MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74004b90602918427c47d5130cbe215387a94dccf36af203bb173ca49f24a641. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	74004b90602918427c47d5130cbe215387a94dccf36af203bb173ca49f24a641
SHA3-384 hash:	2d01a338fad0d9bfbf471c9575303948ef3054277ce8e51880fc7d49b225902e3ef7b2aa5a2d7832264659a6edce551d
SHA1 hash:	5fa6a4a58129fdc2582a82081758d5de09d72d01
MD5 hash:	e00465c6dbedd53346de993325e0e4c3
humanhash:	romeo-eleven-sink-item
File name:	74004b90602918427c47d5130cbe215387a94dccf36af203bb173ca49f24a641
Download:	download sample
File size:	5'463'698 bytes
First seen:	2020-11-10 07:22:05 UTC
Last seen:	2024-07-24 16:08:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	227fe66ff6f22dec0266a5718d365ece (39 x CoinMiner, 1 x CobaltStrike, 1 x Berbew)
ssdeep	49152:ROdWCCi7/ral56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lu:RWWBibe56utgpPFotBER/mQ32lUa
Threatray	260 similar samples on MalwareBazaar
TLSH	39465C41ED9B45F2EB8712308CB31E5F6333B2190335EAC3DA654A6FE5276E46B36241
Reporter	seifreed

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.CobaltStrike-8091534-0

Win.Tool.CobaltStrike-6336852-0

Win.Trojan.Razy-7331645-0

Win.Trojan.Razy-7332867-0

Win.Trojan.Razy-7364523-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the Windows subdirectories

Creating a process from a recently created file

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/74004b90602918427c47d5130cbe215387a94dccf36af203bb173ca49f24a641/

Threat name:

Win64.Trojan.CoinMiner

Status:

Malicious

First seen:

2020-11-10 07:27:49 UTC

AV detection:

36 of 48 (75.00%)

Threat level:

5/5

Verdict:

suspicious

1b8bffdd083669bb12c6e459e8fb5c875e44fca7e6a5a7b31fa15236b16d9a23

1d6181663237ede309548b15f49d773ff3274b974fa1285ab8b7d19b0f8be7ad

2e53cbd3f68e80c70a977d5013f99cb2d0152bdeacbc160bd6ddeb6e5f1d79bd

5c346f9336dd9981eb26d6e4aa8a702edadbaf677fad6d6d220970de4f2bcbfc

7678ec0b4aa2395a3fd72e05c02b1c0def409ffd28dc39823f17f419bfc9602e

9b3084dc2f60c23d77c8c976a1b876f8bfebd28be665a0da049bd5af4f7a1168

ac5e7850f89e0ad6535f76b95b990be09acddf739e977e7bfa91b45d6a2436d5

cf0e10dcf0bf39e4a116ae6b86c56446e162c9737a103065b95040f3da957a09

e1be27c730a0ede0d14b3db060e32624de0d823debd3c873e8418ee849760236

+ 250 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike backdoor trojan upx

Link:

https://tria.ge/reports/201110-7x49d9sm8n/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Drops file in Windows directory

JavaScript code in executable

Loads dropped DLL

Executes dropped EXE

UPX packed file

Cobalt Strike reflective loader

Cobaltstrike

Malware Config

C2 Extraction:

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample