MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2027e263e2872242faf65b3e6bf249223cb09b8e9b335f44bf3e89b9951be9f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2027e263e2872242faf65b3e6bf249223cb09b8e9b335f44bf3e89b9951be9f9
SHA3-384 hash: c08fc221df50908de54251af1448e2e2f4dd496c115c8bc4f36ba1e84e91b15433a576d16bf8f4cc64dc66ef35648456
SHA1 hash: 3fe712255190fca61ab575252143e23ee2c00800
MD5 hash: 0fae8a15a0aa82d1d872010e038308ee
humanhash: march-nine-colorado-dakota
File name:0fae8a15a0aa82d1d872010e038308ee.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'678'320 bytes
First seen:2022-07-24 23:40:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1b56a5a4a9e71327b1216e8f025c337 (1 x CoinMiner)
ssdeep 24576:4SwIfugG2BipFzwOmt7jmol7v0rRA+w1m4jj64bF0:lfuje6zwjhjm+42Vq4b
TLSH T1DA75F109E097D068E8D01DB0A692A5BC4963EDFD9F0226D7295DF0438BF46C8DD31DEA
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0f4e2ccd4f0f8cc (1 x CoinMiner, 1 x Smoke Loader, 1 x LgoogLoader)
Reporter abuse_ch
Tags:CoinMiner exe signed

Code Signing Certificate

Organisation:www.cuwest.org
Issuer:GeoTrust Global TLS RSA4096 SHA256 2022 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2022-06-22T00:00:00Z
Valid to:2023-06-22T23:59:59Z
Serial number: 0b1e5da02e42ab23d617368b00a2acac
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 2956418ec2435fa2d233a2699035ee2d3fd5eef2664232f441b76c50fe94f2cf
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
CoinMiner C2:
46.175.148.142:32178

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
46.175.148.142:32178 https://threatfox.abuse.ch/ioc/839392/

Intelligence

File Origin
# of uploads :
1
# of downloads :
549
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Gta 5 Mod Menu.exe
Verdict:
Malicious activity
Analysis date:
2022-07-25 11:31:40 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/8f237bce-1dd3-4336-be00-aa8162f21dec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/293836/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.27006.12005.27326.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27292/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/62ddd8cf7dd0cb902ff9123f/reports/df37dfd1-c626-4832-bcea-6f811723d854/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3378c101-2d6d-4b7b-bc54-13136d178cc6
Result
Threat name:
RedLine, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1040046
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
DNS related to crypt mining pools
Drops PE files to the user root directory
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 672540 Sample: 66Cug1aStg.exe Startdate: 25/07/2022 Architecture: WINDOWS Score: 100 63 xmr-eu1.nanopool.org 2->63 71 Snort IDS alert for network traffic 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 Antivirus detection for dropped file 2->75 77 13 other signatures 2->77 10 66Cug1aStg.exe 2->10         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 10 other processes 2->17 signatures3 process4 dnsIp5 99 Writes to foreign memory regions 10->99 101 Allocates memory in foreign processes 10->101 103 Injects a PE file into a foreign processes 10->103 20 InstallUtil.exe 15 8 10->20         started        105 Changes security center settings (notifications, updates, antivirus, firewall) 13->105 25 MpCmdRun.exe 1 13->25         started        107 Query firmware table information (likely to detect VMs) 15->107 61 127.0.0.1 unknown unknown 17->61 signatures6 process7 dnsIp8 65 46.175.148.142, 32178, 49761 ASLAGIDKOM-NETUA Ukraine 20->65 67 cdn.discordapp.com 162.159.129.233, 443, 49772, 49774 CLOUDFLARENETUS United States 20->67 51 C:\Users\user\AppData\...\WindowsDefender.exe, PE32 20->51 dropped 53 C:\Users\user\AppData\Local\...\Windows.exe, PE32 20->53 dropped 91 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->91 93 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->93 95 Tries to harvest and steal browser information (history, passwords, etc) 20->95 97 Tries to steal Crypto Currency Wallets 20->97 27 WindowsDefender.exe 6 20->27         started        31 Windows.exe 20->31         started        33 conhost.exe 25->33         started        file9 signatures10 process11 file12 55 C:\Users\user\Windows Defender.exe, PE32+ 27->55 dropped 57 C:\Users\user\AppData\Local\svchost.exe, PE32+ 27->57 dropped 109 Antivirus detection for dropped file 27->109 111 Multi AV Scanner detection for dropped file 27->111 113 Machine Learning detection for dropped file 27->113 115 3 other signatures 27->115 35 Windows Defender.exe 27->35         started        38 svchost.exe 27->38         started        41 powershell.exe 27->41         started        43 powershell.exe 27->43         started        59 C:\Program Filesbehaviorgraphoogle\...\launcher.exe, PE32+ 31->59 dropped signatures13 process14 dnsIp15 79 Writes to foreign memory regions 35->79 81 Allocates memory in foreign processes 35->81 83 Creates a thread in another existing process (thread injection) 35->83 45 conhost.exe 35->45         started        69 192.168.2.1 unknown unknown 38->69 85 Antivirus detection for dropped file 38->85 87 Multi AV Scanner detection for dropped file 38->87 89 Machine Learning detection for dropped file 38->89 47 conhost.exe 41->47         started        49 conhost.exe 43->49         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2027e263e2872242faf65b3e6bf249223cb09b8e9b335f44bf3e89b9951be9f9/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Suspicious
First seen:
2022-07-22 13:02:06 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
25 of 40 (62.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eat6ey7cq4ref6xwlm7gx4sjei6lbg4otmzv6rf7h2e3tfi35h4q._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@kukish discovery evasion exploit infostealer spyware stealer upx
Link:
https://tria.ge/reports/220724-3pe4asdeh4/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Looks for VMWare drivers on disk
Possible privilege escalation attempt
Stops running service(s)
UPX packed file
Enumerates VirtualBox DLL files
Looks for VirtualBox drivers on disk
Looks for VirtualBox executables on disk
RedLine
RedLine payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Modifies security service
Malware Config
C2 Extraction:
46.175.148.142:32178
Unpacked files
SH256 hash:
9fe1c61a1f549241908cfd6ce3a9724dddee9803db00407d96129f51b991bb07
MD5 hash:
583199c8ca743ce930004501c3b19dc0
SHA1 hash:
a525615bf2e4040d48d083abe6a2f2ce09a1eee9
Link:
https://www.unpac.me/results/906464f6-4ab7-4cd2-895a-2e64ecf7f991/
SH256 hash:
6c1e6298aa819c00e51057c3bf89cdfdc47f53470bc94577e957c692877e21ba
MD5 hash:
0b4b6e17bd4d06659be004e64a939ee4
SHA1 hash:
7dc81c085e3831016d74abe5367f13b0d46afc7a
Link:
https://www.unpac.me/results/906464f6-4ab7-4cd2-895a-2e64ecf7f991/
SH256 hash:
2027e263e2872242faf65b3e6bf249223cb09b8e9b335f44bf3e89b9951be9f9
MD5 hash:
0fae8a15a0aa82d1d872010e038308ee
SHA1 hash:
3fe712255190fca61ab575252143e23ee2c00800
Link:
https://www.unpac.me/results/906464f6-4ab7-4cd2-895a-2e64ecf7f991/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2027e263e2872242faf65b3e6bf249223cb09b8e9b335f44bf3e89b9951be9f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/293836/

Comments