MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9b5cce5bd4102fcd4fba76b5451eb649435f48e6a246ce8b91dc318a2e68c6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	b9b5cce5bd4102fcd4fba76b5451eb649435f48e6a246ce8b91dc318a2e68c6d
SHA3-384 hash:	ff80c92429995bc3448d2f29c40df8d2d34f3d60cda477c8c0586e69ef90bc832ac4af9a9fe0265ce635b077248589e5
SHA1 hash:	d2147cbb518b1f7dc22b4a9e9f8b53ea22c1b66a
MD5 hash:	b44098f7e546a1570bb2a01226fa44ab
humanhash:	coffee-jersey-bakerloo-ten
File name:	b9b5cce5bd4102fcd4fba76b5451eb649435f48e6a246ce8b91dc318a2e68c6d
Download:	download sample
File size:	11'224'343 bytes
First seen:	2020-11-10 06:56:52 UTC
Last seen:	2024-07-24 20:47:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f06dc709a5b17f58964c6e5478a768b5 (4 x CobaltStrike, 4 x Riskware.Generic, 1 x CoinMiner)
ssdeep	196608:tNZrFn2Hjku0KTuD+qubc7co8lINTAuwHEFoWYI:trRnr+uDKQ5BNTIHK
Threatray	169 similar samples on MalwareBazaar
TLSH	81B67D27F5E204FDC67FD17082979732BA31786942307BAB1B90DA752F12F906A2E714
Reporter	seifreed

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Pseudosigner-36

SecuriteInfo.com.Generic-EXE.UNOFFICIAL

Win.Trojan.CobaltStrike-8091534-0

Win.Tool.CobaltStrike-6336852-0

Win.Malware.Tofsee-6896728-0

Win.Malware.Tofsee-7057860-0

Win.Coinminer.Generic-7158858-0

Multios.Coinminer.Miner-6781728-2

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Creating a file

Sending a custom TCP request

Creating a file in the system32 subdirectories

Modifying an executable file

Changing a file

Changing critical settings of the Internet Explorer browser

Sending a TCP request to an infection source

Infecting executable files

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b9b5cce5bd4102fcd4fba76b5451eb649435f48e6a246ce8b91dc318a2e68c6d/

Threat name:

Win64.Trojan.CoinMiner

Status:

Malicious

First seen:

2020-11-10 06:59:29 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Verdict:

unknown

0c3155d4c87559a9fb87f0341c84a91b0ed6d17c1a3bbf5f1ffa2647cab8be53

474186239b198102d48b399c5f9336a63672c52af39ac35443e7c42078cbf778

66b8846f0ccc67ba20161ee2e9203aad1bf3d2e49c53a7faab5f0c21df037956

85a588bc7e92b4e3a32b439477d47a54da61a22f9bb333e4257966ae291d383a

90306e0e077ee4cddd2df457644fa24d5d81ec9fedbfa379bef88061ade4b25c

98d147700b0922b044195c52d79c719e3754704b61d01cf33f347d3c55e14f82

a0e77464bcaf8c4f00f9eef0accc1d0437937595dd442de8ff98858812226910

bebb125456266d90678d0bb26ec95a812a96edd68523d41b00a7d7c9ead8a821

d263ca7460c0c002e23422c350e23bc02ced51761458bfed03f2941592d54436

+ 159 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence

Link:

https://tria.ge/reports/201110-gpn5dw4dte/

Behaviour

Modifies Internet Explorer start page

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Program crash

Drops file in Program Files directory

Drops autorun.inf file

Drops file in System32 directory

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Malware Config

C2 Extraction:

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample