MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9533cd209fef9cfb6f69e4755c3cc0ceb63b32f2a70f7a71feecd4fde93d8ac6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9533cd209fef9cfb6f69e4755c3cc0ceb63b32f2a70f7a71feecd4fde93d8ac6
SHA3-384 hash: 060c427ef3c92ffd472636c7df2d8bb850e3429c4d811167ec01511977946258f13be86572f89962df47cb51283dff04
SHA1 hash: bb28fc7193106498f86f1304315864b03564a84c
MD5 hash: dd38f8dc369d9d794a16c70e97e51e37
humanhash: helium-wolfram-video-oklahoma
File name:9533cd209fef9cfb6f69e4755c3cc0ceb63b32f2a70f7a71feecd4fde93d8ac6
Download: download sample
File size:11'067'598 bytes
First seen:2020-11-10 08:44:51 UTC
Last seen:2024-07-24 19:14:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f06dc709a5b17f58964c6e5478a768b5 (4 x CobaltStrike, 4 x Riskware.Generic, 1 x CoinMiner)
ssdeep 196608:miXxriFZCVnzruEuDa2hljj1CU1Hnz9Tp66Xz:m+Ni8zZuDX46nzH64
Threatray 169 similar samples on MalwareBazaar
TLSH 5EB67D27F5A304FDC67FD17082979332BA3178A942307BAB1B94D6752F12F906A2E714
Reporter seifreed

Intelligence

File Origin
# of uploads :
2
# of downloads :
64
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Pseudosigner-36
Create hunting rule

SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Win.Trojan.CobaltStrike-8091534-0
Create hunting rule

Win.Tool.CobaltStrike-6336852-0
Create hunting rule

Win.Malware.Tofsee-6896728-0
Create hunting rule

Win.Malware.Tofsee-7057860-0
Create hunting rule

Win.Coinminer.Generic-7158858-0
Create hunting rule

Multios.Coinminer.Miner-6781728-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file in the system32 directory
Sending a custom TCP request
Creating a file
Connection attempt
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Enabling threat expansion on mass storage devices by creating the autorun.inf autorun file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9533cd209fef9cfb6f69e4755c3cc0ceb63b32f2a70f7a71feecd4fde93d8ac6/
Threat name:
Win64.Trojan.CoinMiner
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 08:47:09 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
122ec58305457383ce015846fe9598d3ff42c7eae8de6d936d5751b31e75b18f
14e4b0ffba8ddb85ba6675ab2436b56f3f1a0747e74192dca3055f960d746821
207baef67d279f7a610295723d1f619d1696feead9b9bc7991ac7798cd4db685
2abd579c1a1fd0474b42cb95fb354633bb01eedf4838582d7962a996f6fcc0f7
59a183ac03488ada3515b20bbf3cc3f018a84e77837ace9c3588903a785e0353
85a588bc7e92b4e3a32b439477d47a54da61a22f9bb333e4257966ae291d383a
9c3b39f9ea962517cb7c94e8ee96501ef0db2a1c60029061dd2af0102b5de1cc
a3edd6e0c0e4fb41b51afca909be6b628640530e31c4fff6f74a5779a1179ea9
bebb125456266d90678d0bb26ec95a812a96edd68523d41b00a7d7c9ead8a821
d263ca7460c0c002e23422c350e23bc02ced51761458bfed03f2941592d54436
+ 159 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike
Link:
https://tria.ge/reports/201110-a5pj81yyds/
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer start page
Drops file in Program Files directory
Drops autorun.inf file
Legitimate hosting services abused for malware hosting/C2
Malware Config
C2 Extraction:
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments