MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85a588bc7e92b4e3a32b439477d47a54da61a22f9bb333e4257966ae291d383a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	85a588bc7e92b4e3a32b439477d47a54da61a22f9bb333e4257966ae291d383a
SHA3-384 hash:	75a8e77282bfe529dc3eb0bc28d1ac40d83e0939c74c5fbf3ec630690179f803c7d2540922961ce758b5b500a3ca50c6
SHA1 hash:	6d42a93cd8106a55ad3d4c16cfbd37c4ea01ab13
MD5 hash:	606448dcd58e3be531616b03bc788da6
humanhash:	pip-spring-sixteen-ohio
File name:	85a588bc7e92b4e3a32b439477d47a54da61a22f9bb333e4257966ae291d383a
Download:	download sample
File size:	11'286'807 bytes
First seen:	2020-11-10 06:39:09 UTC
Last seen:	2024-07-24 18:21:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f06dc709a5b17f58964c6e5478a768b5 (4 x CobaltStrike, 4 x Riskware.Generic, 1 x CoinMiner)
ssdeep	196608:vTLFsH7Rqaa8TxduDo1vkXe5f8d4n0xPwHEFoW1A:vXSH1HDuDHulxn0iHN
Threatray	168 similar samples on MalwareBazaar
TLSH	3AB67D27F5E204FDC67FD17082979732BA31786942307BAB1B90DA752F12F906A2E714
Reporter	seifreed

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Pseudosigner-36

SecuriteInfo.com.Generic-EXE.UNOFFICIAL

Win.Trojan.CobaltStrike-8091534-0

Win.Tool.CobaltStrike-6336852-0

Win.Malware.Tofsee-6896728-0

Win.Malware.Tofsee-7057860-0

Win.Coinminer.Generic-7158858-0

Multios.Coinminer.Miner-6781728-2

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a file in the system32 directory

Creating a file

Sending a custom TCP request

Creating a file in the system32 subdirectories

Modifying an executable file

Changing a file

Launching the default Windows debugger (dwwin.exe)

Creating a window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Infecting executable files

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/85a588bc7e92b4e3a32b439477d47a54da61a22f9bb333e4257966ae291d383a/

Threat name:

Win64.Trojan.CoinMiner

Status:

Malicious

First seen:

2020-11-10 06:41:13 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Verdict:

unknown

0c3155d4c87559a9fb87f0341c84a91b0ed6d17c1a3bbf5f1ffa2647cab8be53

2ec0880418b3a5697ac69cecb0f194d2a6a2e5785f1dded079c5e12056d45c31

3a9c4cf06a98848d800eaf6c4cd4a30e50b4123079c3ba71dd69cfb9554b3ad8

8228d0bcf1de93c74dfebfae7a4bcb40c7022cbd9dc7b952f95a149987eb726c

9c1c3f79f2695b16bead4cd1a59ab513e01afa4e85ce69401698192f50caffeb

b9b5cce5bd4102fcd4fba76b5451eb649435f48e6a246ce8b91dc318a2e68c6d

c7fdc6e8e80f30dc2855d60f22e5a18ee5a42dcb66f482e2bbc0e0d916bf75f2

db7d5e8ea7cf618b776d4321f36f80bd652f95124b603c606c2c663db9c8fcd8

e36f3a7871e2b5056d56a65c212819d56fa723c8cc96e0c83e8270a205c3321f

+ 158 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/201110-elpq5hhgfn/

Behaviour

Modifies Internet Explorer start page

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Program crash

Drops file in Program Files directory

Drops autorun.inf file

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Malware Config

C2 Extraction:

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample