MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0997dd01a7962e8949d6865d70d7fe6c9771055276123ef2615c721dbc804347. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	0997dd01a7962e8949d6865d70d7fe6c9771055276123ef2615c721dbc804347
SHA3-384 hash:	fdda33c7880badb91ac5162c732f61f3f8c3220e1763dd5c9a87177dd904d97772bbbc447d22b89dc15122af48af6094
SHA1 hash:	6df025ae5df5e9144d7cc840b7819915a2614b0d
MD5 hash:	ace8a713822fe2664a62e311030459af
humanhash:	steak-kilo-bluebird-jig
File name:	0997dd01a7962e8949d6865d70d7fe6c9771055276123ef2615c721dbc804347
Download:	download sample
File size:	11'195'671 bytes
First seen:	2020-11-10 06:38:59 UTC
Last seen:	2024-07-24 11:01:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f06dc709a5b17f58964c6e5478a768b5 (4 x CobaltStrike, 4 x Riskware.Generic, 1 x CoinMiner)
ssdeep	196608:F0vN0eD0Uka1jNtuDTzUJG1mDE3ElPSbCfi7gCsL2X:F4Ge4aruDeCuSbdgCH
Threatray	169 similar samples on MalwareBazaar
TLSH	AAB67D27F4E204F9CA7FD07086979772BA31746A43307BA71F90EA751E12F906A2E714
Reporter	seifreed

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Pseudosigner-36

SecuriteInfo.com.Generic-EXE.UNOFFICIAL

Win.Trojan.CobaltStrike-8091534-0

Win.Tool.CobaltStrike-6336852-0

Win.Malware.Tofsee-6896728-0

Win.Malware.Tofsee-7057860-0

Win.Coinminer.Generic-7158858-0

Multios.Coinminer.Miner-6781728-2

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a file

Sending a custom TCP request

Changing a file

Modifying an executable file

Connection attempt

Creating a window

Modifying a system executable file

Launching the default Windows debugger (dwwin.exe)

Infecting executable files

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0997dd01a7962e8949d6865d70d7fe6c9771055276123ef2615c721dbc804347/

Threat name:

Win64.Trojan.CoinMiner

Status:

Malicious

First seen:

2020-11-10 06:40:12 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Verdict:

unknown

2ec0880418b3a5697ac69cecb0f194d2a6a2e5785f1dded079c5e12056d45c31

3a9c4cf06a98848d800eaf6c4cd4a30e50b4123079c3ba71dd69cfb9554b3ad8

40060eb0d5e769d9a65987c9c1bace3525e0fe6b6ca0f1b5693b2ba4871d032b

5fc2660796cdbcb5b96f0ec909f1b1e038b93ce0afdb7326e76bc486efec811a

7f42cb8b36103e8140f03dce854015c32cb5f20635361838a82581d9796cfa2d

85a588bc7e92b4e3a32b439477d47a54da61a22f9bb333e4257966ae291d383a

922d893e23a33a3ad96428f86dc0f4c835eb73988cc16bbaa9caa1851627f182

a0e77464bcaf8c4f00f9eef0accc1d0437937595dd442de8ff98858812226910

a6716509395bbeb0b27d4f384927e7c5b3e75f9fa6e1def742340ab128c15a89

+ 159 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/201110-2adpwjb6ya/

Behaviour

Modifies Internet Explorer start page

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Program crash

Drops file in Program Files directory

Drops autorun.inf file

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Malware Config

C2 Extraction:

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample