MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b57a9ec21d243df448008de2329afddcb907a5b7e0c56b2af876a00771546e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b57a9ec21d243df448008de2329afddcb907a5b7e0c56b2af876a00771546e9
SHA3-384 hash: 0b3f9b5142c4fa2c4395ae7db5cb7c769a678f3d8590e53912fd41428b5b836e7a9931a596d742b65f4b94d16e20554b
SHA1 hash: a131e7658fc7aff9262f24b23514e0f5d6a8e898
MD5 hash: 2d9182d1442bb5eb07db3212ea96a93f
humanhash: lamp-jig-vermont-mobile
File name:2d9182d1442bb5eb07db3212ea96a93f.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:205'312 bytes
First seen:2021-08-24 16:32:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3bdc58d7d3add14fdfc74404aa032a2d (7 x RaccoonStealer, 3 x RedLineStealer, 2 x CoinMiner)
ssdeep 3072:QGkXn5xpAcSu32/hv056X5nSdJQKtOgMRZafD4UA1b:QG65x6cb25vU8bEcxb
Threatray 3'509 similar samples on MalwareBazaar
TLSH T1E014CE0136A0C833C65645B048D2CFA1E629BD716EA19A4337E8EE6F3E352F17716397
dhash icon 4839b2b4e8c38890 (137 x RaccoonStealer, 37 x Smoke Loader, 30 x RedLineStealer)
Reporter abuse_ch
Tags:CoinMiner exe


Avatar
abuse_ch
CoinMiner C2:
http://185.234.247.35/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.234.247.35/ https://threatfox.abuse.ch/ioc/193640/

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2d9182d1442bb5eb07db3212ea96a93f.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-24 16:35:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/97adb86d-b04c-4374-8beb-3dcdb48de215

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181969/
Detection(s):
Win.Packed.Fragtor-9888193-0
Create hunting rule

Win.Packed.Generic-9888247-0
Create hunting rule

Win.Packed.Generic-9888321-0
Create hunting rule

Win.Packed.Generic-9888330-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for the window
Reading critical registry keys
Setting browser functions hooks
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %temp% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Deleting of the original file
Enabling autorun by creating a file
Unauthorized injection to a browser process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/10b713b2-17f4-4757-ad83-f6a7fc9b8d5a
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee Xmrig
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/838444
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject threads in other processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Xmrig cryptocurrency miner
Yara detected Zeppelin Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 470875 Sample: vrTEp3LkwG.exe Startdate: 24/08/2021 Architecture: WINDOWS Score: 100 92 msn.com 2->92 94 hotmail-com.olc.protection.outlook.com 2->94 96 125 other IPs or domains 2->96 120 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->120 122 Malicious sample detected (through community Yara rule) 2->122 124 Antivirus detection for URL or domain 2->124 128 16 other signatures 2->128 11 vrTEp3LkwG.exe 2->11         started        14 drciwii 2->14         started        16 gknjvebx.exe 2->16         started        18 5 other processes 2->18 signatures3 126 System process connects to network (likely due to code injection or exploit) 94->126 process4 signatures5 164 Detected unpacking (changes PE section rights) 11->164 20 vrTEp3LkwG.exe 11->20         started        166 Multi AV Scanner detection for dropped file 14->166 23 drciwii 14->23         started        168 Writes to foreign memory regions 16->168 170 Allocates memory in foreign processes 16->170 172 Injects a PE file into a foreign processes 16->172 25 WerFault.exe 18->25         started        27 WerFault.exe 18->27         started        process6 signatures7 130 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->130 132 Maps a DLL or memory area into another process 20->132 134 Checks if the current machine is a virtual machine (disk enumeration) 20->134 29 explorer.exe 19 20->29 injected 136 Creates a thread in another existing process (thread injection) 23->136 process8 dnsIp9 108 185.49.70.90, 2080, 49755 LEASEWEB-DE-FRA-10DE United Kingdom 29->108 110 readinglistforaugust2.xyz 95.213.224.6, 80 SELECTELRU Russian Federation 29->110 112 3 other IPs or domains 29->112 84 C:\Users\user\AppData\Roaming\drciwii, PE32 29->84 dropped 86 C:\Users\user\AppData\Local\Temp\FBB6.exe, PE32 29->86 dropped 88 C:\Users\user\AppData\Local\Temp\F57B.exe, PE32 29->88 dropped 90 7 other malicious files 29->90 dropped 178 System process connects to network (likely due to code injection or exploit) 29->178 180 Benign windows process drops PE files 29->180 182 Performs DNS queries to domains with low reputation 29->182 184 2 other signatures 29->184 34 FBB6.exe 29->34         started        39 ED7A.exe 2 29->39         started        41 explorer.exe 29->41         started        43 8 other processes 29->43 file10 signatures11 process12 dnsIp13 98 geoiptool.com 158.69.65.151, 443, 49756, 49757 OVHFR Canada 34->98 100 www.geodatatool.com 34->100 102 eur.olc.protection.outlook.com 34->102 80 C:\Users\user\AppData\Roaming\...\taskeng.exe, PE32 34->80 dropped 138 Multi AV Scanner detection for dropped file 34->138 140 May check the online IP address of the machine 34->140 142 Contains functionality to inject threads in other processes 34->142 45 taskeng.exe 34->45         started        82 C:\Users\user\AppData\Local\...\gknjvebx.exe, PE32 39->82 dropped 144 Detected unpacking (changes PE section rights) 39->144 158 2 other signatures 39->158 49 cmd.exe 39->49         started        52 cmd.exe 39->52         started        54 sc.exe 39->54         started        62 3 other processes 39->62 104 readinglistforaugust3.xyz 41->104 146 System process connects to network (likely due to code injection or exploit) 41->146 148 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 41->148 150 Tries to steal Mail credentials (via file access) 41->150 160 2 other signatures 41->160 106 download.virka.tech 185.178.208.180, 443, 49753 DDOS-GUARDRU Russian Federation 43->106 152 Query firmware table information (likely to detect VMs) 43->152 154 Tries to detect sandboxes and other dynamic analysis tools (window names) 43->154 156 Machine Learning detection for dropped file 43->156 162 4 other signatures 43->162 56 conhost.exe 43->56         started        58 WerFault.exe 43->58         started        60 WerFault.exe 43->60         started        64 2 other processes 43->64 file14 signatures15 process16 dnsIp17 114 geoiptool.com 45->114 116 iplogger.org 88.99.66.31, 443, 49772, 49773 HETZNER-ASDE Germany 45->116 118 www.geodatatool.com 45->118 174 Multi AV Scanner detection for dropped file 45->174 176 May check the online IP address of the machine 45->176 78 C:\Windows\SysWOW64\...\gknjvebx.exe (copy), PE32 49->78 dropped 66 conhost.exe 49->66         started        68 conhost.exe 52->68         started        70 conhost.exe 54->70         started        72 conhost.exe 62->72         started        74 conhost.exe 62->74         started        76 conhost.exe 62->76         started        file18 signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0b57a9ec21d243df448008de2329afddcb907a5b7e0c56b2af876a00771546e9/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-24 16:33:05 UTC
AV detection:
25 of 46 (54.35%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bnl2t3bb2jb56reabdpcgknp3xfza6s3pygfnmvpq5vaa5yvi3uq._file
Verdict:
suspicious
Similar samples:
11d175a08e1f4fc351af4e4c2c0549168d4c235a497f3bc1f278e8cb46b972e1
CoinMiner
5152274dbe1cc44da156f29d1ff2858e583237bdc24ced137265cd3668ba851e
CoinMiner
5fc5ab3f922510924c13f1018ba4d5d94f990f3885da41d68a38603020cf9b27
CoinMiner
608248c1ef7bab54f8a7aeffaf618187a6f20d3bc829a6c6de625e2a2a376f2b
CoinMiner
78f958d430a4dec84e4126958d0bde722beab77f03f1ecd733ba94827997dec7
CoinMiner
92e576963128d956b98f423af33a3a2395e6a16f7d44855cfc2fff71c0651329
CoinMiner
a19317b14abc6d4c1294aaaeab29d0ada023dffa37025c839671c193a74fd519
CoinMiner
e9abbf811d367cf26f493d72ccd96749e534804ac27d36956dce0484b1440f25
CoinMiner
+ 3'499 additional samples on MalwareBazaar
Result
Malware family:
tofsee
Create hunting rule
Score:
  10/10
Tags:
family:buran family:raccoon family:redline family:smokeloader family:tofsee botnet:b8ef25fa9e346b7a31e4b6ff160623dd5fed2474 botnet:fe582536ec580228180f270f7cb80a867860e010 botnet:paypertest backdoor discovery evasion infostealer persistence ransomware spyware stealer themida trojan
Link:
https://tria.ge/reports/210824-agfynj51m2/
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Deletes shadow copies
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Buran
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Tofsee
Malware Config
C2 Extraction:
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
49.12.104.30:42222
Unpacked files
SH256 hash:
0a9a7acf77fe4f890fe2acf761fa7f369418bb1f733504acd0792f589ccc7b15
MD5 hash:
ad94a86355be2ad9348b88e8972e8320
SHA1 hash:
8c7ff71739a5194efc5c7bee9c37ad92a9e72646
Link:
https://www.unpac.me/results/0cc1b324-9c02-4530-abea-95c8687a15fd/
SH256 hash:
0b57a9ec21d243df448008de2329afddcb907a5b7e0c56b2af876a00771546e9
MD5 hash:
2d9182d1442bb5eb07db3212ea96a93f
SHA1 hash:
a131e7658fc7aff9262f24b23514e0f5d6a8e898
Link:
https://www.unpac.me/results/0cc1b324-9c02-4530-abea-95c8687a15fd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0b57a9ec21d2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0b57a9ec21d243df448008de2329afddcb907a5b7e0c56b2af876a00771546e9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 0b57a9ec21d243df448008de2329afddcb907a5b7e0c56b2af876a00771546e9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1558724/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/181969/

Comments