MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b8bffdd083669bb12c6e459e8fb5c875e44fca7e6a5a7b31fa15236b16d9a23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	1b8bffdd083669bb12c6e459e8fb5c875e44fca7e6a5a7b31fa15236b16d9a23
SHA3-384 hash:	ba085f40325f78911ee2421fc31ac06daf1efe3b9cdedf6e2da9636579096cb90fddacbb1ab0bc6132d9608e2444fa72
SHA1 hash:	a3aace8c3aa00149b2f24c78406841d7e47b425a
MD5 hash:	a5d8ce1bb2d3246ad9d6614937818c39
humanhash:	hot-october-black-salami
File name:	1b8bffdd083669bb12c6e459e8fb5c875e44fca7e6a5a7b31fa15236b16d9a23
Download:	download sample
File size:	5'462'180 bytes
First seen:	2020-11-10 08:45:20 UTC
Last seen:	2024-07-24 11:51:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	227fe66ff6f22dec0266a5718d365ece (39 x CoinMiner, 1 x CobaltStrike, 1 x Berbew)
ssdeep	49152:ROdWCCi7/raV56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lp:RWWBibW56utgpPFotBER/mQ32lUl
Threatray	258 similar samples on MalwareBazaar
TLSH	14465C41ED9B45F2EB8712308CB31E5F6333B2190335EAC3DA654A6FE5276E46B36241
Reporter	seifreed

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.CobaltStrike-8091534-0

Win.Tool.CobaltStrike-6336852-0

Win.Trojan.Razy-7331645-0

Win.Trojan.Razy-7332867-0

Win.Trojan.Razy-7364523-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the Windows subdirectories

Creating a process from a recently created file

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1b8bffdd083669bb12c6e459e8fb5c875e44fca7e6a5a7b31fa15236b16d9a23/

Threat name:

Win64.Trojan.CoinMiner

Status:

Malicious

First seen:

2020-11-10 08:48:23 UTC

AV detection:

36 of 48 (75.00%)

Threat level:

5/5

Verdict:

suspicious

1d6181663237ede309548b15f49d773ff3274b974fa1285ab8b7d19b0f8be7ad

2e53cbd3f68e80c70a977d5013f99cb2d0152bdeacbc160bd6ddeb6e5f1d79bd

5c346f9336dd9981eb26d6e4aa8a702edadbaf677fad6d6d220970de4f2bcbfc

74004b90602918427c47d5130cbe215387a94dccf36af203bb173ca49f24a641

7678ec0b4aa2395a3fd72e05c02b1c0def409ffd28dc39823f17f419bfc9602e

9b3084dc2f60c23d77c8c976a1b876f8bfebd28be665a0da049bd5af4f7a1168

ac5e7850f89e0ad6535f76b95b990be09acddf739e977e7bfa91b45d6a2436d5

cf0e10dcf0bf39e4a116ae6b86c56446e162c9737a103065b95040f3da957a09

e1be27c730a0ede0d14b3db060e32624de0d823debd3c873e8418ee849760236

+ 248 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike backdoor trojan upx

Link:

https://tria.ge/reports/201110-z6gz4d2hy2/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Windows directory

JavaScript code in executable

Loads dropped DLL

Executes dropped EXE

UPX packed file

Cobalt Strike reflective loader

Cobaltstrike

Malware Config

C2 Extraction:

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample