MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe765b161ea026ac8ea581b5158c9f1686c2bfb800f8ab379781e2cbc64dd34a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe765b161ea026ac8ea581b5158c9f1686c2bfb800f8ab379781e2cbc64dd34a
SHA3-384 hash: e320f9754ca875b61712ab90e6ee2753bbe5c7d14b104c62c852832ce7b1ca790185aab7c68aeafdcd1020edfe45652b
SHA1 hash: e36611bc24010bfe958228c375e5303c48c9f184
MD5 hash: 9e2213e6e22db4e4f7f22ac7ef76b308
humanhash: washington-avocado-coffee-crazy
File name:fe765b161ea026ac8ea581b5158c9f1686c2bfb800f8ab379781e2cbc64dd34a
Download: download sample
File size:5'462'686 bytes
First seen:2020-11-10 09:11:17 UTC
Last seen:2024-07-24 23:28:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 227fe66ff6f22dec0266a5718d365ece (39 x CoinMiner, 1 x CobaltStrike, 1 x Berbew)
ssdeep 49152:ROdWCCi7/raC56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lB:RWWBibp56utgpPFotBER/mQ32lUd
Threatray 262 similar samples on MalwareBazaar
TLSH ED465C41ED9B45F2EB8712308CB31E5F6333B2190335EAC3DA654A6FE5276E46B36241
Reporter seifreed

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.CobaltStrike-8091534-0
Create hunting rule

Win.Tool.CobaltStrike-6336852-0
Create hunting rule

Win.Trojan.Razy-7331645-0
Create hunting rule

Win.Trojan.Razy-7332867-0
Create hunting rule

Win.Trojan.Razy-7364523-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe765b161ea026ac8ea581b5158c9f1686c2bfb800f8ab379781e2cbc64dd34a/
Threat name:
Win64.Trojan.CoinMiner
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 09:13:08 UTC
AV detection:
36 of 48 (75.00%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
072694fbed06bdddfa1935539deea591543163bec90c821cc07e5c34db5cd519
0e1a67e3f9f273af8df4d73ca9faf02acd963117babed391f9a8caeb5c4e3fde
1e50a6169593f13f606adfe24a312a576653bdbb5688d7106a063c9a174d8b2d
22f52343a08d9df34006583847ac1d7fe29ed8c351fa8a3be9a57f11af747ea6
320b33dd8238469b367c6f2a381be0adabe277f9e209f24422cfef7f393a368a
7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8
8c7cb6899388a6a8508d50cb30d4b6f371ce72d54cbf28fd8acbf0e05a8bc2f4
da9648f3a908fa5c14386ee30570b3465ec26dde00bccd3555d5de74d49eec7b
ddf12627ac05a185047807aa961c819a0b9bf6949e01d3c18aa2f277e87bca85
e04dd6ecda2af82e6087b201788ef15011a410d4fd72b5a0b7971ac5e816811f
+ 252 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike backdoor trojan upx
Link:
https://tria.ge/reports/201110-w9wp21prpn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
JavaScript code in executable
Loads dropped DLL
Executes dropped EXE
UPX packed file
Cobalt Strike reflective loader
Cobaltstrike
Malware Config
C2 Extraction:
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
Unpacked files
SH256 hash:
fe765b161ea026ac8ea581b5158c9f1686c2bfb800f8ab379781e2cbc64dd34a
MD5 hash:
9e2213e6e22db4e4f7f22ac7ef76b308
SHA1 hash:
e36611bc24010bfe958228c375e5303c48c9f184
Link:
https://www.unpac.me/results/9dfaed0b-efd5-48a2-bab1-6680746e5f21/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments