MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1202993e02cafc378caaea494d97555457f72369b6b94fcfd0202a4cbdf8a9c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1202993e02cafc378caaea494d97555457f72369b6b94fcfd0202a4cbdf8a9c8
SHA3-384 hash: 497fbeabea56eeb144e8c949dce9fc6ed9c065c2b79ed32510685b4cebc0ab69c373f3e1f31873083e7dc350af86d933
SHA1 hash: af2895ea60efb8f7ab997b1dd9f958a0d881fc9a
MD5 hash: bfa1eae4dbb897d44aed1a349d7b66eb
humanhash: purple-hot-ink-potato
File name:bfa1eae4dbb897d44aed1a349d7b66eb.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:320'000 bytes
First seen:2021-08-12 13:53:08 UTC
Last seen:2021-08-12 15:19:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 368e97c3444afc7b37df6998ab5d491d (3 x CoinMiner, 3 x KPOTStealer, 2 x Glupteba)
ssdeep 6144:4ZtihjxAr9wzI73e6csrftvw5ePm/hx8BsyR8lDN6Do:MihjCKzI73eMrftv1PG4D2lDNp
Threatray 3'039 similar samples on MalwareBazaar
TLSH T165648D30BB90C035E6B611FC45BAA37CAA2D3E605B7450CF52E52AEE46346E4EC31797
dhash icon 68e8e8e8aa66a499 (33 x RaccoonStealer, 14 x ArkeiStealer, 11 x RedLineStealer)
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bfa1eae4dbb897d44aed1a349d7b66eb.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-12 13:54:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4cc45f4c-6e5f-4163-bd6b-503669f1bc8b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178759/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.21353.20904.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connection attempt to an infection source
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Launching a process
DNS request
Connection attempt
Reading critical registry keys
Sending a custom TCP request
Sending an HTTP GET request
Setting browser functions hooks
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a browser process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/670424d8-5369-4bd6-a955-82c547f0bb9f
Result
Threat name:
Raccoon SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/831815
Signature
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: System File Execution Location Anomaly
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 464251 Sample: 5ih4ps3V69.exe Startdate: 12/08/2021 Architecture: WINDOWS Score: 100 56 www.stephaniecapparell.com 2->56 58 195.201.225.248 HETZNER-ASDE Germany 2->58 60 736 other IPs or domains 2->60 80 Multi AV Scanner detection for domain / URL 2->80 82 Sigma detected: Powershell download and execute file 2->82 84 Multi AV Scanner detection for submitted file 2->84 88 12 other signatures 2->88 10 5ih4ps3V69.exe 2->10         started        13 wcjshuf 2->13         started        signatures3 86 System process connects to network (likely due to code injection or exploit) 56->86 process4 signatures5 106 Detected unpacking (changes PE section rights) 10->106 15 5ih4ps3V69.exe 10->15         started        108 Machine Learning detection for dropped file 13->108 110 Contains functionality to inject code into remote processes 13->110 112 Injects a PE file into a foreign processes 13->112 18 wcjshuf 13->18         started        process6 signatures7 120 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->120 122 Maps a DLL or memory area into another process 15->122 124 Checks if the current machine is a virtual machine (disk enumeration) 15->124 20 explorer.exe 17 15->20 injected 126 Creates a thread in another existing process (thread injection) 18->126 process8 dnsIp9 62 91.241.19.52, 49772, 80 REDBYTES-ASRU Russian Federation 20->62 64 5.44.45.5, 49771, 80 MGNHOST-ASRU Russian Federation 20->64 66 2 other IPs or domains 20->66 42 C:\Users\user\AppData\Roaming\wcjshuf, PE32 20->42 dropped 44 C:\Users\user\AppData\Local\Temp86.exe, PE32 20->44 dropped 46 C:\Users\user\AppData\Local\Temp\83B.exe, PE32 20->46 dropped 48 6 other malicious files 20->48 dropped 98 System process connects to network (likely due to code injection or exploit) 20->98 100 Benign windows process drops PE files 20->100 102 Performs DNS queries to domains with low reputation 20->102 104 4 other signatures 20->104 25 E86.exe 2 20->25         started        29 19A3.exe 2 20->29         started        32 1230.exe 3 6 20->32         started        34 2 other processes 20->34 file10 signatures11 process12 dnsIp13 50 C:\ProgramData\Runtimebroker.exe, PE32 25->50 dropped 114 Detected unpacking (overwrites its own PE header) 25->114 116 Machine Learning detection for dropped file 25->116 36 Runtimebroker.exe 16 25->36         started        74 205.144.171.45 ST-BGPUS United States 29->74 76 217.70.180.133 GANDI-ASDomainnameregistrar-httpwwwgandinetFR France 29->76 78 52 other IPs or domains 29->78 52 C:\Users\user\AppData\Local\...\19A3.exe.pid, ASCII 29->52 dropped 118 Multi AV Scanner detection for dropped file 29->118 54 reviewbrokercrtCommonsessionperfDll.exe, PE32 32->54 dropped 40 wscript.exe 1 32->40         started        file14 signatures15 process16 dnsIp17 68 193.56.146.55 LVLT-10753US unknown 36->68 70 x1.i.lencr.org 36->70 72 www.rockonwest.best 36->72 90 Suspicious powershell command line found 36->90 92 Obfuscated command line found 36->92 94 Machine Learning detection for dropped file 36->94 96 Tries to download and execute files (via powershell) 36->96 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1202993e02cafc378caaea494d97555457f72369b6b94fcfd0202a4cbdf8a9c8/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-12 13:54:05 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cibjspqczl6dpdfk5jeu3f2vkrl7oi3jw24u7t6qeavezppyvhea._file
Verdict:
suspicious
Similar samples:
028fe7d08ab916d5239ccd8bcfdcd885ddffdf3821abc01958490daeba45dbec
CoinMiner
0cd327d648018f31e5a411a72c839b8b74bb188488a32ddf7289990ae516fa7d
CoinMiner
4e0bade1447e3fde60d9f70dc930b665cc6aaf58c5e7ddc895d56ae71863a6ca
CoinMiner
630d1743c5856d0bd5aeab5fea4f818645bbfa902b5131d88b8cfe7118e793b7
CoinMiner
7a271f6c34a12ada4d25503316bfdd9f8806acc6619af04427f509f173d49132
CoinMiner
be08ab1ce25fee08933f9538121460516ae66f5cd881dd06613c0d7c8882e7e0
CoinMiner
bf71696e66a738fd23ce41e05b796f8374be7c73dcad393a8933fbbdde7b978d
CoinMiner
dccd748e32bd9b70312bdb252a8331f6510f8036d14161a537bffadb7cba1402
CoinMiner
+ 3'029 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:dcrat family:raccoon family:smokeloader family:xmrig botnet:471c70de3b4f9e4d493e418d1f60a90659057de0 botnet:cd8dc1031358b1aec55cc6bc447df1018b068607 backdoor discovery evasion infostealer miner persistence phishing rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210812-ayyx9f1bz2/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
DCRat Payload
XMRig Miner Payload
DcRat
Detected phishing page
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
Raccoon Stealer Payload
SmokeLoader
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
xmrig
Malware Config
C2 Extraction:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
Dropper Extraction:
https://www.rockonwest.best/Api/GetFile2
Unpacked files
SH256 hash:
8b085611ecc9d6df0bc54d8421e57eb82f70c2c085e488ccfb41b4d26560bc57
MD5 hash:
3dff4690ed57aba1cd05faf0e7d2ec18
SHA1 hash:
feda1fc6459b5391f3a56da56d9da8089944df5b
Link:
https://www.unpac.me/results/14eb4863-90d2-47e3-bbe1-a80535d99d6f/
SH256 hash:
1202993e02cafc378caaea494d97555457f72369b6b94fcfd0202a4cbdf8a9c8
MD5 hash:
bfa1eae4dbb897d44aed1a349d7b66eb
SHA1 hash:
af2895ea60efb8f7ab997b1dd9f958a0d881fc9a
Link:
https://www.unpac.me/results/14eb4863-90d2-47e3-bbe1-a80535d99d6f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1202993e02ca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1202993e02cafc378caaea494d97555457f72369b6b94fcfd0202a4cbdf8a9c8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 1202993e02cafc378caaea494d97555457f72369b6b94fcfd0202a4cbdf8a9c8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1476557/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/178759/

Comments