MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5168ea739c73173a9013bd4cf17ee56836a4c5025787ecbdee96feb8cce82b1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	5168ea739c73173a9013bd4cf17ee56836a4c5025787ecbdee96feb8cce82b1d
SHA3-384 hash:	54d5cdbf15bea5768003dfc698bca46b8fc6e2e35eeb29839a45a8c33132971a6e59ef68c69bfc6b9d75311a30e61fff
SHA1 hash:	bb831b8fb95ba33ed0a738cf2ff3b94e89172658
MD5 hash:	c0b2304f1cebf06532f78902e6d84e9e
humanhash:	illinois-kentucky-steak-connecticut
File name:	5168ea739c73173a9013bd4cf17ee56836a4c5025787ecbdee96feb8cce82b1d
Download:	download sample
File size:	11'368'727 bytes
First seen:	2020-11-10 06:39:50 UTC
Last seen:	2024-07-24 14:14:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f06dc709a5b17f58964c6e5478a768b5 (4 x CobaltStrike, 4 x Riskware.Generic, 1 x CoinMiner)
ssdeep	196608:vjJhTnrwx7Y/CzuDjtrPTdduuUtS5PLwHEFoWAe:vdBnC5uDRZg5S5kHA
Threatray	169 similar samples on MalwareBazaar
TLSH	50B67D27F5E204FDC67FD17082979732BA31786942307BAB1B90DA752F12F906A2E714
Reporter	seifreed

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Pseudosigner-36

SecuriteInfo.com.Generic-EXE.UNOFFICIAL

Win.Trojan.CobaltStrike-8091534-0

Win.Tool.CobaltStrike-6336852-0

Win.Malware.Tofsee-6896728-0

Win.Malware.Tofsee-7057860-0

Win.Coinminer.Generic-7158858-0

Multios.Coinminer.Miner-6781728-2

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a file

Sending a custom TCP request

Creating a file in the system32 subdirectories

Modifying an executable file

Changing a file

Connection attempt

Changing critical settings of the Internet Explorer browser

Creating a file in the mass storage device

Enabling threat expansion on mass storage devices by creating the autorun.inf autorun file

Infecting executable files

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5168ea739c73173a9013bd4cf17ee56836a4c5025787ecbdee96feb8cce82b1d/

Threat name:

Win64.Trojan.CoinMiner

Status:

Malicious

First seen:

2020-11-10 06:41:40 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Verdict:

unknown

28077a71b3aff9c96a58949ab21b2c9494ff76bbe29ea5df497fa9e2fc26b5a0

3e528ae82c1f0a1e531ebefb50870eaf369d3a03064c41bf0020e1f84f08007b

40060eb0d5e769d9a65987c9c1bace3525e0fe6b6ca0f1b5693b2ba4871d032b

85a588bc7e92b4e3a32b439477d47a54da61a22f9bb333e4257966ae291d383a

9c1c3f79f2695b16bead4cd1a59ab513e01afa4e85ce69401698192f50caffeb

a6716509395bbeb0b27d4f384927e7c5b3e75f9fa6e1def742340ab128c15a89

bde1275ab6b4bbc22a323c9735cb678e039f3b3504613ab27225664dd91c5632

db7d5e8ea7cf618b776d4321f36f80bd652f95124b603c606c2c663db9c8fcd8

eeefbf3fc5eaa2e8a586e76409ca853df354aaee653f6496bafc0f07629ce54d

+ 159 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/201110-9bzx2f5q7s/

Behaviour

Modifies Internet Explorer start page

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Program crash

Drops file in Program Files directory

Drops autorun.inf file

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Malware Config

C2 Extraction:

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample