MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 191018b2c61b46c04fba2acfd7138621ad327b5e918bee60e551c466aa9aca33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 191018b2c61b46c04fba2acfd7138621ad327b5e918bee60e551c466aa9aca33
SHA3-384 hash: 428c67a437a62f93a2707ab9aa00b3b2075173dde62da0b66e74b22b98059240a1c63871ab946220fd214f6e815c6a37
SHA1 hash: f0a9bc691ab41c90c9ff71c8a5013ef47f33008c
MD5 hash: c11c4c79d0d6f8ed80996c5fe9f73d91
humanhash: wisconsin-kitten-cup-three
File name:GenshinX.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'887'744 bytes
First seen:2021-11-09 14:28:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 15aeac4aa1d11f9ad3fc4c4ac7bb9468 (58 x RedLineStealer, 5 x RaccoonStealer, 3 x CoinMiner)
ssdeep 49152:EMH4G/V6NCh4P4cPhk2xwkF4QbFTaYWNa6nhx2:EowNBP4qNx7PBTVKV6
Threatray 199 similar samples on MalwareBazaar
TLSH T14295336BE1209C64C16F0AB6110E974B9F38362686F881512F7F8BC3D4DC8CD5BA66DD
Reporter tech_skeech
Tags:CoinMiner exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/204515/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/618a85b0dec3347825a07760/reports/79d0b688-b82a-48ad-9ba8-40da26a62f7d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d8f4ff1d-c05b-45cf-8936-ca780a67cfcd
Result
Threat name:
BitCoin Miner RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/886068
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 518550 Sample: GenshinX.exe Startdate: 09/11/2021 Architecture: WINDOWS Score: 100 101 Found malware configuration 2->101 103 Sigma detected: Powershell download and execute file 2->103 105 Multi AV Scanner detection for submitted file 2->105 107 8 other signatures 2->107 14 GenshinX.exe 2->14         started        17 services32.exe 2->17         started        process3 signatures4 141 Query firmware table information (likely to detect VMs) 14->141 143 Tries to detect sandboxes and other dynamic analysis tools (window names) 14->143 145 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 14->145 155 2 other signatures 14->155 19 AppLaunch.exe 15 7 14->19         started        24 WerFault.exe 23 9 14->24         started        147 Multi AV Scanner detection for dropped file 17->147 149 Writes to foreign memory regions 17->149 151 Allocates memory in foreign processes 17->151 153 Creates a thread in another existing process (thread injection) 17->153 26 conhost.exe 17->26         started        process5 dnsIp6 81 project114.ru 46.30.40.107, 49750, 49787, 80 EUROBYTEEurobyteLLCMoscowRussiaRU Russian Federation 19->81 83 23.88.11.67, 49745, 54321 ENZUINC-US United States 19->83 71 C:\Users\user\AppData\Local\...\avira_en.exe, PE32 19->71 dropped 109 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->109 111 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->111 113 Tries to harvest and steal browser information (history, passwords, etc) 19->113 115 Tries to steal Crypto Currency Wallets 19->115 28 avira_en.exe 19->28         started        73 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 24->73 dropped 75 C:\Windows\System32\...\sihost32.exe, PE32+ 26->75 dropped 117 Drops executables to the windows directory (C:\Windows) and starts them 26->117 31 sihost32.exe 26->31         started        file7 signatures8 process9 signatures10 123 Multi AV Scanner detection for dropped file 28->123 125 Adds a directory exclusion to Windows Defender 28->125 33 cmd.exe 1 28->33         started        127 Writes to foreign memory regions 31->127 129 Allocates memory in foreign processes 31->129 131 Creates a thread in another existing process (thread injection) 31->131 36 conhost.exe 31->36         started        process11 signatures12 87 Suspicious powershell command line found 33->87 89 Tries to download and execute files (via powershell) 33->89 91 Adds a directory exclusion to Windows Defender 33->91 38 powershell.exe 33->38         started        40 powershell.exe 33->40         started        44 powershell.exe 25 33->44         started        47 2 other processes 33->47 process13 dnsIp14 49 Radmin_VPN_1.1.4393.14.exe 38->49         started        85 project337.com 40->85 79 C:\Users\user\...\Radmin_VPN_1.1.4393.14.exe, PE32+ 40->79 dropped 133 Powershell drops PE file 44->133 file15 signatures16 process17 signatures18 93 Multi AV Scanner detection for dropped file 49->93 95 Writes to foreign memory regions 49->95 97 Allocates memory in foreign processes 49->97 99 Creates a thread in another existing process (thread injection) 49->99 52 conhost.exe 49->52         started        process19 file20 77 C:\Windows\System32\services32.exe, PE32+ 52->77 dropped 55 cmd.exe 52->55         started        58 cmd.exe 52->58         started        process21 signatures22 119 Drops executables to the windows directory (C:\Windows) and starts them 55->119 60 services32.exe 55->60         started        63 conhost.exe 55->63         started        121 Uses schtasks.exe or at.exe to add and modify task schedules 58->121 65 conhost.exe 58->65         started        67 schtasks.exe 58->67         started        process23 signatures24 135 Writes to foreign memory regions 60->135 137 Allocates memory in foreign processes 60->137 139 Creates a thread in another existing process (thread injection) 60->139 69 conhost.exe 60->69         started        process25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/191018b2c61b46c04fba2acfd7138621ad327b5e918bee60e551c466aa9aca33/
Threat name:
Win32.Trojan.RedLineSteal
Create hunting rule
Status:
Malicious
First seen:
2021-11-09 14:29:05 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
12439fc7c876b8bf881db4e97ed57827c1c4f2fd0ebccc29a4e197b19c80488b
CoinMiner
1505d3b595d18d1b255253b080bed85334916ff81174a5685a6f3f3433cbe746
CoinMiner
40387bebfe97eea9c90425caf5519019dfc0e7425bb238246ec9f7bb5d621293
CoinMiner
773b40c8007545afd1b563bdf17dab8225acd4bd6def35e4db95f70fca16371c
CoinMiner
9b8c70d1c0537d946bf7233df72a7e0ebdff2cb70404a69ee6a2419730973462
CoinMiner
b41455dfe45bf98bd2f1acec07d7a0df02a3c83e1fdecfb403df3984ab794761
CoinMiner
d3cfc436366c9d127c7a6233f6531cf6e5863153b41ba4ab6f8fe87f473c8c9d
CoinMiner
e558134f888d403ba60d7db59978502a9071951528cd4873bd4702921012d69e
CoinMiner
e7b94b42550145f6653edad5a47879f3bad1abe865f065d7036ca942c572e842
CoinMiner
fd6996eab709c3ed21ef140958d9a9147902336b85b47bc896372a18e469a6fc
CoinMiner
+ 189 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline evasion infostealer spyware trojan
Link:
https://tria.ge/reports/211109-rtkc2afdd8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
23.88.11.67:54321
Dropper Extraction:
http://project337.com/Radmin_VPN_1.1.4393.14.exe
Unpacked files
SH256 hash:
84d999f01a5e98e82aebc2a734cc83f73bd4504a891898072bd092871a1f5d67
MD5 hash:
74038c892ddf5ef0aa8a106028681fe2
SHA1 hash:
bac3115034f8271e3dfc33b60f120503d436696a
Link:
https://www.unpac.me/results/ff3698d7-a290-443f-947c-2c4c8b2a759e/
SH256 hash:
191018b2c61b46c04fba2acfd7138621ad327b5e918bee60e551c466aa9aca33
MD5 hash:
c11c4c79d0d6f8ed80996c5fe9f73d91
SHA1 hash:
f0a9bc691ab41c90c9ff71c8a5013ef47f33008c
Link:
https://www.unpac.me/results/ff3698d7-a290-443f-947c-2c4c8b2a759e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/191018b2c61b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/191018b2c61b46c04fba2acfd7138621ad327b5e918bee60e551c466aa9aca33

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 191018b2c61b46c04fba2acfd7138621ad327b5e918bee60e551c466aa9aca33

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/204515/

Comments