MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 238f2b7fac447e403462c7ac92d2493d051d8b046f59b3094490de4eadea8217. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 238f2b7fac447e403462c7ac92d2493d051d8b046f59b3094490de4eadea8217
SHA3-384 hash: 5890578c35de23d0cdf5951b0ffb99159728fe805ed4d1d21c4a2f5876ee6753f89a106af5473636fda0f9dcc1e6f0d8
SHA1 hash: 4362adf9ab072b3f885070f8a9895f74a08b20a5
MD5 hash: 5462d8767b051ba3fc66f78d9ded9f41
humanhash: cup-arkansas-bulldog-music
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:163'328 bytes
First seen:2023-11-06 19:06:49 UTC
Last seen:2023-11-06 20:17:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:dUrszfHnZdgtXhXQy0Ea/f3aXZhagifm7o8HQ6:Iszxd+AyhanKnag4m7o8H
TLSH T1A8F3F144E2F91349D2C69B3A4FA0A3E0837171036A17D76ECDC8E0987D5E7E789C4967
TrID 35.4% (.EXE) Win64 Executable (generic) (10523/12/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter andretavare5
Tags:CoinMiner exe


Avatar
andretavare5
Sample downloaded from http://194.49.94.67/files/Ads.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
440
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.31650.26354.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% directory
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Launching the process to interact with network services
Running batch commands
Blocking the User Account Control
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65493959641154c7e3ec343b/reports/58beba62-98af-40c8-9246-59a033cc6749/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/238f2b7fac447e403462c7ac92d2493d051d8b046f59b3094490de4eadea8217
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1302f4d6-3cbb-48b0-aecd-27f4cf99fe5d
Result
Threat name:
Glupteba, RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1337873
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1337873 Sample: file.exe Startdate: 06/11/2023 Architecture: WINDOWS Score: 100 157 Found malware configuration 2->157 159 Malicious sample detected (through community Yara rule) 2->159 161 Antivirus detection for URL or domain 2->161 163 18 other signatures 2->163 10 file.exe 2 4 2->10         started        13 svchost.exe 1 1 2->13         started        16 powershell.exe 2->16         started        process3 dnsIp4 169 Adds a directory exclusion to Windows Defender 10->169 171 Disables UAC (registry) 10->171 18 CasPol.exe 15 443 10->18         started        23 powershell.exe 23 10->23         started        143 23.60.72.63 AKAMAI-ASUS United States 13->143 145 127.0.0.1 unknown unknown 13->145 25 conhost.exe 16->25         started        signatures5 process6 dnsIp7 123 107.167.110.211 OPERASOFTWAREUS United States 18->123 125 194.49.94.67 EQUEST-ASNL unknown 18->125 127 13 other IPs or domains 18->127 75 C:\Users\...\znVBzndDRZI2LZuOYpxuCByS.exe, PE32 18->75 dropped 77 C:\Users\...\z7LRbtDsOKGyuawIFeZ402im.exe, PE32 18->77 dropped 79 C:\Users\...\y5IdtedeAbHPy4kAzHQvQx4I.exe, PE32 18->79 dropped 81 255 other malicious files 18->81 dropped 165 Drops script or batch files to the startup folder 18->165 167 Creates HTML files with .exe extension (expired dropper behavior) 18->167 27 RlVxEOro3oIjb1g3dlvSGNdp.exe 18->27         started        31 dl5N0CSv54nh95kvPngOSrBH.exe 18->31         started        34 NNBnfdlMcYf4n6xmy99EE2D3.exe 18->34         started        38 16 other processes 18->38 36 conhost.exe 23->36         started        file8 signatures9 process10 dnsIp11 129 107.167.110.218 OPERASOFTWAREUS United States 27->129 131 107.167.125.189 OPERASOFTWAREUS United States 27->131 141 5 other IPs or domains 27->141 105 Opera_installer_2311061907590647608.dll, PE32 27->105 dropped 107 C:\Users\user\AppData\Local\...\opera_package, PE32 27->107 dropped 117 4 other malicious files 27->117 dropped 40 RlVxEOro3oIjb1g3dlvSGNdp.exe 27->40         started        43 RlVxEOro3oIjb1g3dlvSGNdp.exe 27->43         started        45 RlVxEOro3oIjb1g3dlvSGNdp.exe 27->45         started        133 5.182.38.138 VMAGE-ASRU Russian Federation 31->133 135 149.154.167.99 TELEGRAMRU United Kingdom 31->135 137 195.201.34.151 HETZNER-ASDE Germany 31->137 119 6 other files (4 malicious) 31->119 dropped 179 Detected unpacking (changes PE section rights) 31->179 181 Detected unpacking (overwrites its own PE header) 31->181 183 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->183 193 3 other signatures 31->193 139 172.67.222.167 CLOUDFLARENETUS United States 34->139 109 C:\Users\user\AppData\Roaming\...\IfumU2.exe, PE32 34->109 dropped 47 IfumU2.exe 34->47         started        111 C:\Users\user\AppData\Local\...\is-TLKNQ.tmp, PE32 38->111 dropped 113 C:\Users\user\AppData\Local\...\is-9VS13.tmp, PE32 38->113 dropped 115 C:\Users\user\AppData\Local\...\is-DKQ49.tmp, PE32 38->115 dropped 121 7 other malicious files 38->121 dropped 185 Found Tor onion address 38->185 187 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 38->187 189 Modifies the hosts file 38->189 191 Adds a directory exclusion to Windows Defender 38->191 50 is-TLKNQ.tmp 38->50         started        52 is-DKQ49.tmp 38->52         started        54 BNIautCJGGc0Xx757xegM9mz.exe 38->54         started        56 3 other processes 38->56 file12 signatures13 process14 file15 95 20 other malicious files 40->95 dropped 58 RlVxEOro3oIjb1g3dlvSGNdp.exe 40->58         started        83 Opera_installer_2311061907597977668.dll, PE32 43->83 dropped 85 Opera_installer_2311061908007937796.dll, PE32 45->85 dropped 195 Writes to foreign memory regions 47->195 197 Allocates memory in foreign processes 47->197 199 Injects a PE file into a foreign processes 47->199 61 AppLaunch.exe 47->61         started        97 27 other files (4 malicious) 50->97 dropped 65 VResource.exe 50->65         started        67 net.exe 50->67         started        69 VResource.exe 50->69         started        87 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 52->87 dropped 89 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 52->89 dropped 99 23 other files (1 malicious) 52->99 dropped 91 Opera_installer_2311061908100337908.dll, PE32 54->91 dropped 93 Opera_installer_2311061908114367436.dll, PE32 56->93 dropped signatures16 process17 dnsIp18 101 Opera_installer_2311061908029198044.dll, PE32 58->101 dropped 147 185.183.35.128 WORLDSTREAMNL Netherlands 61->147 149 104.26.12.31 CLOUDFLARENETUS United States 61->149 173 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 61->173 175 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 61->175 177 Tries to harvest and steal browser information (history, passwords, etc) 61->177 103 C:\ProgramData\...\VideoSelector.exe, PE32 65->103 dropped 71 conhost.exe 67->71         started        73 net1.exe 67->73         started        151 217.23.6.51 WORLDSTREAMNL Netherlands 69->151 153 217.23.9.168 WORLDSTREAMNL Netherlands 69->153 155 4 other IPs or domains 69->155 file19 signatures20 process21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/238f2b7fac447e403462c7ac92d2493d051d8b046f59b3094490de4eadea8217
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/238f2b7fac447e403462c7ac92d2493d051d8b046f59b3094490de4eadea8217/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-11-06 19:07:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
8 of 24 (33.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eohsw75mir7eandcy6wjfusjhucr3cyen5m3gckesdpe5lpkqilq._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:vidar family:xmrig botnet:8036442451e00fa27a235c4a80cbfb3c discovery dropper evasion loader miner persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/231106-xsl35adc8z/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Unexpected DNS network traffic destination
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
XMRig Miner payload
Glupteba
Glupteba payload
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Vidar
Windows security bypass
xmrig
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199566884947
https://t.me/octobrains
Unpacked files
SH256 hash:
9f0595233b5eacb68d34b3ea528a37036f384df9d6cf0fe0989c0f1781c5a7a2
MD5 hash:
b07f4d6cc6c892c968f1bfb2b5138d69
SHA1 hash:
7adf3a0e4a12a63fa1e88e0f6b17ea684e04808a
Link:
https://www.unpac.me/results/ba1eee4a-eda7-4c2b-97f1-8d1dc6df6496/
SH256 hash:
238f2b7fac447e403462c7ac92d2493d051d8b046f59b3094490de4eadea8217
MD5 hash:
5462d8767b051ba3fc66f78d9ded9f41
SHA1 hash:
4362adf9ab072b3f885070f8a9895f74a08b20a5
Link:
https://www.unpac.me/results/ba1eee4a-eda7-4c2b-97f1-8d1dc6df6496/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/238f2b7fac44/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/238f2b7fac447e403462c7ac92d2493d051d8b046f59b3094490de4eadea8217

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2728645/

Comments