Label(s):

metasploit

cobaltstrike

Similar samples:

error

Cobalt Strike

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike backdoor pyinstaller trojan

Link:

https://tria.ge/reports/250927-d2w5xayzdt/

Behaviour

Suspicious use of WriteProcessMemory

Loads dropped DLL

Cobaltstrike

Cobaltstrike family

Malware Config

C2 Extraction:

http://47.122.63.148:45981/a3Zo

Verdict:

Suspicious

Tags:

Cobalt_Strike c2

YARA:

n/a

Link:

https://app.threat.zone/submission/f1e6fef3-ccdd-4306-963a-472a0e922e32

Unpacked files

SH256 hash:

ed8f995184e5d9e36f6ed292aa08f28a361aaf906a0346f0325be7d29556708f

MD5 hash:

8f3ddf8622e8a698126e42cde97c95fb

SHA1 hash:

a66b81f6def47bd6d3371e1ecdc1040b5c7e5e15

Link:

https://www.unpac.me/results/01b0e4a7-b953-48bf-b9e1-24ed0dcdf339/

SH256 hash:

6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

MD5 hash:

4a365ffdbde27954e768358f4a4ce82e

SHA1 hash:

a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

Link:

https://www.unpac.me/results/01b0e4a7-b953-48bf-b9e1-24ed0dcdf339/

SH256 hash:

296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf

MD5 hash:

89511df61678befa2f62f5025c8c8448

SHA1 hash:

df3961f833b4964f70fcf1c002d9fd7309f53ef8

Link:

https://www.unpac.me/results/01b0e4a7-b953-48bf-b9e1-24ed0dcdf339/

Malware family:

CobaltStrike

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ed8f995184e5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ed8f995184e5d9e36f6ed292aa08f28a361aaf906a0346f0325be7d29556708f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PyInstaller Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PyInstaller compiled executables across platforms

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/29207/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample