MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf0e10dcf0bf39e4a116ae6b86c56446e162c9737a103065b95040f3da957a09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	cf0e10dcf0bf39e4a116ae6b86c56446e162c9737a103065b95040f3da957a09
SHA3-384 hash:	42cdae8ea0f31936c6a49cddbad6faa16b30bc7ce0da1a834c7a31409e294b4c772394e7bf4aa4812e12a23baeb63905
SHA1 hash:	e5faf3755cbc71051543c5580b2259dc21e14704
MD5 hash:	fab72936b905a06716be2becfbcf3266
humanhash:	november-beer-apart-iowa
File name:	cf0e10dcf0bf39e4a116ae6b86c56446e162c9737a103065b95040f3da957a09
Download:	download sample
File size:	5'463'445 bytes
First seen:	2020-11-10 07:52:30 UTC
Last seen:	2024-07-24 21:34:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	227fe66ff6f22dec0266a5718d365ece (39 x CoinMiner, 1 x CobaltStrike, 1 x Berbew)
ssdeep	49152:ROdWCCi7/rap56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lT:RWWBib656utgpPFotBER/mQ32lU3
Threatray	263 similar samples on MalwareBazaar
TLSH	F1465C41ED9B45F2EB8712308CB31E5F6333B2190335EAC3DA654A6FE5276E46B36241
Reporter	seifreed

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.CobaltStrike-8091534-0

Win.Tool.CobaltStrike-6336852-0

Win.Trojan.Razy-7331645-0

Win.Trojan.Razy-7332867-0

Win.Trojan.Razy-7364523-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the Windows subdirectories

Creating a process from a recently created file

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cf0e10dcf0bf39e4a116ae6b86c56446e162c9737a103065b95040f3da957a09/

Threat name:

Win64.Trojan.CoinMiner

Status:

Malicious

First seen:

2020-11-10 07:55:24 UTC

AV detection:

36 of 48 (75.00%)

Threat level:

5/5

Verdict:

suspicious

1b8bffdd083669bb12c6e459e8fb5c875e44fca7e6a5a7b31fa15236b16d9a23

1d6181663237ede309548b15f49d773ff3274b974fa1285ab8b7d19b0f8be7ad

2e53cbd3f68e80c70a977d5013f99cb2d0152bdeacbc160bd6ddeb6e5f1d79bd

5c346f9336dd9981eb26d6e4aa8a702edadbaf677fad6d6d220970de4f2bcbfc

74004b90602918427c47d5130cbe215387a94dccf36af203bb173ca49f24a641

7678ec0b4aa2395a3fd72e05c02b1c0def409ffd28dc39823f17f419bfc9602e

9b3084dc2f60c23d77c8c976a1b876f8bfebd28be665a0da049bd5af4f7a1168

ac5e7850f89e0ad6535f76b95b990be09acddf739e977e7bfa91b45d6a2436d5

e1be27c730a0ede0d14b3db060e32624de0d823debd3c873e8418ee849760236

+ 253 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike backdoor trojan upx

Link:

https://tria.ge/reports/201110-1h9p9lld4j/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Windows directory

JavaScript code in executable

Loads dropped DLL

Executes dropped EXE

UPX packed file

Cobalt Strike reflective loader

Cobaltstrike

Malware Config

C2 Extraction:

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample