MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f0edb7f25b876773ac2318600e0a493edcb6ea3a0235a9b0a3141ff6247c4f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 16



SHA256 hash: 0f0edb7f25b876773ac2318600e0a493edcb6ea3a0235a9b0a3141ff6247c4f9
SHA3-384 hash: c1ab1b9de425b15c26785a7881e76ec73bcdbdd7b63f497eddd54a2bba9f53c0fc0529b315b213fe4381eb808fea9c24
SHA1 hash: c83a9e70b4649f3173b4df918a48e20a98b9cf3e
MD5 hash: 902b8b84ab8e77279f06d1fa4bb769a3
humanhash: echo-neptune-oven-nitrogen
File name: 902b8b84ab8e77279f06d1fa4bb769a3
Signature: CoinMiner
File size: 459'264 bytes
First seen: 2023-08-11 05:36:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 652c7ff7afcc08a2e9c5186e380250b2 (3 x RedLineStealer, 1 x CoinMiner)
ssdeep 6144:oy2kubyQXGDbrqBJEvG72Um+VpCYGA4KCVkdpIQaf7PKh4KoC/JolOr0QU:pBYyQXGXrM72mpmvKCVWpXaWBJoP
Threatray 3 similar samples on MalwareBazaar
TLSH T1B8A4C1C37EA1B860F512DE325D3ED2F6263DFD618E59675A2218FA2F04711E1D263B02
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 70d0ded0c2d9d2dd (1 x CoinMiner, 1 x Smoke Loader)
Reporter zbetcheckin
Tags: 32 CoinMiner exe
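Before working with a copy of this sample, confirm that the bytes on disk are the bytes this entry describes. The script below is an added example, not MalwareBazaar's own tooling: it computes the four digests listed above (SHA3-384, SHA256, SHA1, MD5) in a single streamed pass, compares them against the entry, and performs the cheap MZ/PE header check that corresponds to the "Executable exe" file type. The only identifiers taken from the entry are the four digests; the sample bytes built by build_fake_pe() are constructed for the example and are not the real file.

```python
"""Verify a sample against the digests listed in a MalwareBazaar entry.

Added example, not MalwareBazaar's own code. Digests below are copied from
the entry; the bytes produced by build_fake_pe() are constructed stand-ins.
"""
import hashlib
import struct

# Digests copied from the entry above.
ENTRY = {
    "sha3_384": "c1ab1b9de425b15c26785a7881e76ec73bcdbdd7b63f497eddd54a2bba9f53c0fc0529b315b213fe4381eb808fea9c24",
    "sha256": "0f0edb7f25b876773ac2318600e0a493edcb6ea3a0235a9b0a3141ff6247c4f9",
    "sha1": "c83a9e70b4649f3173b4df918a48e20a98b9cf3e",
    "md5": "902b8b84ab8e77279f06d1fa4bb769a3",
}
ALGOS = ("sha3_384", "sha256", "sha1", "md5")


def digests(data: bytes) -> dict:
    """Hex digests of an in-memory blob with every algorithm the entry lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def digests_of_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same as digests(), but streamed so large samples are not read at once."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare(computed: dict, entry: dict = ENTRY) -> dict:
    """Per-algorithm match result. All four must agree: a single mismatch means
    the file on disk is not the one the entry describes (wrong file, still-zipped
    download, or a truncated transfer)."""
    return {name: computed[name].lower() == entry[name].lower() for name in ALGOS}


def is_pe(data: bytes) -> bool:
    """Header check matching the entry's 'Executable exe' file type: 'MZ' at
    offset 0 and the 'PE\\0\\0' signature at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_fake_pe() -> bytes:
    """Constructed stand-in: a 64-byte DOS header whose e_lfanew points at a
    bare PE signature. Not the real sample."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    sample = build_fake_pe()
    d = digests(sample)
    print("PE header ok:", is_pe(sample))
    for name, ok in compare(d).items():
        print(f"{name:8} {'MATCH' if ok else 'mismatch'} {d[name]}")
```

Run it against the real download with `digests_of_file(path)` in place of the constructed bytes; every algorithm must report MATCH before the sample is trusted as the one this entry, its YARA hits and its sandbox reports refer to.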

Intelligence


File Origin
# of uploads :
1
# of downloads :
322
Origin country :
FR
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
902b8b84ab8e77279f06d1fa4bb769a3
Verdict:
Malicious activity
Analysis date:
2023-08-11 05:39:46 UTC
Tags:
stealer vidar trojan arkei miner

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
71%
Tags:
greyware packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MicroClip, Vidar, Xmrig
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Searches for specific processes (likely to inject)
Self deletion via cmd or bat file
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected MicroClip
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
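Two of the signatures above, "Detected Stratum mining protocol" and "Uses known network protocols on non-standard ports", are payload-level findings: a miner announces itself in its first messages to the pool as newline-delimited JSON-RPC, and that is recognisable whatever port the flow uses. The detector below is an added example, not code from MalwareBazaar or any of the sandboxes quoted here. It parses XMRig-style Monero `login` messages (which carry an `agent` string) and Bitcoin-derived `mining.subscribe` / `mining.authorize` messages, and classifies a flow by payload rather than by port. All three flows, including the wallet, pool addresses and agent strings, are constructed for the example; the entry only tells us that Stratum was seen and that 116.203.166.240 was contacted on port 27015, not which flow carried what.

```python
"""Payload-based detection of Stratum mining traffic.

Added example, not from MalwareBazaar or a vendor sandbox. Sample payloads
are constructed; wallet, pool and agent strings are made up.
"""
import json

# Monero pools (XMRig) use a JSON-RPC 'login' whose params carry an 'agent';
# Bitcoin-derived pools use 'mining.subscribe' / 'mining.authorize'.
STRATUM_METHODS = {"login", "mining.subscribe", "mining.authorize",
                   "submit", "mining.submit"}


def parse_stratum(payload: bytes) -> list:
    """Return (method, agent) for every Stratum JSON-RPC line in a TCP payload;
    empty list if the payload is not Stratum."""
    hits = []
    for raw in payload.split(b"\n"):
        raw = raw.strip()
        if not raw.startswith(b"{"):
            continue  # Stratum lines are always JSON objects
        try:
            msg = json.loads(raw.decode("utf-8", "replace"))
        except json.JSONDecodeError:
            continue
        method = msg.get("method")
        if method not in STRATUM_METHODS or "params" not in msg:
            continue
        params = msg["params"]
        agent = None
        if isinstance(params, dict):
            agent = params.get("agent")          # XMRig-style login
        elif method == "mining.subscribe" and params and isinstance(params[0], str):
            agent = params[0]                    # Bitcoin-style subscribe
        hits.append((method, agent))
    return hits


def classify_flow(dst_ip: str, dst_port: int, payload: bytes) -> dict:
    """Flag a flow as mining if its payload parses as Stratum, on any port."""
    hits = parse_stratum(payload)
    return {
        "dst": f"{dst_ip}:{dst_port}",
        "stratum": bool(hits),
        "methods": [m for m, _ in hits],
        "agent": next((a for _, a in hits if a), None),
    }


# Constructed flows (documentation-range IPs). The first mimics an XMRig login
# on port 27015, a game-server port rather than a conventional pool port, which
# is the situation 'Uses known network protocols on non-standard ports' describes.
FLOWS = [
    ("198.51.100.7", 27015,
     b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4EXAMPLEwallet",'
     b'"pass":"x","agent":"XMRig/6.0.0 (Windows NT 10.0; Win64; x64)"}}\n'),
    ("198.51.100.8", 3333,
     b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n'
     b'{"id":2,"method":"mining.authorize","params":["worker1","x"]}\n'),
    ("198.51.100.9", 27015,
     b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    for ip, port, data in FLOWS:
        print(classify_flow(ip, port, data))
```

Because the check keys on the JSON-RPC method names rather than on a port list, the third flow (plain HTTP on the same port 27015) is not flagged, while the first is flagged even though nothing about its destination port suggests mining.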
Behaviour
Behavior Graph:
Behavior Graph ID 1289812; sample Iar9tmdq6s.exe; start date 11/08/2023; architecture WINDOWS; score 100.

Signatures attached to the root node: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures.

Process tree, with the network contacts, dropped files and signatures the sandbox attached to each node ("..." marks path components the graph truncates; ports are listed as destination port, then source port):

Iar9tmdq6s.exe
    network: 116.203.166.240 port 27015 (source port 49709), HETZNER-ASDE, Germany; t.me 149.154.167.99 port 443 (source port 49708), TELEGRAMRU, United Kingdom; 2 other IPs or domains
    dropped: C:\Users\user\AppData\Local\...\soft[1].exe (PE32+); C:\Users\user\AppData\Local\...\XMU[1].exe (PE32+); C:\ProgramData\60043587792355008103.exe (PE32+); 2 other malicious files
    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 4 other signatures
    |-- 42543956109205607560.exe
    |       network: 192.168.2.1 (private address; ASN and country unknown)
    |       dropped: C:\ProgramData\Win64\U.exe (MS-DOS)
    |       signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); 2 other signatures
    |       |-- cmd.exe
    |               |-- U.exe
    |               |       signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); 3 other signatures
    |               |       |-- WerFault.exe
    |               |-- conhost.exe
    |               |-- timeout.exe
    |-- 15942168098849803906.exe
    |       dropped: C:\Users\user\AppData\Roaming\...\updater.exe (PE32+)
    |       signatures: Suspicious powershell command line found
    |-- 60043587792355008103.exe
    |       signatures: Tries to harvest and steal browser information (history, passwords, etc)
    |       |-- cmd.exe
    |               |-- conhost.exe
    |               |-- choice.exe
    |-- cmd.exe
            |-- conhost.exe
            |-- timeout.exe
updater.exe
    dropped: C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+); C:\Users\user\AppData\...\uhlwpibxvsms.tmp (PE32+)
    signatures: Multi AV Scanner detection for dropped file; Suspicious powershell command line found; Injects code into the Windows Explorer (explorer.exe); 5 other signatures
    |-- explorer.exe
    |       network: cloudproxy.hs-bin.com 217.29.58.241, OKBPROGRESSMoscowRussiaRU, Russian Federation
    |       signatures: System process connects to network (likely due to code injection or exploit); Tries to evade debugger and weak emulator (self modifying code)
    |-- conhost.exe
cmd.exe
    |-- 2 other processes
7 other processes
    |-- conhost.exe
    |-- 3 other processes
Threat name:
Win32.Ransomware.GandCrab
Status:
Malicious
First seen:
2023-08-10 23:17:35 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
32 of 38 (84.21%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:vidar botnet:ef53b6b1b2b41bb26f156380d493f1dd spyware stealer
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://t.me/tatlimark
https://steamcommunity.com/profiles/76561199536605936
Unpacked files
SHA256 hash:
fac0cdf541ca6be5012e0512d7cb053f3db9730fe4e99f9e1f5999f4d92f5d17
MD5 hash:
2c43c52207ac0cb6d6354640fe0b5b21
SHA1 hash:
3e70ed305f76cb12ab72fa1e1b4ecb0643da93bd
Detections:
VidarStealer
SHA256 hash:
0f0edb7f25b876773ac2318600e0a493edcb6ea3a0235a9b0a3141ff6247c4f9
MD5 hash:
902b8b84ab8e77279f06d1fa4bb769a3
SHA1 hash:
c83a9e70b4649f3173b4df918a48e20a98b9cf3e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps the samples produce when executed. Only results from TLP:CLEAR rules are displayed.

Rule name:Check_OutputDebugStringA_iat
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:grakate_stealer_nov_2021
Rule name:has_telegram_urls
Author:Aaron DeVera <aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_EXE_Packed_MPress
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:maldoc_find_kernel32_base_method_1
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Author:Willi Ballenthin
Rule name:NET
Author:malware-lu
Rule name:Telegram_Links
Rule name:TeslaCryptPackedMalware
Rule name:Vidar
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Trojan_Smokeloader_3687686f
Author:Elastic Security
Rule name:win_vidar_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: CoinMiner
File type: Executable exe
SHA256 hash: 0f0edb7f25b876773ac2318600e0a493edcb6ea3a0235a9b0a3141ff6247c4f9 (this sample)

Comments



zbet commented on 2023-08-11 05:36:33 UTC

url: hxxp://193.233.255.9/lend/build32.exe