MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08e4ff0c3fd04510841e9f4e55ba0b3d2681d8f4c3405fd83dd9bbc4c2fa01d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08e4ff0c3fd04510841e9f4e55ba0b3d2681d8f4c3405fd83dd9bbc4c2fa01d9
SHA3-384 hash: 0eb5580fa9ba5edcb0d82578b16b5102e3c3b1e3126d02e38816193c4668501934a31d15da6aac2cb75269133de6d95b
SHA1 hash: 5a2fcbfe9811f238d72e966c8497bc893481daa5
MD5 hash: 1461c916cd8dc3c0acbbf3668c904580
humanhash: orange-montana-mobile-lithium
File name:miner.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:5'769'728 bytes
First seen:2020-12-07 18:36:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 98304:k2cPK8KCv7/yO8SpaB7thFVane3dBYz7Q3gfBwlNUNPTReABhqUZCRLZ:/CKzCveO9krhFV2ezYfQQf2lNUFUYfZC
Threatray 952 similar samples on MalwareBazaar
TLSH 9646231263E6D072FF9A92739B26B24596BC79644033842F135C2DB9BD706B1637E323
Reporter Anonymous
Tags:Cobalt Strike

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
miner.exe
Verdict:
Malicious activity
Analysis date:
2020-12-07 18:38:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/10059e5a-0951-4cb2-b97f-029a6df14f31

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107080/
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Sending a UDP request
Searching for the window
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Launching a tool to kill processes
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Meterpreter Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/557220
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Contains functionality to check if the process is started with administrator privileges
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Detected unpacking (creates a PE file in dynamic memory)
Drops PE files with benign system names
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Wscript starts Powershell (via cmd or directly)
Yara detected Meterpreter
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 327704 Sample: miner.exe Startdate: 07/12/2020 Architecture: WINDOWS Score: 100 111 Malicious sample detected (through community Yara rule) 2->111 113 Antivirus detection for dropped file 2->113 115 Antivirus / Scanner detection for submitted sample 2->115 117 16 other signatures 2->117 14 miner.exe 3 21 2->14         started        process3 file4 99 C:\ProgramData\Defender\d.exe, PE32+ 14->99 dropped 101 C:\ProgramData\Defender\ab.exe, PE32 14->101 dropped 103 C:\ProgramData\Defender\t.bat, DOS 14->103 dropped 105 3 other files (none is malicious) 14->105 dropped 17 ac.exe 5 14->17         started        20 wscript.exe 1 14->20         started        23 ab.exe 9 14->23         started        process5 file6 83 C:\ProgramData\Defender\min.exe, PE32 17->83 dropped 25 min.exe 24 17->25         started        119 Wscript starts Powershell (via cmd or directly) 20->119 29 d.exe 20->29         started        31 cmd.exe 1 20->31         started        85 C:\ProgramData\Defender\dc.exe, PE32 23->85 dropped 121 Multi AV Scanner detection for dropped file 23->121 33 wscript.exe 1 23->33         started        signatures7 process8 file9 91 C:\ProgramData\Task Host\svchost.exe, PE32+ 25->91 dropped 93 C:\ProgramData\...\Windows Protection.exe, PE32+ 25->93 dropped 95 C:\ProgramData\Defender\WinRing0x64.sys, PE32+ 25->95 dropped 97 5 other malicious files 25->97 dropped 129 Antivirus detection for dropped file 25->129 131 Binary is likely a compiled AutoIt script file 25->131 133 Sample is not signed and drops a device driver 25->133 135 Drops PE files with benign system names 25->135 35 Start.exe 8 25->35         started        137 Multi AV Scanner detection for dropped file 29->137 39 conhost.exe 31->39         started        41 schtasks.exe 1 31->41         started        139 Wscript starts Powershell (via cmd or directly) 33->139 43 cmd.exe 1 33->43         started        45 d.exe 33->45         started        signatures10 process11 file12 87 C:\Users\user\AppData\Local\Temp\...\402D.bat, ASCII 35->87 dropped 123 Multi AV Scanner detection for dropped file 35->123 47 cmd.exe 35->47         started        49 conhost.exe 43->49         started        51 schtasks.exe 1 43->51         started        signatures13 process14 process15 53 wscript.exe 47->53         started        56 svchost.exe 47->56         started        59 conhost.exe 47->59         started        61 2 other processes 47->61 dnsIp16 125 Wscript starts Powershell (via cmd or directly) 53->125 63 cmd.exe 53->63         started        66 svchost.exe 53->66         started        109 172.94.88.173, 49755, 49758, 5501 SOFTLAYERUS United States 56->109 signatures17 process18 signatures19 141 Wscript starts Powershell (via cmd or directly) 63->141 68 powershell.exe 63->68         started        71 conhost.exe 63->71         started        143 System process connects to network (likely due to code injection or exploit) 66->143 process20 file21 89 C:\Users\user\AppData\...\p3d2g0nn.cmdline, UTF-8 68->89 dropped 73 wscript.exe 68->73         started        76 wscript.exe 68->76         started        78 csc.exe 68->78         started        process22 file23 127 Wscript starts Powershell (via cmd or directly) 73->127 107 C:\Users\user\AppData\Local\...\p3d2g0nn.dll, PE32 78->107 dropped 81 cvtres.exe 78->81         started        signatures24 process25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/08e4ff0c3fd04510841e9f4e55ba0b3d2681d8f4c3405fd83dd9bbc4c2fa01d9/
Threat name:
Win32.Trojan.Reconyc
Create hunting rule
Status:
Malicious
First seen:
2020-12-07 18:37:05 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
2af42a2047b16f2dea0038365058a8d8b7f71152117c371ce7f593e47aa785d1
CobaltStrike
4f4037898d619b3b5f1c9fedd3e3940f46d39a57db2cbf9b4d8238d587fd7168
CobaltStrike
593d037e9fd467ebe80cb0ff28d22be2dbc0fdaad4d626ee2ad30707d8ea23da
CobaltStrike
9282d409b92e1ebf58829283933edea243f7ccf3b68456139986c7cb5949522d
CobaltStrike
d5fce47c9f644b0cd9d392a93e30bbfdc9368d06250263a200708da9f80e4048
CobaltStrike
dc504935b4a0f6059ba40c20803c7cf22b5c3a5f0b20226e36003df979bcbd4a
CobaltStrike
ede75c0a88d80043f79025dfd8ef91c3d1b01a1613f4a0347b2ceb29f8b19578
CobaltStrike
f6d89ff139f4169e8a67332a0fd55b6c9beda0b619b1332ddc07d9a860558bab
CobaltStrike
f9a19835601dc81b94557b0452cbde314a8f856e9d6371b825f39b627dba2949
CobaltStrike
fb780f623a78c9b5aa8a279430731b84d0efe937ea5684f80182e4f896e8e288
CobaltStrike
+ 942 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/201207-jdsdnfheks/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
JavaScript code in executable
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
0844f16e4087d92a57c5fae7d2d6c7a98443863cabdcb41cc581033731d7c2d2
MD5 hash:
063002186570994d1cb0a8beeac21921
SHA1 hash:
6ef06954587fb08657b107dffd6805fd2824a21f
Link:
https://www.unpac.me/results/ba67aaf1-6757-4ed5-a2a6-0272ca28ac55/
SH256 hash:
08e4ff0c3fd04510841e9f4e55ba0b3d2681d8f4c3405fd83dd9bbc4c2fa01d9
MD5 hash:
1461c916cd8dc3c0acbbf3668c904580
SHA1 hash:
5a2fcbfe9811f238d72e966c8497bc893481daa5
Link:
https://www.unpac.me/results/ba67aaf1-6757-4ed5-a2a6-0272ca28ac55/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/08e4ff0c3fd04510841e9f4e55ba0b3d2681d8f4c3405fd83dd9bbc4c2fa01d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:HKTL_Meterpreter_inMemory
Create hunting rule
Author:netbiosX, Florian Roth
Description:Detects Meterpreter in-memory
Reference:https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:ReflectiveLoader
Create hunting rule
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/107080/

Comments