MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9efb439f8cfd33e2c97e5014abe4d1c9630c2144afb22de988b548c4035a4e46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9efb439f8cfd33e2c97e5014abe4d1c9630c2144afb22de988b548c4035a4e46
SHA3-384 hash: 2910245565029065031f84f6231549d33cee39de22c8e2a5bd020e3cff5c6f7ad72b78e1bf7345df45646ce189293b7f
SHA1 hash: 111477022e497dd051916cb778268ac3cd4b9c8e
MD5 hash: c65f9c598ce2b8e7a5438fd97942f965
humanhash: bluebird-one-stairway-timing
File name:9efb439f8cfd33e2c97e5014abe4d1c9630c2144afb22de988b548c4035a4e46
Download: download sample
File size:6'218'597 bytes
First seen:2020-11-10 07:55:57 UTC
Last seen:2024-07-24 19:41:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 71f37f91c14c4729e462a32b6b2ae9d4 (27 x CoinMiner, 12 x CobaltStrike)
ssdeep 98304:1n47+XbdfE0pZH556utgpPFotBER/mQ32lU8:ltj56utgpPF8u/78
Threatray 180 similar samples on MalwareBazaar
TLSH 34565C41EDAB01F2EB8712308CB74E5F633372190335E6C3DA650A6FE9276E46A36751
Reporter seifreed

Intelligence

File Origin
# of uploads :
2
# of downloads :
51
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.PrivateExeProte-16
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

Win.Trojan.CobaltStrike-8091534-0
Create hunting rule

Win.Tool.CobaltStrike-6336852-0
Create hunting rule

Win.Coinminer.Generic-7151250-0
Create hunting rule

Win.Coinminer.Generic-7151253-0
Create hunting rule

Win.Coinminer.Generic-7151447-0
Create hunting rule

Win.Coinminer.Generic-7151488-0
Create hunting rule

Win.Coinminer.Generic-7155777-0
Create hunting rule

Win.Coinminer.Generic-7158858-0
Create hunting rule

Win.Trojan.Razy-7331645-0
Create hunting rule

Win.Trojan.Razy-7332867-0
Create hunting rule

Multios.Coinminer.Miner-6781728-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CobaltStrike Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.mine
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/527898
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Found strings related to Crypto-Mining
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Yara detected CobaltStrike
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9efb439f8cfd33e2c97e5014abe4d1c9630c2144afb22de988b548c4035a4e46/
Threat name:
Win64.Trojan.CoinMiner
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 07:58:56 UTC
AV detection:
40 of 48 (83.33%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1fe5a9d860602bdc2ec975126ca6c46b42fded7c9e11191c0e9e1e5302dc66ae
2d1944507ece8757b364b80692ab3130927f7451075bbc8277ebb9ac2052e176
36b524d91eb5c4313af3e09d8b53e4d4d2590bc037bcbc90b481b3eccecc239f
873cfab70ca782bb2ce65fecd9eaad7aa2d49ad9e48ac1afb33bdcfb44aa3a3a
8f40564dcfe4ebf65df0e782346375c9f980338b746581747c7fc307a39da15e
a706fe832df8b57b3f94f6cc1b9f20d792e94f81b58e68224459b7a5afffc0e4
a861087f4fbdbcaad53dc3eabafb1d82bfc2cf46e27730fbbef38c2747d809a1
c0c9c13bf11b722014ef09fc4b6f7d045b9f7ba7ed3b057b0a5ce086a3d00d6c
d566aae38bc2455458a9745b23e5708f34837d58f875617f5e42f5790e90417c
e3fcbfe9b714c41381c506593b1afa767b300d7831f0f3776f82e7a8513222b2
+ 170 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike backdoor trojan upx
Link:
https://tria.ge/reports/201110-m1b277y4a2/
Behaviour
Suspicious use of WriteProcessMemory
Drops file in Windows directory
JavaScript code in executable
Loads dropped DLL
Executes dropped EXE
UPX packed file
Cobalt Strike reflective loader
Cobaltstrike
Malware Config
C2 Extraction:
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments