MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d39fddfb18e3b21f9fe716810e8110423b7223d6e697f309e144d9c80e045e98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d39fddfb18e3b21f9fe716810e8110423b7223d6e697f309e144d9c80e045e98
SHA3-384 hash: 5c73717ccbb75946403b68a7835803b8360fb6de220bf6b5ec80dcf999c15a7000548659aef37499f94916d26aed9e82
SHA1 hash: 65c12357690928dcb2f7bfabdba1aaa34fd98c65
MD5 hash: d68dd74f835e3a830a6ba1d32046d7ab
humanhash: eighteen-delta-earth-leopard
File name:d39fddfb18e3b21f9fe716810e8110423b7223d6e697f309e144d9c80e045e98
Download: download sample
File size:11'172'119 bytes
First seen:2020-11-10 08:45:46 UTC
Last seen:2024-07-24 21:47:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f06dc709a5b17f58964c6e5478a768b5 (4 x CobaltStrike, 4 x Riskware.Generic, 1 x CoinMiner)
ssdeep 196608:XYqRILQax1+cehuD0QP08YF4HTk4UT3gTi7gCsLZo:XhqLn4uDgo6T3DgC9
Threatray 167 similar samples on MalwareBazaar
TLSH 0AB67D27F4E204F9CA7FD07086979772BA31746A43307BA71F90EA751E12F906A2E714
Reporter seifreed

Intelligence

File Origin
# of uploads :
2
# of downloads :
52
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Pseudosigner-36
Create hunting rule

SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Win.Trojan.CobaltStrike-8091534-0
Create hunting rule

Win.Tool.CobaltStrike-6336852-0
Create hunting rule

Win.Malware.Tofsee-6896728-0
Create hunting rule

Win.Malware.Tofsee-7057860-0
Create hunting rule

Win.Coinminer.Generic-7158858-0
Create hunting rule

Multios.Coinminer.Miner-6781728-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file
Creating a file in the system32 directory
Sending a custom TCP request
Changing a file
Modifying an executable file
Connection attempt
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Infecting executable files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d39fddfb18e3b21f9fe716810e8110423b7223d6e697f309e144d9c80e045e98/
Threat name:
Win64.Trojan.CoinMiner
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 08:48:35 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
207baef67d279f7a610295723d1f619d1696feead9b9bc7991ac7798cd4db685
28077a71b3aff9c96a58949ab21b2c9494ff76bbe29ea5df497fa9e2fc26b5a0
2abd579c1a1fd0474b42cb95fb354633bb01eedf4838582d7962a996f6fcc0f7
395f6a85c334c571e8e1c15704ccc89d66cd84d3e17f61fa575224531b71d115
3a9c4cf06a98848d800eaf6c4cd4a30e50b4123079c3ba71dd69cfb9554b3ad8
474186239b198102d48b399c5f9336a63672c52af39ac35443e7c42078cbf778
85a588bc7e92b4e3a32b439477d47a54da61a22f9bb333e4257966ae291d383a
9c3b39f9ea962517cb7c94e8ee96501ef0db2a1c60029061dd2af0102b5de1cc
a6716509395bbeb0b27d4f384927e7c5b3e75f9fa6e1def742340ab128c15a89
bebb125456266d90678d0bb26ec95a812a96edd68523d41b00a7d7c9ead8a821
+ 157 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike
Link:
https://tria.ge/reports/201110-dm5fqbnwcx/
Behaviour
Modifies Internet Explorer start page
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Program crash
Drops file in Program Files directory
Drops autorun.inf file
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Malware Config
C2 Extraction:
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments