MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ee54c5576668d306e93e6c1e08c21a804eb0b52cd0fece6b8f2637f9738476b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ee54c5576668d306e93e6c1e08c21a804eb0b52cd0fece6b8f2637f9738476b
SHA3-384 hash: 94b03b048d1489d27b18ed79792c8b59209eb4eb56a350f864cebd8ecda118937fbf1204bda43839fde583f21d710e60
SHA1 hash: 1509c8eee47d5c18db16cf905391eb313237f649
MD5 hash: e2489b471fa6c083c1139cc4e5621581
humanhash: enemy-enemy-low-stream
File name:6ee54c5576668d306e93e6c1e08c21a804eb0b52cd0fece6b8f2637f9738476b
Download: download sample
File size:11'335'959 bytes
First seen:2020-11-10 08:45:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f06dc709a5b17f58964c6e5478a768b5 (4 x CobaltStrike, 4 x Riskware.Generic, 1 x CoinMiner)
ssdeep 196608:Pos41OFN7/TxG8uDCCWozArb+dpn7j8wHEFoW7M:Pb4OjLuDVc3in7bHf
Threatray 169 similar samples on MalwareBazaar
TLSH 48B67D27F5E204FDC67FD17082979732BA31786942307BAB1B90DA752F12F906A2E714
Reporter seifreed

Intelligence

File Origin
# of uploads :
1
# of downloads :
55
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Pseudosigner-36
Create hunting rule

SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Win.Trojan.CobaltStrike-8091534-0
Create hunting rule

Win.Tool.CobaltStrike-6336852-0
Create hunting rule

Win.Malware.Tofsee-6896728-0
Create hunting rule

Win.Malware.Tofsee-7057860-0
Create hunting rule

Win.Coinminer.Generic-7158858-0
Create hunting rule

Multios.Coinminer.Miner-6781728-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file
Sending a custom TCP request
Modifying an executable file
Changing a file
Sending a TCP request to an infection source
Creating a file in the mass storage device
Infecting executable files
Enabling threat expansion on mass storage devices by creating the autorun.inf autorun file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ee54c5576668d306e93e6c1e08c21a804eb0b52cd0fece6b8f2637f9738476b/
Threat name:
Win64.Trojan.CoinMiner
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 08:47:15 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0c3155d4c87559a9fb87f0341c84a91b0ed6d17c1a3bbf5f1ffa2647cab8be53
122ec58305457383ce015846fe9598d3ff42c7eae8de6d936d5751b31e75b18f
40060eb0d5e769d9a65987c9c1bace3525e0fe6b6ca0f1b5693b2ba4871d032b
474186239b198102d48b399c5f9336a63672c52af39ac35443e7c42078cbf778
4a8189e1228669e993e25ca158c6fd9d8c1cfa53e10aa9392812e938fd2fd467
90306e0e077ee4cddd2df457644fa24d5d81ec9fedbfa379bef88061ade4b25c
9c1c3f79f2695b16bead4cd1a59ab513e01afa4e85ce69401698192f50caffeb
bebb125456266d90678d0bb26ec95a812a96edd68523d41b00a7d7c9ead8a821
c7fdc6e8e80f30dc2855d60f22e5a18ee5a42dcb66f482e2bbc0e0d916bf75f2
eeefbf3fc5eaa2e8a586e76409ca853df354aaee653f6496bafc0f07629ce54d
+ 159 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike persistence
Link:
https://tria.ge/reports/201110-zdbscgngle/
Behaviour
Modifies Internet Explorer start page
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Program crash
Drops file in Program Files directory
Drops autorun.inf file
Drops file in System32 directory
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Malware Config
C2 Extraction:
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments