MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2abd579c1a1fd0474b42cb95fb354633bb01eedf4838582d7962a996f6fcc0f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	2abd579c1a1fd0474b42cb95fb354633bb01eedf4838582d7962a996f6fcc0f7
SHA3-384 hash:	ee39136fe152dd4dba692c459757020d7fb6dd3fdcbddf85da4dee732275c7994239fe6baf4cfefbd7be4e23d2aac5e4
SHA1 hash:	9b5387ab37d1303578e3d95ffeba18962c1f99be
MD5 hash:	d4fa23f396b6f737e16c356eebfeec2b
humanhash:	solar-vermont-missouri-bluebird
File name:	2abd579c1a1fd0474b42cb95fb354633bb01eedf4838582d7962a996f6fcc0f7
Download:	download sample
File size:	11'304'215 bytes
First seen:	2020-11-10 07:23:57 UTC
Last seen:	2024-07-24 12:33:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f06dc709a5b17f58964c6e5478a768b5 (4 x CobaltStrike, 4 x Riskware.Generic, 1 x CoinMiner)
ssdeep	196608:w3OSVIcy72D64quDgfk7TfgyzpdKYT0tPi7gCsLZj:wemIuSuDx35T0YgC2
Threatray	168 similar samples on MalwareBazaar
TLSH	DDB67D27F4E204F9CA7FD07086979772BA31786943307BA71F90EA751E12F906A2E714
Reporter	seifreed

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Pseudosigner-36

SecuriteInfo.com.Generic-EXE.UNOFFICIAL

Win.Trojan.CobaltStrike-8091534-0

Win.Tool.CobaltStrike-6336852-0

Win.Malware.Tofsee-6896728-0

Win.Malware.Tofsee-7057860-0

Win.Coinminer.Generic-7158858-0

Multios.Coinminer.Miner-6781728-2

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Changing a file

Modifying an executable file

Connection attempt

Creating a window

Launching the default Windows debugger (dwwin.exe)

Infecting executable files

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2abd579c1a1fd0474b42cb95fb354633bb01eedf4838582d7962a996f6fcc0f7/

Threat name:

Win64.Trojan.CoinMiner

Status:

Malicious

First seen:

2020-11-10 07:28:34 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Verdict:

unknown

122ec58305457383ce015846fe9598d3ff42c7eae8de6d936d5751b31e75b18f

2ec0880418b3a5697ac69cecb0f194d2a6a2e5785f1dded079c5e12056d45c31

39dd710b8b286e59558fc4d5b4108174cd3bb5dec3b59dcb1c26ade48be035a2

474186239b198102d48b399c5f9336a63672c52af39ac35443e7c42078cbf778

59a183ac03488ada3515b20bbf3cc3f018a84e77837ace9c3588903a785e0353

85a588bc7e92b4e3a32b439477d47a54da61a22f9bb333e4257966ae291d383a

98d147700b0922b044195c52d79c719e3754704b61d01cf33f347d3c55e14f82

bebb125456266d90678d0bb26ec95a812a96edd68523d41b00a7d7c9ead8a821

d39fddfb18e3b21f9fe716810e8110423b7223d6e697f309e144d9c80e045e98

+ 158 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike

Link:

https://tria.ge/reports/201110-wj89wdb6d6/

Behaviour

Modifies Internet Explorer start page

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Program crash

Drops file in Program Files directory

Drops autorun.inf file

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Malware Config

C2 Extraction:

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample