MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17684b236187ddef5261ac3f1ffc88b41da74b4df7963003c2ee7c732035ebba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	17684b236187ddef5261ac3f1ffc88b41da74b4df7963003c2ee7c732035ebba
SHA3-384 hash:	efb23b0101ab11b43b9553f535b14d57901aaae9e8906d80c427b325f9c0cc589b53c7dbb25d6ad60be42185da73b69d
SHA1 hash:	51af3f60ec4cdadfc87dd888b333e68cbda4bd4f
MD5 hash:	bf1c4ec817e188267e4b4fd6f7e77e20
humanhash:	seventeen-magazine-video-island
File name:	17684b236187ddef5261ac3f1ffc88b41da74b4df7963003c2ee7c732035ebba
Download:	download sample
File size:	4'882'199 bytes
First seen:	2020-11-10 07:22:24 UTC
Last seen:	2024-07-24 11:38:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	73db5c9b52201f07943a77eb03757432 (6 x CobaltStrike, 3 x Riskware.Generic)
ssdeep	98304:SW1qiPgxn+cuSuxx8Svt73qq36IdKtVxNw6pUkp3bkbRxbU4:53EnsxxDt73DdKrwapwbk4
Threatray	169 similar samples on MalwareBazaar
TLSH	4F36339134D0E4B3E427003E7387C37995F6B5B42B51D86637F5AAC925BBBE32622306
Reporter	seifreed

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.CobaltStrike-8091534-0

Win.Tool.CobaltStrike-6336852-0

Win.Malware.Tofsee-6896728-0

Win.Malware.Tofsee-7057860-0

Win.Dropper.Razy-7170446-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a file

Sending a custom TCP request

Modifying an executable file

Changing a file

Connection attempt

Sending a TCP request to an infection source

Infecting executable files

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/17684b236187ddef5261ac3f1ffc88b41da74b4df7963003c2ee7c732035ebba/

Threat name:

Win64.Trojan.SmokeLoader

Status:

Malicious

First seen:

2020-11-10 07:27:58 UTC

AV detection:

39 of 48 (81.25%)

Threat level:

5/5

Verdict:

unknown

0a411cd463b91000f0a2a032d04ff3855bb458a4bb395e441ed7d9b313a99d29

179a9cbd204f59591634d4289b4b9494a72d655021e06caf41b1e615df989b4c

197e1ed153952290628d8d7df87f8574f58d7720c8f6a6b9b48f0f20b656b1fd

30739896ea12185d27e0921b2703f0c540950a3e90c374f2f252db4d654630b4

5934cc132902dec2b1e57bcd79cab21acaafd4b3eca7566dba6d912d56ecad28

6819aeef46bdb64eb7f72f5ba764c618808e83cd169e678923d6c0103e78b8fe

7d2ef88de4820aae52a0062afc1dc0bcb93647254db69ced2a75304c5bef8d63

907816fef8920a22d1c447d6bb6d91e1926ac02612b247f490eff489d625794d

b77dd1dbfede33d9a526773a528ce16e02617325db7ab4c82b9491409a284deb

+ 159 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike upx

Link:

https://tria.ge/reports/201110-wexr3ar8v6/

Behaviour

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer start page

Program crash

Drops file in Program Files directory

Drops autorun.inf file

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

UPX packed file

Malware Config

C2 Extraction:

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample