MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d6181663237ede309548b15f49d773ff3274b974fa1285ab8b7d19b0f8be7ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	1d6181663237ede309548b15f49d773ff3274b974fa1285ab8b7d19b0f8be7ad
SHA3-384 hash:	482d96bf4da8f057817849f161c01c930bcb8e796b3cef53d6e64405413bdc32f90398d125839b12207beb5ac7c79e2b
SHA1 hash:	198a3014790de9a4f36e0b18d63071616bc25f24
MD5 hash:	93285c922f369702878f8168a725982a
humanhash:	mockingbird-twelve-mountain-minnesota
File name:	1d6181663237ede309548b15f49d773ff3274b974fa1285ab8b7d19b0f8be7ad
Download:	download sample
File size:	5'462'939 bytes
First seen:	2020-11-10 07:21:59 UTC
Last seen:	2024-07-24 11:55:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	227fe66ff6f22dec0266a5718d365ece (39 x CoinMiner, 1 x CobaltStrike, 1 x Berbew)
ssdeep	49152:ROdWCCi7/raO56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lm:RWWBibl56utgpPFotBER/mQ32lUa
Threatray	259 similar samples on MalwareBazaar
TLSH	62465C41ED9B45F2EB8712308CB31E5F6333B2190335EAC3DA654A6FE5276E46B36241
Reporter	seifreed

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.CobaltStrike-8091534-0

Win.Tool.CobaltStrike-6336852-0

Win.Trojan.Razy-7331645-0

Win.Trojan.Razy-7332867-0

Win.Trojan.Razy-7364523-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the Windows subdirectories

Creating a process from a recently created file

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1d6181663237ede309548b15f49d773ff3274b974fa1285ab8b7d19b0f8be7ad/

Threat name:

Win64.Trojan.CoinMiner

Status:

Malicious

First seen:

2020-11-10 07:27:45 UTC

AV detection:

36 of 48 (75.00%)

Threat level:

5/5

Verdict:

suspicious

1b8bffdd083669bb12c6e459e8fb5c875e44fca7e6a5a7b31fa15236b16d9a23

2e53cbd3f68e80c70a977d5013f99cb2d0152bdeacbc160bd6ddeb6e5f1d79bd

5c346f9336dd9981eb26d6e4aa8a702edadbaf677fad6d6d220970de4f2bcbfc

74004b90602918427c47d5130cbe215387a94dccf36af203bb173ca49f24a641

7678ec0b4aa2395a3fd72e05c02b1c0def409ffd28dc39823f17f419bfc9602e

9b3084dc2f60c23d77c8c976a1b876f8bfebd28be665a0da049bd5af4f7a1168

ac5e7850f89e0ad6535f76b95b990be09acddf739e977e7bfa91b45d6a2436d5

cf0e10dcf0bf39e4a116ae6b86c56446e162c9737a103065b95040f3da957a09

e1be27c730a0ede0d14b3db060e32624de0d823debd3c873e8418ee849760236

+ 249 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike backdoor trojan upx

Link:

https://tria.ge/reports/201110-9n91afcxwj/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Windows directory

JavaScript code in executable

Loads dropped DLL

Executes dropped EXE

UPX packed file

Cobalt Strike reflective loader

Cobaltstrike

Malware Config

C2 Extraction:

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample