MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2eb9d2a67aa9761b996f932affd2deab03145b56b96cb9f9ceebfbffc9e866a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 17



SHA256 hash: 2eb9d2a67aa9761b996f932affd2deab03145b56b96cb9f9ceebfbffc9e866a2
SHA3-384 hash: 35f30e53e34bb2f25499e9b88e2e894e68b0c2a9fd1f7879f5fa0ace9a5e877523439623a651face9cf1c5ea02e89dc3
SHA1 hash: 5929cda67aee22ecb44c00d3334d25b7d27ae6a5
MD5 hash: 0a48fdb4519cfd9d0e03a5ed1c2333c6
humanhash: high-blossom-mobile-shade
File name: file
Signature: CoinMiner
File size: 1'071'104 bytes
First seen: 2024-07-26 20:07:58 UTC
Last seen: 2024-07-26 20:25:20 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep: 24576:7Zylsdd2JYkHarbgE1FoBUb8jQaqBDlhbvC4y9iGaITD:iOjmarh1GBCZDlhbvCkGaIX
Threatray: 3'727 similar samples on MalwareBazaar
TLSH: T16F35F105972DAB27E3AE6374D249A818DBF08317374FE71D7DE598A81806F20970D2B7
TrID:
  67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter: Bitsight
Tags: CoinMiner exe


Bitsight
url: http://mktrex155.xyz/ldx111.exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 383
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2eb9d2a67aa9761b996f932affd2deab03145b56b96cb9f9ceebfbffc9e866a2
Verdict: Malicious activity
Analysis date: 2024-07-26 20:37:23 UTC
Tags: loader smokeloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: Execution Network Stealth
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: SmokeLoader
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found malware configuration
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Sigma detected: Search for Antivirus process
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected SmokeLoader
Behaviour
Behavior Graph (graph image not reproduced; data recovered from the graph labels):
Behavior Graph ID: 1483242; Sample: file.exe; Startdate: 26/07/2024; Architecture: WINDOWS; Score: 100
Contacted hosts: mktrex155.xyz (5.182.207.10, ports 63132, 80, SERVERFIELD-AS Serverfield Co Ltd TW, Germany); serverlogs275.xyz (5.101.179.26, ports 63131, 63134, 63135, PAGM-AS EE, Estonia); 51.77.140.74 (ports 63133, 80, OVH FR, France); 2 other IPs or domains
Dropped files: C:\Users\user\AppData\Roaming\furtivg (PE32); C:\Users\user\AppData\Local\Temp\35C3.exe (PE32); C:\Users\user\AppData\Local\Temp\2B71.exe (PE32); C:\Users\user\AppData\Local\...\Surrey.pif (PE32); 2 other malicious files
Process tree: file.exe starts file.exe and cmd.exe (conhost.exe, timeout.exe); the second file.exe injects into explorer.exe; explorer.exe starts explorer.exe, 35C3.exe, 212F.exe and 12 other processes; 35C3.exe starts cmd.exe, which drops and starts Surrey.pif; 212F.exe starts cmd.exe (conhost.exe, timeout.exe); furtivg starts furtivg and cmd.exe (conhost.exe, timeout.exe); Surrey.pif starts cmd.exe (conhost.exe)
Threat name: Win32.Trojan.Jalapeno
Status: Malicious
First seen: 2024-07-26 20:08:08 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:purelogstealer family:smokeloader backdoor discovery stealer trojan
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
PureLog Stealer
PureLog Stealer payload
SmokeLoader
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: d5d58c90dcff1771cc8d9a32654fa654e939b8e9a12d4807d754c5906003c3bf
MD5 hash: 2c314e005524e0f4bf60ae0f9f9c23fb
SHA1 hash: f306dbf04712b50a54ff3fc3244b5e4c45d83cd4

SHA256 hash: b83d47211d27a7c6f0e5a0e5bc43f5fc9f27578ebfa3ce95b00736aa9e9749c7
MD5 hash: 74ea17cefc30cdc60fa4bd84adcb2031
SHA1 hash: d90940768873b5365ad26ece4b5a8dd74a4e73be
Detections: SmokeLoaderStage2 win_smokeloader_a2

SHA256 hash: edcbc3c3b0be4074a419fc8ae8158ebbd38a7cfe549be0fb3abbd9033b4b400a
MD5 hash: c83988085f6908b78842966ad183f9d1
SHA1 hash: 491d74ec8bdfbe45a34a7511ca4f496f4ca39b4b

SHA256 hash: 19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash: 4e29f75c0c51b9dec76955f0382d9541
SHA1 hash: 4899aa8e3f57339cbaec8faab777897a76fe1c3a

SHA256 hash: 78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash: f9d2985aa1c41cca281321fffb5ed424
SHA1 hash: 3a7a58d2dcae2762882357ae34d372744b1dbb9d

SHA256 hash: 2eb9d2a67aa9761b996f932affd2deab03145b56b96cb9f9ceebfbffc9e866a2
MD5 hash: 0a48fdb4519cfd9d0e03a5ed1c2333c6
SHA1 hash: 5929cda67aee22ecb44c00d3334d25b7d27ae6a5

Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
CoinMiner
Executable exe 2eb9d2a67aa9761b996f932affd2deab03145b56b96cb9f9ceebfbffc9e866a2 (this sample)
Dropped by: Amadey
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                               Severity
CHECK_AUTHENTICODE          Missing Authenticode                                high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (GUARD_CF)     high

Comments