MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a2bb971f0f05345aa23dca99a77d15532693c5a0566a41b935d26a4112811c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	2a2bb971f0f05345aa23dca99a77d15532693c5a0566a41b935d26a4112811c0
SHA3-384 hash:	9a8389d0e814f582e6e02b1c1b51ff37398d52ca871148aeb4083674a458bd54694d4ad372d662b1a94a3e6e9e20716e
SHA1 hash:	492fc571f3e153afa90d0594bedbc121b91be067
MD5 hash:	29b886d66c23733313488602e3ad18cc
humanhash:	three-muppet-triple-one
File name:	2a2bb971f0f05345aa23dca99a77d15532693c5a0566a41b935d26a4112811c0
Download:	download sample
File size:	14'224'151 bytes
First seen:	2020-11-10 07:22:52 UTC
Last seen:	2024-07-24 12:31:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f06dc709a5b17f58964c6e5478a768b5 (4 x CobaltStrike, 4 x Riskware.Generic, 1 x CoinMiner)
ssdeep	196608:vXu8tziVr7nlqquDUxB1cpEWQGhmeENwHEFoWLx:veQzahuDYK3tmerHm
Threatray	169 similar samples on MalwareBazaar
TLSH	C3E68D27F5E204FDC67FD17082979732BA31786942307BAB1B90DA752F12F906A2E714
Reporter	seifreed

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a file

Sending a custom TCP request

Modifying an executable file

Changing a file

Creating a file in the mass storage device

Changing critical settings of the Internet Explorer browser

Enabling threat expansion on mass storage devices by creating the autorun.inf autorun file

Infecting executable files

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2a2bb971f0f05345aa23dca99a77d15532693c5a0566a41b935d26a4112811c0/

Threat name:

Win64.Trojan.CoinMiner

Status:

Malicious

First seen:

2020-11-10 07:28:11 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Verdict:

unknown

474186239b198102d48b399c5f9336a63672c52af39ac35443e7c42078cbf778

6ee54c5576668d306e93e6c1e08c21a804eb0b52cd0fece6b8f2637f9738476b

a3edd6e0c0e4fb41b51afca909be6b628640530e31c4fff6f74a5779a1179ea9

a6716509395bbeb0b27d4f384927e7c5b3e75f9fa6e1def742340ab128c15a89

bebb125456266d90678d0bb26ec95a812a96edd68523d41b00a7d7c9ead8a821

c7fdc6e8e80f30dc2855d60f22e5a18ee5a42dcb66f482e2bbc0e0d916bf75f2

d263ca7460c0c002e23422c350e23bc02ced51761458bfed03f2941592d54436

dcfd02a40fd58287e3aabf98e3774100722b9822c04d9d0be269bffaf9482ff4

fcc5bef36e730a597a6d44bea725ddcd467dcab38bb662df529d1b0a00f815c2

+ 159 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike upx

Link:

https://tria.ge/reports/201110-blzhgc69fj/

Behaviour

Modifies Internet Explorer start page

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Program crash

Drops file in Program Files directory

Drops autorun.inf file

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

UPX packed file

Malware Config

C2 Extraction:

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample