MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11b4633345982ace9d710465450941598b2f9289f0438c358fa79eb8eaf680c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs 4 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11b4633345982ace9d710465450941598b2f9289f0438c358fa79eb8eaf680c3
SHA3-384 hash: 5940f25dcb59b135d61f04529ddfd7115900c8ae66c5d6633494e3d39ce73c96aed0fcfe1edcd27219113c3c6ae87c22
SHA1 hash: 3546e2d0d5732538a0bb565d410f5ca1de9c3416
MD5 hash: 28351e9cfaca470a9f99b2455b3f1354
humanhash: social-tango-quebec-fruit
File name:28351e9cfaca470a9f99b2455b3f1354.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:137'728 bytes
First seen:2021-09-26 23:35:53 UTC
Last seen:2021-09-27 01:06:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d219b4c81d3038e0b353f2c453352508 (12 x RaccoonStealer, 4 x Smoke Loader, 2 x ArkeiStealer)
ssdeep 3072:/Jyb2pQ2WInoPtGliBMCtf5HJHTfN0B0O:/JvpQ2WInqtBbJHTfN0iO
Threatray 5'080 similar samples on MalwareBazaar
TLSH T141D3BE3D7680C432D99A56724869C6AC563A7C227E71DE833B48335F0F722D29637397
File icon (PE):PE icon
dhash icon fcfcd4f4d4d4d8c0 (23 x RedLineStealer, 21 x RaccoonStealer, 6 x Smoke Loader)
Reporter abuse_ch
Tags:CoinMiner exe


Avatar
abuse_ch
CoinMiner C2:
http://194.180.174.100/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://194.180.174.100/ https://threatfox.abuse.ch/ioc/226740/
138.124.186.2:27999 https://threatfox.abuse.ch/ioc/226741/
45.156.21.209:56326 https://threatfox.abuse.ch/ioc/226786/
45.147.197.123:31820 https://threatfox.abuse.ch/ioc/226898/

Intelligence

File Origin
# of uploads :
2
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
28351e9cfaca470a9f99b2455b3f1354.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-26 23:37:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/019673c3-e086-4ac8-ae79-fdd011724a7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/191860/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader43.24891.27326.586.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7da7f8d2-3bbb-460a-86eb-5a3df3cd3699
Result
Threat name:
Clipboard Hijacker Raccoon RedLine Smoke
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/858559
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Uses known network protocols on non-standard ports
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 490990 Sample: 9uHCz7MrjF.exe Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 79 twitter.com 2->79 81 google.com 2->81 83 3 other IPs or domains 2->83 107 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->107 109 Antivirus detection for URL or domain 2->109 111 Multi AV Scanner detection for submitted file 2->111 113 12 other signatures 2->113 11 9uHCz7MrjF.exe 2->11         started        14 svchost.exe 1 2->14         started        16 eibfegt 2->16         started        18 7 other processes 2->18 signatures3 process4 dnsIp5 143 Detected unpacking (changes PE section rights) 11->143 145 Contains functionality to inject code into remote processes 11->145 147 Injects a PE file into a foreign processes 11->147 21 9uHCz7MrjF.exe 11->21         started        24 eibfegt 14->24         started        85 192.168.2.1 unknown unknown 18->85 149 Changes security center settings (notifications, updates, antivirus, firewall) 18->149 151 DLL side loading technique detected 18->151 26 MpCmdRun.exe 1 18->26         started        signatures6 process7 signatures8 135 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->135 137 Maps a DLL or memory area into another process 21->137 139 Checks if the current machine is a virtual machine (disk enumeration) 21->139 28 explorer.exe 6 21->28 injected 141 Creates a thread in another existing process (thread injection) 24->141 33 conhost.exe 26->33         started        process9 dnsIp10 101 216.128.137.31, 80 AS-CHOOPAUS United States 28->101 103 193.56.146.41, 49866, 9080 LVLT-10753US unknown 28->103 105 12 other IPs or domains 28->105 71 C:\Users\user\AppData\Roaming\eibfegt, PE32 28->71 dropped 73 C:\Users\user\AppData\Local\Temp\2D22.exe, PE32 28->73 dropped 75 C:\Users\user\AppData\Local\Temp\23F9.exe, PE32 28->75 dropped 77 C:\Users\user\...\eibfegt:Zone.Identifier, ASCII 28->77 dropped 153 System process connects to network (likely due to code injection or exploit) 28->153 155 Benign windows process drops PE files 28->155 157 Deletes itself after installation 28->157 159 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->159 35 23F9.exe 28->35         started        38 2D22.exe 15 5 28->38         started        41 AD47.exe 28->41         started        44 6 other processes 28->44 file11 signatures12 process13 dnsIp14 115 Detected unpacking (changes PE section rights) 35->115 117 Injects a PE file into a foreign processes 35->117 46 23F9.exe 35->46         started        87 94.26.228.204, 32917, 49829 PTC-YEMENNETYE Russian Federation 38->87 89 api.ip.sb 38->89 119 Query firmware table information (likely to detect VMs) 38->119 121 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 38->121 123 Hides threads from debuggers 38->123 125 Tries to detect sandboxes / dynamic malware analysis system (registry check) 38->125 49 conhost.exe 38->49         started        91 194.180.174.100, 49853, 49856, 80 MIVOCLOUDMD unknown 41->91 93 t.me 149.154.167.99, 443, 49852 TELEGRAMRU United Kingdom 41->93 95 jqueri-web.at 41->95 61 C:\Users\user\AppData\...\Fd8sblND16.exe, PE32 41->61 dropped 63 C:\Users\user\AppData\...\vcruntime140.dll, PE32 41->63 dropped 65 C:\Users\user\AppData\...\ucrtbase.dll, PE32 41->65 dropped 69 56 other files (none is malicious) 41->69 dropped 127 Detected unpacking (overwrites its own PE header) 41->127 97 176.31.32.199, 49849, 80 OVHFR France 44->97 99 3 other IPs or domains 44->99 67 C:\Users\user\AppData\Local\...\sezwdccq.exe, PE32 44->67 dropped 129 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 44->129 131 Tries to detect sandboxes and other dynamic analysis tools (window names) 44->131 133 Tries to detect virtualization through RDTSC time measurements 44->133 51 9BB1.exe 44->51         started        53 9BB1.exe 44->53         started        55 9BB1.exe 44->55         started        57 conhost.exe 44->57         started        file15 signatures16 process17 signatures18 161 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 46->161 163 Maps a DLL or memory area into another process 46->163 165 Checks if the current machine is a virtual machine (disk enumeration) 46->165 167 Creates a thread in another existing process (thread injection) 46->167 59 conhost.exe 51->59         started        process19
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/11b4633345982ace9d710465450941598b2f9289f0438c358fa79eb8eaf680c3/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-26 19:00:07 UTC
AV detection:
17 of 45 (37.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cg2ggm2ftavm5hlrarsukckblgfs7euj6bbyynmpu6plr2xwqdbq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
110758352eac2b65a35d51aedc9f7d0577934f37dc74c9c72266a81967b9cf88
CoinMiner
2d07d380e31b6e3308b1fba40eed899dd9fce0fbb7d7beca3c708656961b6217
CoinMiner
39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b
CoinMiner
5ed39b2c2b58db059b65bd11c6783a1c65b9836143f2c4dfbde502ff685598db
CoinMiner
770a75002164e25891b3663582594cf2a82867ca3b734cc9b366784a252c7e75
CoinMiner
843140b0a3f095d74fe2682d3ae029d4da70a5bae79850cf047a72c9d4a882c0
CoinMiner
858a2b253b7e26188cffde5e58dfb08e4a26ef393f962958d6a1615c93f9917e
CoinMiner
c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24
CoinMiner
f6ede8409878ceb95b88f9cc7064b816568a0be6a933676709152de794173e1a
CoinMiner
f7e22e20cd90f57ce6025dfb5bd05d49963e1915c18abcf16af7503a7215be8b
CoinMiner
+ 5'070 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:chinese_generic_botnet family:raccoon family:redline family:smokeloader family:tofsee family:xmrig botnet:5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4 botnet:bliss botnet:denis botnet:karma backdoor botnet discovery evasion infostealer miner persistence spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210926-3lkjlsfdap/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Chinese Botnet Payload
XMRig Miner Payload
Generic Chinese Botnet
Raccoon
RedLine
RedLine Payload
SmokeLoader
Tofsee
Windows security bypass
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
xmrig
Malware Config
C2 Extraction:
http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/
45.147.197.123:31820
185.237.98.178:62607
94.103.9.133:39323
Unpacked files
SH256 hash:
2fead9437f15e057951fd6a02ab05076e38db13483df0191787c21c79343b9e7
MD5 hash:
1c90f3a3fcd93ee08b2154cbcff49085
SHA1 hash:
73ac881633a13c3c31c1153d8105b8ecbb60961e
Link:
https://www.unpac.me/results/299a037e-d989-4dfb-8b71-03e67bf7e5ad/
SH256 hash:
11b4633345982ace9d710465450941598b2f9289f0438c358fa79eb8eaf680c3
MD5 hash:
28351e9cfaca470a9f99b2455b3f1354
SHA1 hash:
3546e2d0d5732538a0bb565d410f5ca1de9c3416
Link:
https://www.unpac.me/results/299a037e-d989-4dfb-8b71-03e67bf7e5ad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/11b4633345982ace9d710465450941598b2f9289f0438c358fa79eb8eaf680c3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 11b4633345982ace9d710465450941598b2f9289f0438c358fa79eb8eaf680c3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1639930/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/191860/

Comments