MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c476ad6ceac119f980d2432249d719128629bf33905c46bc5b34def76e84291b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c476ad6ceac119f980d2432249d719128629bf33905c46bc5b34def76e84291b
SHA3-384 hash: eec65e0fc180da650d6eeed49fc0f1110afb6445b879b9e6f0db7163769d58b2d74307c24bfd7b9e1262bf04ac5072fa
SHA1 hash: 4a2a9f670e8d50807a31d4a69b0b5cd910a93036
MD5 hash: fa57ff7ac303bf24bf8c34f19c225036
humanhash: red-oranges-beryllium-north
File name:c476ad6ceac119f980d2432249d719128629bf33905c46bc5b34def76e84291b
Download: download sample
File size:15'102'773 bytes
First seen:2020-11-10 08:44:37 UTC
Last seen:2024-07-24 21:15:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f06dc709a5b17f58964c6e5478a768b5 (4 x CobaltStrike, 4 x Riskware.Generic, 1 x CoinMiner)
ssdeep 196608:/aLp1RPyrMtb5iuDDyZwqdsU20YzSqmBDkfsLwn:/q3RdiuDhhhSq6kft
Threatray 168 similar samples on MalwareBazaar
TLSH 9AE68D27F4E204F9CA7FD07086979772BA31746943307BA71F90EA752E12F906A2E714
Reporter seifreed

Intelligence

File Origin
# of uploads :
2
# of downloads :
56
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Pseudosigner-36
Create hunting rule

SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.PrivateExeProte-16
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

Win.Trojan.CobaltStrike-8091534-0
Create hunting rule

Win.Tool.CobaltStrike-6336852-0
Create hunting rule

Win.Malware.Tofsee-6896728-0
Create hunting rule

Win.Malware.Tofsee-7057860-0
Create hunting rule

Win.Coinminer.Generic-7158858-0
Create hunting rule

Multios.Coinminer.Miner-6781728-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file in the system32 directory
Changing a file
Sending a custom TCP request
Modifying an executable file
Creating a window
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Changing critical settings of the Internet Explorer browser
Infecting executable files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c476ad6ceac119f980d2432249d719128629bf33905c46bc5b34def76e84291b/
Threat name:
Win64.Trojan.CoinMiner
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 08:47:06 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
06f23466e4038c0b30a1db7168ccfd0c1b5eab69337352d3389403f52ddc6e65
0997dd01a7962e8949d6865d70d7fe6c9771055276123ef2615c721dbc804347
3e528ae82c1f0a1e531ebefb50870eaf369d3a03064c41bf0020e1f84f08007b
40060eb0d5e769d9a65987c9c1bace3525e0fe6b6ca0f1b5693b2ba4871d032b
6ee54c5576668d306e93e6c1e08c21a804eb0b52cd0fece6b8f2637f9738476b
8404922269db9017b6d8834f7043cfc75df0b321b3cd3e5e385a9a811a59819c
a3edd6e0c0e4fb41b51afca909be6b628640530e31c4fff6f74a5779a1179ea9
c7fdc6e8e80f30dc2855d60f22e5a18ee5a42dcb66f482e2bbc0e0d916bf75f2
dcfd02a40fd58287e3aabf98e3774100722b9822c04d9d0be269bffaf9482ff4
fcc5bef36e730a597a6d44bea725ddcd467dcab38bb662df529d1b0a00f815c2
+ 158 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike upx
Link:
https://tria.ge/reports/201110-t4nqkweszx/
Behaviour
Modifies Internet Explorer start page
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Program crash
Drops file in Program Files directory
Drops autorun.inf file
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
UPX packed file
Malware Config
C2 Extraction:
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments