MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33b18a85c6b49af6f5025ada7db397fad10b6e1d0c25d98b9ac557c3024a2ac4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33b18a85c6b49af6f5025ada7db397fad10b6e1d0c25d98b9ac557c3024a2ac4
SHA3-384 hash: e895e75e8d7f5a41d2a1410821f6d24307ace63009083aadf663af7c2a144b2f53d0de120e234b8e7733f80a58fe4d90
SHA1 hash: 414842ce90f8968f397a731e447a4559155f4e6a
MD5 hash: 4ba8a6af59b167aa45b1c9aae4a8f682
humanhash: moon-steak-spring-july
File name:ProtonVPNcrack.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:10'558'770 bytes
First seen:2021-12-05 20:49:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 196608:qeclZZigEom5TmcP11Ts5Sp1sUHKB3zf1WkSJYVjiQYEyMZZsK:7zam5Xtdskp1gumRvZZsK
Threatray 178 similar samples on MalwareBazaar
TLSH T1BBB63312789701BEDD731A79212BA271873835300FA85A7FE7F08DDC5E3A5C0AA65793
File icon (PE):PE icon
dhash icon 35c2c46c6ba6a459 (1 x CoinMiner, 1 x RedLineStealer)
Reporter JaffaCakes118
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ProtonVPNcrack.exe
Verdict:
Malicious activity
Analysis date:
2021-12-05 20:49:12 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/47c0fb45-89dd-44ef-9ae7-faaaf4f4b68c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
EnigmaStub
Create hunting rule
Link:
https://www.capesandbox.com/analysis/211517/
Detection(s):
SecuriteInfo.com.Gen.Variant.Razy.582340.18684.14597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
DNS request
Running batch commands
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/951/overview
Behaviour
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/61ad25ff4d8e6f3a5e12bae4/reports/d0b0b0e9-e6c0-4bc1-ae59-3eb26f2ea110/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/711992c3-bebf-4040-abdb-a5e571fdd206
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33b18a85c6b49af6f5025ada7db397fad10b6e1d0c25d98b9ac557c3024a2ac4/
Threat name:
Win32.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2021-12-05 20:50:35 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
24 of 28 (85.71%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=goyyvbogwsnpn5icllnh3m4x7liqw3q5bqs5tc42yvl4gaskflca._file
Verdict:
suspicious
Similar samples:
021aed248cfbe2b30f4ab53d7ec95ab8ce1a176d5d92d8c7cd03a39590683574
CoinMiner
7ee9fb0abc60de5047fb5e85cafc5a05383978bb1653a8ae824437488238d611
CoinMiner
89ccef77d5908319e35ae3824b760f10dc8780e01f9ad4dac0e42ea9af498af1
CoinMiner
8d59b88d0b88becf9f74354310db278563eb469ecf535146dc0a1f2c0d79de53
CoinMiner
8ec387e2f939562019e489bedf349bb3807713a0168021ec2505aa7d392b04d4
CoinMiner
c18cf6f2677277c4885ccb069d4e65b8c97c96c0ea72cee5d8e6a2d018d74ed0
CoinMiner
d85729ff4ca88aa327cddaa027645f17a18bdce1ac9fa6555766e009c80897a6
CoinMiner
+ 168 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:xmrig discovery evasion infostealer miner spyware stealer trojan
Link:
https://tria.ge/reports/211205-zmkzzschcq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
RedLine
RedLine Payload
xmrig
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/f08493a6-70bc-41f5-90bd-adb85cc965b0/
SH256 hash:
33b18a85c6b49af6f5025ada7db397fad10b6e1d0c25d98b9ac557c3024a2ac4
MD5 hash:
4ba8a6af59b167aa45b1c9aae4a8f682
SHA1 hash:
414842ce90f8968f397a731e447a4559155f4e6a
Link:
https://www.unpac.me/results/f08493a6-70bc-41f5-90bd-adb85cc965b0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/33b18a85c6b4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/33b18a85c6b49af6f5025ada7db397fad10b6e1d0c25d98b9ac557c3024a2ac4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 33b18a85c6b49af6f5025ada7db397fad10b6e1d0c25d98b9ac557c3024a2ac4

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/211517/

Comments