MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 197e1ed153952290628d8d7df87f8574f58d7720c8f6a6b9b48f0f20b656b1fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	197e1ed153952290628d8d7df87f8574f58d7720c8f6a6b9b48f0f20b656b1fd
SHA3-384 hash:	5e8e39aab3d08f824e5eafcb9e516f12d4fac6dce3f3b7566eec940397e27d7c1ddabe7709974fa32b8dc34f14ef63ce
SHA1 hash:	e66e92450ac91503c32c1f1ceaf7a239a458ba1a
MD5 hash:	7ab26b169ff0d679b5e9f98901255ef5
humanhash:	tennis-jersey-autumn-red
File name:	197e1ed153952290628d8d7df87f8574f58d7720c8f6a6b9b48f0f20b656b1fd
Download:	download sample
File size:	4'945'687 bytes
First seen:	2020-11-10 06:55:11 UTC
Last seen:	2024-07-24 11:44:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	73db5c9b52201f07943a77eb03757432 (6 x CobaltStrike, 3 x Riskware.Generic)
ssdeep	98304:SW1qiPgxn+cuSuxx8Svt73qq36IdKtVxNw6pUkp3bkbRx3UV:53EnsxxDt73DdKrwapwb4V
Threatray	169 similar samples on MalwareBazaar
TLSH	3836339134C0E4B3E467003D7787C37995FAB9B42B12D45637F4AACA2977BE36A22305
Reporter	seifreed

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.CobaltStrike-8091534-0

Win.Tool.CobaltStrike-6336852-0

Win.Malware.Tofsee-6896728-0

Win.Malware.Tofsee-7057860-0

Win.Dropper.Razy-7170446-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Creating a file

Sending a custom TCP request

Creating a file in the system32 subdirectories

Modifying an executable file

Changing a file

Creating a file in the mass storage device

Changing critical settings of the Internet Explorer browser

Infecting executable files

Enabling threat expansion on mass storage devices by creating the autorun.inf autorun file

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/197e1ed153952290628d8d7df87f8574f58d7720c8f6a6b9b48f0f20b656b1fd/

Threat name:

Win64.Trojan.SmokeLoader

Status:

Malicious

First seen:

2020-11-10 06:57:41 UTC

AV detection:

40 of 48 (83.33%)

Threat level:

5/5

Verdict:

unknown

0a411cd463b91000f0a2a032d04ff3855bb458a4bb395e441ed7d9b313a99d29

17684b236187ddef5261ac3f1ffc88b41da74b4df7963003c2ee7c732035ebba

179a9cbd204f59591634d4289b4b9494a72d655021e06caf41b1e615df989b4c

30739896ea12185d27e0921b2703f0c540950a3e90c374f2f252db4d654630b4

5934cc132902dec2b1e57bcd79cab21acaafd4b3eca7566dba6d912d56ecad28

6819aeef46bdb64eb7f72f5ba764c618808e83cd169e678923d6c0103e78b8fe

7d2ef88de4820aae52a0062afc1dc0bcb93647254db69ced2a75304c5bef8d63

907816fef8920a22d1c447d6bb6d91e1926ac02612b247f490eff489d625794d

b77dd1dbfede33d9a526773a528ce16e02617325db7ab4c82b9491409a284deb

+ 159 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence upx

Link:

https://tria.ge/reports/201110-pleg97v41n/

Behaviour

Modifies Internet Explorer start page

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Program crash

Drops file in Program Files directory

Drops autorun.inf file

Drops file in System32 directory

Adds Run key to start application

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

UPX packed file

Malware Config

C2 Extraction:

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample