MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3137c02412d367b5dbffb3a72c0b2ccc0fe6c1a89dd630f18e4bec5349514cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	d3137c02412d367b5dbffb3a72c0b2ccc0fe6c1a89dd630f18e4bec5349514cf
SHA3-384 hash:	260f3efa95fd9c0997d4e4a03e1838114db9ac94a184b46c7ea289c216ba79ba014a0f531706fab57b35e8e7b371501d
SHA1 hash:	ebea870b70ad9377cbc3b8671552803f00ccaa9c
MD5 hash:	715acb85d4b00010f63e2c06d42c2a57
humanhash:	november-violet-kentucky-yellow
File name:	d3137c02412d367b5dbffb3a72c0b2ccc0fe6c1a89dd630f18e4bec5349514cf
Download:	download sample
File size:	5'463'445 bytes
First seen:	2020-11-10 08:43:42 UTC
Last seen:	2024-07-24 21:44:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	227fe66ff6f22dec0266a5718d365ece (39 x CoinMiner, 1 x CobaltStrike, 1 x Berbew)
ssdeep	49152:ROdWCCi7/ral56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ly:RWWBibm56utgpPFotBER/mQ32lUe
Threatray	259 similar samples on MalwareBazaar
TLSH	A8465C41ED9B45F2EB8712308CB31E5F6333B2190335EAC3DA654A6FE5276E46B36241
Reporter	seifreed

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.CobaltStrike-8091534-0

Win.Tool.CobaltStrike-6336852-0

Win.Trojan.Razy-7331645-0

Win.Trojan.Razy-7332867-0

Win.Trojan.Razy-7364523-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the Windows subdirectories

Creating a process from a recently created file

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d3137c02412d367b5dbffb3a72c0b2ccc0fe6c1a89dd630f18e4bec5349514cf/

Threat name:

Win64.Trojan.CoinMiner

Status:

Malicious

First seen:

2020-11-10 08:46:40 UTC

AV detection:

38 of 48 (79.17%)

Threat level:

5/5

Verdict:

suspicious

1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92

3f1e339e2e45d0b97927276a435d04d13a5b0588099dcb601ff15765f53de928

4ddc1eaa51866cbdf3e467f65be8366f8c05960e0d76674b65e761f7d95484fa

6d4e6584f39efa25689cc4238eafafec1a6864d1af82dff2ab75d7342c79925f

8647060b18549a49cb609bdbb5bd8558555615a0544a0c73e54d8b576323ac39

8eb80880a0d26e905223a4c9c42f8e7564c35708571ed61d8e9fd4616b1fed56

9d3f7ea3c85a1685b79829ae1ea387fb8cbc996b406dde4d922143d603298428

be5b5c879a8e70403f12c22660361e1962bc356b7e683c7d6d2504927bbcc565

c46cff69cc9ef05a705a38ebfe88bb02408610ee374171cb8585372d55466410

+ 249 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike backdoor trojan upx

Link:

https://tria.ge/reports/201110-wafee4xe3x/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Drops file in Windows directory

JavaScript code in executable

Loads dropped DLL

Executes dropped EXE

UPX packed file

Cobalt Strike reflective loader

Cobaltstrike

Malware Config

C2 Extraction:

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample