MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 054db71cd59068690009183dc807efaf1f2ddb6e1d14ef680ab786460094fabf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 054db71cd59068690009183dc807efaf1f2ddb6e1d14ef680ab786460094fabf
SHA3-384 hash: 56b449b1ebd94586eefba08b9f2425b37ae258c3d06923e6dc1eeda7a4da239f0b66ba598279603c90e2704ce3a303b2
SHA1 hash: 5a403a70fcfa04d867ffef2215227ec210f31f57
MD5 hash: 7c1385cdfdd131225d182c6886848036
humanhash: oregon-oklahoma-arkansas-paris
File name:7c1385cdfdd131225d182c6886848036.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:307'200 bytes
First seen:2021-12-18 07:51:00 UTC
Last seen:2021-12-18 09:47:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 41c28fe7acb4d2c92a8bad32895fbc24 (7 x RedLineStealer, 4 x ArkeiStealer, 3 x Amadey)
ssdeep 6144:Ho7Tw7ugNkqtCIY8gm271wD+OG/hMSoBiwln:0EnU8gn71wD+OWMSoBiS
Threatray 5'930 similar samples on MalwareBazaar
TLSH T1D5649E00B7E0D435F1B752F449BAD3ADA53EBAA15B2591CB52D826EE07386E0EC71307
File icon (PE):PE icon
dhash icon 25ec137031939b91 (2 x RedLineStealer, 2 x CoinMiner, 2 x Stop)
Reporter abuse_ch
Tags:CoinMiner exe


Avatar
abuse_ch
CoinMiner C2:
86.107.197.138:38133

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
86.107.197.138:38133 https://threatfox.abuse.ch/ioc/277061/

Intelligence

File Origin
# of uploads :
2
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.20023.6164.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Searching for synchronization primitives
Reading critical registry keys
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2452/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61bd92ebec6c6c14a9df668d/reports/6f63036c-f828-45a2-b5c4-0593b09e9beb/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e3bc934-a4cb-4668-811d-6cd182dac21f
Result
Threat name:
Amadey BazaLoader Djvu RedLine SmokeLoad
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/909460
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Uses netsh to modify the Windows network and firewall settings
Yara detected Amadey bot
Yara detected BazaLoader
Yara detected Djvu Ransomware
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 541938 Sample: r5XFZVA30A.exe Startdate: 18/12/2021 Architecture: WINDOWS Score: 100 55 zyvireiz.bazar 2->55 57 yzviuzzo.bazar 2->57 59 45 other IPs or domains 2->59 77 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->77 79 Multi AV Scanner detection for domain / URL 2->79 81 Antivirus detection for URL or domain 2->81 85 19 other signatures 2->85 10 r5XFZVA30A.exe 2->10         started        12 svchost.exe 1 1 2->12         started        15 rahtuch 2->15         started        17 3 other processes 2->17 signatures3 83 Tries to resolve many domain names, but no domain seems valid 57->83 process4 dnsIp5 19 r5XFZVA30A.exe 10->19         started        67 127.0.0.1 unknown unknown 12->67 22 rahtuch 15->22         started        process6 signatures7 87 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 19->87 89 Maps a DLL or memory area into another process 19->89 91 Checks if the current machine is a virtual machine (disk enumeration) 19->91 93 Creates a thread in another existing process (thread injection) 19->93 24 explorer.exe 10 19->24 injected process8 dnsIp9 61 host-data-coin-11.com 24->61 63 omkexyiz.bazar 24->63 65 25 other IPs or domains 24->65 47 C:\Users\user\AppData\Roaming\rahtuch, PE32 24->47 dropped 49 C:\Users\user\AppData\Local\Temp\D595.exe, PE32 24->49 dropped 51 C:\Users\user\AppData\Local\Temp\C8E2.exe, PE32 24->51 dropped 53 18 other files (8 malicious) 24->53 dropped 103 System process connects to network (likely due to code injection or exploit) 24->103 105 Benign windows process drops PE files 24->105 107 Deletes itself after installation 24->107 109 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->109 29 AAF8.exe 2 24->29         started        33 101E.exe 24->33         started        35 9859.exe 24->35         started        37 3 other processes 24->37 file10 111 Tries to resolve many domain names, but no domain seems valid 63->111 signatures11 process12 dnsIp13 69 109.234.38.101, 25717 VDSINA-ASRU Russian Federation 29->69 113 Detected unpacking (changes PE section rights) 29->113 115 Query firmware table information (likely to detect VMs) 29->115 117 Tries to detect sandboxes and other dynamic analysis tools (window names) 29->117 133 4 other signatures 29->133 119 Multi AV Scanner detection for dropped file 33->119 121 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 33->121 123 Maps a DLL or memory area into another process 33->123 135 2 other signatures 33->135 40 9859.exe 35->40         started        71 zyozrevu.bazar 37->71 73 zyoxuzzo.bazar 37->73 75 81 other IPs or domains 37->75 43 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 37->43 dropped 45 C:\ProgramData\sqlite3.dll, PE32 37->45 dropped 125 System process connects to network (likely due to code injection or exploit) 37->125 127 Detected unpacking (overwrites its own PE header) 37->127 129 Tries to harvest and steal browser information (history, passwords, etc) 37->129 file14 131 Tries to resolve many domain names, but no domain seems valid 73->131 signatures15 process16 signatures17 95 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 40->95 97 Maps a DLL or memory area into another process 40->97 99 Checks if the current machine is a virtual machine (disk enumeration) 40->99 101 Creates a thread in another existing process (thread injection) 40->101
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/054db71cd59068690009183dc807efaf1f2ddb6e1d14ef680ab786460094fabf/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2021-12-18 07:51:10 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=avg3ohgvsbugsaajda64qb7pv4ps3w3oduko62akw6demaeu7k7q._file
Verdict:
malicious
Similar samples:
79c00db1607b8f07618ee3f90f5c4e160c7de05bce6380a7de83171e2eac11d4
CoinMiner
8323b041e6d80d401329e76951ff41bdf30073011cf061765dc0a812b5bccfe1
CoinMiner
8fd931320f4758593e63dfb6ec286383d95a48798cc42789dfeb46b73e60d474
CoinMiner
97846ca62ffbac16afd4ab5cd5abfbce405ccebe5e6a86ee2d6aed87660410ba
CoinMiner
98ee1f2258c8cd317faa79ecf82078857f66bbbadef2b6a664cd6bca7c68195a
CoinMiner
a8f23aa1f7842d8229fe27e9c8be82ef59aaf4829dec489e963034bf744934be
CoinMiner
b1f977415cb0ada91f4a2ba455d315b7a2ca9e7d1a191348fa95edede644a49b
CoinMiner
e35c69fa5d52a1295092a91cb40fb471065619521830af3e5410107536aab19d
CoinMiner
+ 5'920 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:bazarloader family:redline family:smokeloader family:tofsee family:vidar family:warzonerat family:xmrig botnet:1 botnet:1100 backdoor collection discovery dropper evasion infostealer loader miner persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/211218-jptrxaeeg9/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Arkei Stealer Payload
Bazar/Team9 Loader payload
Vidar Stealer
Warzone RAT Payload
XMRig Miner Payload
Arkei
Bazar Loader
RedLine
RedLine Payload
SmokeLoader
Tofsee
Vidar
WarzoneRat, AveMaria
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
mubrikych.top
oxxyfix.xyz
86.107.197.138:38133
https://noc.social/@sergeev46
https://c.im/@sergeev47
Unpacked files
SH256 hash:
721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589
MD5 hash:
b984a027c8a2abf874f3eb306a831613
SHA1 hash:
d3b3f8890adc840b0bd411cf304eef15d415ed48
Link:
https://www.unpac.me/results/f312f484-4b4f-450c-a595-ba4edeefc95e/
Parent samples :
fb9b41efdc7c2d9e8cfda4be223831a9d2f4d21366759da64e04bbbb9e662766
bc9d49f4f0d51c57b34515616d5e6a23a37fec03f8884d8305db0806bd6138fc
ecb96fec4db4a1eecef04c8ef12b260bb419407111c1263664749481b7fa5387
98c920233869ce802fb4722f982fc1a8c2461e2a01ea4a619a9532a660acf285
2fde1682e006e27b2deb49595ab3baf37a836577fbe9efdfae59d4b6b682d8b7
2374069183727dd5904a26027c80032f30dcff60d25019578876c0b37fa9c224
bd3030832602591f05fe01ef11feaa3b9fe776b2a184eb454f02cae3ab73340b
a0f15f4665835bb7f3b07d5e96d2b08af8e88614c9b22fc9fff86f4f60ee1a8e
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a
SH256 hash:
054db71cd59068690009183dc807efaf1f2ddb6e1d14ef680ab786460094fabf
MD5 hash:
7c1385cdfdd131225d182c6886848036
SHA1 hash:
5a403a70fcfa04d867ffef2215227ec210f31f57
Link:
https://www.unpac.me/results/f312f484-4b4f-450c-a595-ba4edeefc95e/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/054db71cd590/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/054db71cd59068690009183dc807efaf1f2ddb6e1d14ef680ab786460094fabf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 054db71cd59068690009183dc807efaf1f2ddb6e1d14ef680ab786460094fabf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1865883/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1892559/
Cape
Cape
https://www.capesandbox.com/analysis/214946/

Comments