MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05e2540b7113609289ffb8ccdcb605aa6dac2873dcce104c43fbd4b7f58b8898. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 13



SHA256 hash: 05e2540b7113609289ffb8ccdcb605aa6dac2873dcce104c43fbd4b7f58b8898
SHA3-384 hash: 2d3057963472ce48baac55b7ddc53a34a0b6aa3f29bf36074ada6125d07a431bfc1eba593f63890aeb54cea345f6269c
SHA1 hash: c1aa720cc06c07acc8141fab84cdb8f9566c0994
MD5 hash: b0f998e526aa724a696ccb2a75ff4f59
humanhash: cola-sink-steak-quebec
File name: 05E2540B7113609289FFB8CCDCB605AA6DAC2873DCCE1.exe
Signature: CoinMiner
File size: 1'052'160 bytes
First seen: 2022-01-23 14:10:51 UTC
Last seen: 2022-01-23 15:43:19 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 93fd4ae8d78e56fe707a53a5a49cf9e3 (1 x DiamondFox, 1 x RedLineStealer, 1 x CoinMiner)
ssdeep: 12288:JD7rEZjryS6s2iVHuvd3rRtyncxQRhJJzhoqgH5sB4dxHGho:JDnmT20CrRhQRh9B4dw
TLSH: T170257D10B3D89A26D6EE1370F0B4492946F5FE31BB72E78F5644B4AC1A73BC198107A7
dhash icon: f0d8b06969e0e8f0 (3 x DiamondFox, 2 x RaccoonStealer, 2 x RedLineStealer)
Reporter: abuse_ch
Tags: CoinMiner exe


abuse_ch
CoinMiner C2:
91.243.59.147:33459

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 91.243.59.147:33459
ThreatFox Reference: https://threatfox.abuse.ch/ioc/313093/

Intelligence


File Origin
# of uploads:
2
# of downloads:
277
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://free4pc.org/idm-crack/
Verdict:
Malicious activity
Analysis date:
2021-08-30 04:38:57 UTC
Tags:
trojan stealer vidar rat redline loader evasion opendir raccoon unwanted netsupport

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Creating a file
Reading critical registry keys
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Sending an HTTP GET request
Creating a window
Query of malicious DNS domain
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
greyware packed packed replace.exe zusy
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine Vidar onlyLogger
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject threads in other processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Hides threads from debuggers
Machine Learning detection for dropped file
Modifies Chrome's extension installation force list
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Behavior Graph ID: 558329
Sample: 05E2540B7113609289FFB8CCDCB...
Startdate: 23/01/2022
Architecture: WINDOWS
Score: 100

Start node (2), signatures:
  Multi AV Scanner detection for domain / URL
  Antivirus detection for URL or domain
  Antivirus detection for dropped file
  22 other signatures

Process 8: 05E2540B7113609289FFB8CCDCB605AA6DAC2873DCCE1.exe (started by 2)
  Network: 37.0.10.214 WKD-ASIE Netherlands; 37.0.10.244 WKD-ASIE Netherlands; 16 other IPs or domains
  Dropped: C:\Users\...\y8Ru_zucY1zEKzAn8egc3Axe.exe, PE32; C:\Users\...\xnk1GfT7ux5sPCC68Q1ZoZTr.exe, PE32; C:\Users\...\wXH9cq6L2UgYR6iH5soBXJty.exe, PE32; 44 other files (23 malicious)
  Signatures: Creates HTML files with .exe extension (expired dropper behavior); Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry); Writes many files with high entropy
  Started: Ka1UG2K1X77noA2Sk5KhhjzA.exe (13); y8Ru_zucY1zEKzAn8egc3Axe.exe (16); sLGkRpWfKIvJtQXH5biZ46yI.exe (19); 12 other processes (21)

Process 13: Ka1UG2K1X77noA2Sk5KhhjzA.exe
  Dropped: C:\Program Files (x86)\...\rtst1039.exe, PE32+; 3 other files (2 malicious)

Process 16: y8Ru_zucY1zEKzAn8egc3Axe.exe
  Network: 149.154.167.99 TELEGRAMRU United Kingdom
  Dropped: C:\Users\...\ru9BkbOS3lo1QKo2F2o77Ulv.exe, PE32; C:\...\PowerControl_Svc.exe, PE32; C:\Users\user\AppData\...\Cube_WW14[1].bmp, PE32
  Started: ru9BkbOS3lo1QKo2F2o77Ulv.exe (24); schtasks.exe (26); schtasks.exe (28)

Process 19: sLGkRpWfKIvJtQXH5biZ46yI.exe
  Dropped: C:\Users\user\AppData\Local\...\Install.exe, PE32; C:\Users\user\AppData\Local\...\config.txt, data

Process 21: 12 other processes
  Network: 20.54.104.15 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 20.54.7.98 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 4 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\...\setup[1].exe, PE32; 13 other files (none is malicious)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc); Hides threads from debuggers
  Started: poCp0EkF8CXRsAyl5UuGVycG.exe (30); conhost.exe (33); conhost.exe (35); G0mtywTJiiTfsxLIzTHCisVE.exe (37)

Process 24: ru9BkbOS3lo1QKo2F2o77Ulv.exe
  Started: conhost.exe (39)

Process 26: schtasks.exe
  Started: conhost.exe (41)

Process 28: schtasks.exe
  Started: conhost.exe (43)

Process 30: poCp0EkF8CXRsAyl5UuGVycG.exe
  Signatures: Modifies Chrome's extension installation force list
Threat name:
Win32.Downloader.SmallAgent
Status:
Malicious
First seen:
2021-08-29 18:35:48 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
32 of 43 (74.42%)
Threat level:
3/5
Verdict:
malicious
Label(s):
raccoon
Result
Malware family:
Score:
10/10
Tags:
family:raccoon family:redline family:vidar botnet:1114 botnet:1bc6116182dfd33bce1052fe9bb0415968161030 botnet:26ba8731a23ebe331ca665e334da5a21506c1e2d botnet:4c585dd595f87d872b81110ef04a868eee9e5c6b evasion infostealer spyware stealer trojan
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Raccoon
RedLine
RedLine Payload
Vidar
Malware Config
C2 Extraction:
https://mastodon.online/@prophef1
https://koyu.space/@prophef2
Unpacked files
SHA256 hash:
05e2540b7113609289ffb8ccdcb605aa6dac2873dcce104c43fbd4b7f58b8898
MD5 hash:
b0f998e526aa724a696ccb2a75ff4f59
SHA1 hash:
c1aa720cc06c07acc8141fab84cdb8f9566c0994
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments