{
	"id": "7da92f57-7d9f-48de-9c7e-31f18dfd1990",
	"created_at": "2026-04-06T00:17:49.548934Z",
	"updated_at": "2026-04-10T03:24:23.861624Z",
	"deleted_at": null,
	"sha1_hash": "9ff6ee0487e561d6e548b51aeaeb9ac8cf8ed53a",
	"title": "Analyzing Cobalt Strike PowerShell Payload",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 202239,
	"plain_text": "Analyzing Cobalt Strike PowerShell Payload\r\nBy AK1001\r\nPublished: 2024-09-25 · Archived: 2026-04-05 20:13:14 UTC\r\nSince last year, Cobalt Strike payloads have been everywhere. We have seen attackers use Cobalt Strike in many attacks, including serious cyber incidents such as the SolarWinds supply chain attack [1]. In Proofpoint’s new article, it is said that Cobalt Strike is the favorite tool of everyone from APT groups to crimeware operators [2]. Cobalt Strike is a penetration testing tool developed by Strategic Cyber. It’s a good framework for Red Team collaboration.\r\nThese days, the executable and DLL types of Cobalt Strike payload are the ones most often used in attacks. Other payload types, such as macros or PowerShell, are sometimes delivered by attackers as well. In this article, let’s analyze the Cobalt Strike PowerShell payload.\r\nSample\r\nMD5: e0315aca119a9b3b7d89184ad2fa2603\r\nSHA-1: bfc928da46d2ae32e2c60373a5d968d2f15e497a\r\nSHA-256: 24b18a60020d05b32b13d2cf1e6d6b1ccda4f0af5fb5ec0da960746fde54b796\r\nVirusTotal information\r\nVirusTotal shows that 28 AV vendors detect this malicious payload. 4 vendors detect it as Cobalt Strike-related malware, and 8 vendors detect it as「PwShell.Rozena」. That’s interesting! After I searched what Rozena is, I found an analysis report published in 2018 by GDATA [3]. It looks like the malware uses a command-line technique to run PowerShell, performing fileless attacks.\r\nAnalysis\r\nSource: https://ak100117.medium.com/analyzing-cobalt-strike-powershell-payload-64d55ed3521b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://ak100117.medium.com/analyzing-cobalt-strike-powershell-payload-64d55ed3521b"
	],
	"report_names": [
		"analyzing-cobalt-strike-powershell-payload-64d55ed3521b"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434669,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ff6ee0487e561d6e548b51aeaeb9ac8cf8ed53a.pdf",
		"text": "https://archive.orkl.eu/9ff6ee0487e561d6e548b51aeaeb9ac8cf8ed53a.txt",
		"img": "https://archive.orkl.eu/9ff6ee0487e561d6e548b51aeaeb9ac8cf8ed53a.jpg"
	}
}