MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fc2660796cdbcb5b96f0ec909f1b1e038b93ce0afdb7326e76bc486efec811a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fc2660796cdbcb5b96f0ec909f1b1e038b93ce0afdb7326e76bc486efec811a
SHA3-384 hash: 303f9b1ef6d37ac764d0afa8d7ce3c0ab986ae9ea187cc3a95d368d99f6e464b89170f1f1d70d114b7a531de8e9916f0
SHA1 hash: 28b7d7ba8e546702160080b2ac5279bd4ad6e3f3
MD5 hash: edbdc79ca19e5e076aff56a68b55fae8
humanhash: pennsylvania-red-london-green
File name:5fc2660796cdbcb5b96f0ec909f1b1e038b93ce0afdb7326e76bc486efec811a
Download: download sample
File size:11'220'247 bytes
First seen:2020-11-10 09:05:21 UTC
Last seen:2024-07-24 14:58:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f06dc709a5b17f58964c6e5478a768b5 (4 x CobaltStrike, 4 x Riskware.Generic, 1 x CoinMiner)
ssdeep 196608:JSUo8q3IA70wpnuD6vrI+/oB13Cm7BhLJi7gCsLiR:JpVqTfuDvHtBh0gCx
Threatray 168 similar samples on MalwareBazaar
TLSH ABB67D27F4E204F9CA7FD07086979772BA31746A43307BA71F90EA751E12F906A2E714
Reporter seifreed

Intelligence

File Origin
# of uploads :
2
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Pseudosigner-36
Create hunting rule

SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Win.Trojan.CobaltStrike-8091534-0
Create hunting rule

Win.Tool.CobaltStrike-6336852-0
Create hunting rule

Win.Malware.Tofsee-6896728-0
Create hunting rule

Win.Malware.Tofsee-7057860-0
Create hunting rule

Win.Coinminer.Generic-7158858-0
Create hunting rule

Multios.Coinminer.Miner-6781728-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a file
Changing a file
Modifying an executable file
Creating a file in the system32 directory
Launching the default Windows debugger (dwwin.exe)
Creating a window
Changing critical settings of the Internet Explorer browser
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Infecting executable files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5fc2660796cdbcb5b96f0ec909f1b1e038b93ce0afdb7326e76bc486efec811a/
Threat name:
Win64.Backdoor.Meterpreter
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 09:06:40 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
00a3e2570e8dc8c1ed1feb39921939046d3d1e054d8262e48692ac215c7497f7
0997dd01a7962e8949d6865d70d7fe6c9771055276123ef2615c721dbc804347
0c3155d4c87559a9fb87f0341c84a91b0ed6d17c1a3bbf5f1ffa2647cab8be53
39dd710b8b286e59558fc4d5b4108174cd3bb5dec3b59dcb1c26ade48be035a2
474186239b198102d48b399c5f9336a63672c52af39ac35443e7c42078cbf778
8187b1e047ab685c1c47ebf14c27ff25acd8f0d185e0b97f66e9da4541a58b5f
8228d0bcf1de93c74dfebfae7a4bcb40c7022cbd9dc7b952f95a149987eb726c
98479114ba34e54a2677c023118977d7f3e432bd4f587f4e4043eac0d4302d72
a0e77464bcaf8c4f00f9eef0accc1d0437937595dd442de8ff98858812226910
f76cbbad83d664efe35bb003a855850e13f4096ca4d75b470eb11745661d3722
+ 158 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike
Link:
https://tria.ge/reports/201110-jqh1856ct2/
Behaviour
Modifies Internet Explorer start page
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Program crash
Drops file in Program Files directory
Drops autorun.inf file
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Malware Config
C2 Extraction:
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
Unpacked files
SH256 hash:
5fc2660796cdbcb5b96f0ec909f1b1e038b93ce0afdb7326e76bc486efec811a
MD5 hash:
edbdc79ca19e5e076aff56a68b55fae8
SHA1 hash:
28b7d7ba8e546702160080b2ac5279bd4ad6e3f3
Link:
https://www.unpac.me/results/e2f720bd-8fa2-4139-8139-a147369b65ca/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments