MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35c45ea469ba26fe2b6d8dfc626006070a5b27378c060b1c7e38edb94a26490c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 15


Intelligence 15 IOCs 2 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35c45ea469ba26fe2b6d8dfc626006070a5b27378c060b1c7e38edb94a26490c
SHA3-384 hash: d4bed84d9befdaee8276a29b55c16801939a956b21cc6ba1d39251f202bf77303f37c8ca92150bc8f973e7a23624c3b1
SHA1 hash: e14935e400d03526d972c5f3948ad718e7155525
MD5 hash: 5bd89f22193f6b9f30286ecff6eed072
humanhash: ack-don-tennis-eight
File name:5bd89f22193f6b9f30286ecff6eed072.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:360'960 bytes
First seen:2022-10-27 03:45:32 UTC
Last seen:2022-10-27 05:08:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 787d271a2df462be9e8efbef70e9c88f (3 x ArkeiStealer, 2 x RedLineStealer, 2 x CoinMiner)
ssdeep 6144:uVg7Y+ceBD+MMkUZhMQN4HqeZnCm0AOAx+32jG4WNC9uFVzj3kSFRdh:u+Y+ceBD+DLhJtZOXtuXkSHdh
Threatray 817 similar samples on MalwareBazaar
TLSH T15874AE10B0958031EC33123649FDD6B99A6CB92387A35FEB5B880F9F4F215D1E639A71
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:CoinMiner exe


Avatar
abuse_ch
CoinMiner C2:
http://95.217.29.33/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://95.217.29.33/ https://threatfox.abuse.ch/ioc/950016/
193.164.16.192:47029 https://threatfox.abuse.ch/ioc/950795/

Intelligence

File Origin
# of uploads :
2
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
5bd89f22193f6b9f30286ecff6eed072.exe
Verdict:
Malicious activity
Analysis date:
2022-10-27 03:46:32 UTC
Tags:
trojan rat redline loader stealer vidar
Link:
https://app.any.run/tasks/31735e7d-a744-4328-af5c-6ac299304e46

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/324662/
Detection(s):
SecuriteInfo.com.Trojan.PWS.StealerNET.125.16984.9219.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Stealing user critical data
Launching the process to change the firewall settings
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45837/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ec2da811-c19a-4f1c-b4dc-7a0ba8a8e579
Result
Threat name:
Laplas Clipper, RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1098924
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Laplas Clipper
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 731576 Sample: YQ1u1r2mGC.exe Startdate: 27/10/2022 Architecture: WINDOWS Score: 100 102 na.luckpool.net 2->102 104 clipper.guru 2->104 120 Snort IDS alert for network traffic 2->120 122 Malicious sample detected (through community Yara rule) 2->122 124 Antivirus detection for URL or domain 2->124 126 12 other signatures 2->126 11 YQ1u1r2mGC.exe 2->11         started        14 svcupdater.exe 2->14         started        16 chrome.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 signatures5 174 Contains functionality to inject code into remote processes 11->174 176 Writes to foreign memory regions 11->176 178 Allocates memory in foreign processes 11->178 180 Injects a PE file into a foreign processes 11->180 20 RegSvcs.exe 15 12 11->20         started        182 Multi AV Scanner detection for dropped file 14->182 184 Machine Learning detection for dropped file 14->184 process6 dnsIp7 114 193.164.16.192, 47029, 49696 AT-ASRU Russian Federation 20->114 116 transfer.sh 144.76.136.153, 443, 49699, 49703 HETZNER-ASDE Germany 20->116 118 3 other IPs or domains 20->118 84 C:\Users\user\AppData\Local\...\filename.exe, PE32+ 20->84 dropped 86 C:\Users\user\AppData\Local\...\ofg.exe, PE32 20->86 dropped 88 C:\Users\user\AppData\Local\...\chrome.exe, MS-DOS 20->88 dropped 90 2 other malicious files 20->90 dropped 148 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->148 150 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->150 152 Tries to harvest and steal browser information (history, passwords, etc) 20->152 154 Tries to steal Crypto Currency Wallets 20->154 25 chrome.exe 1 20->25         started        29 app.exe 1 20->29         started        31 ofg.exe 20->31         started        33 2 other processes 20->33 file8 signatures9 process10 file11 92 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 25->92 dropped 156 Multi AV Scanner detection for dropped file 25->156 158 Detected unpacking (changes PE section rights) 25->158 160 Machine Learning detection for dropped file 25->160 172 3 other signatures 25->172 35 GoogleUpdate.exe 25->35         started        39 powershell.exe 21 25->39         started        50 2 other processes 25->50 162 Writes to foreign memory regions 29->162 164 Allocates memory in foreign processes 29->164 166 Injects a PE file into a foreign processes 29->166 41 vbc.exe 29->41         started        52 3 other processes 29->52 94 C:\Users\user\AppData\...\svcupdater.exe, PE32 31->94 dropped 44 cmd.exe 31->44         started        96 C:\ProgramData\Updater\VCXRYF.exe, PE32+ 33->96 dropped 98 C:\Program Files\fghjk.exe, PE32+ 33->98 dropped 168 Antivirus detection for dropped file 33->168 170 Adds a directory exclusion to Windows Defender 33->170 46 cmd.exe 33->46         started        48 powershell.exe 33->48         started        54 2 other processes 33->54 signatures12 process13 dnsIp14 106 141.95.93.178, 443, 49701, 49704 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 35->106 108 api.peer2profit.com 172.66.43.60, 443, 49700, 49702 CLOUDFLARENETUS United States 35->108 128 Detected unpacking (changes PE section rights) 35->128 130 Detected unpacking (overwrites its own PE header) 35->130 132 Uses netsh to modify the Windows network and firewall settings 35->132 134 Modifies the windows firewall 35->134 56 netsh.exe 35->56         started        62 2 other processes 35->62 58 conhost.exe 39->58         started        110 t.me 149.154.167.99, 443, 49829 TELEGRAMRU United Kingdom 41->110 112 95.217.29.33, 49835, 80 HETZNER-ASDE Germany 41->112 100 C:\ProgramData\sqlite3.dll, PE32 41->100 dropped 136 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 41->136 138 Tries to harvest and steal browser information (history, passwords, etc) 41->138 140 DLL side loading technique detected 41->140 142 Tries to steal Crypto Currency Wallets 41->142 60 cmd.exe 41->60         started        144 Uses powercfg.exe to modify the power settings 44->144 146 Modifies power options to not sleep / hibernate 44->146 64 2 other processes 44->64 66 5 other processes 46->66 68 2 other processes 48->68 70 2 other processes 50->70 72 2 other processes 54->72 file15 signatures16 process17 process18 74 conhost.exe 56->74         started        76 conhost.exe 60->76         started        78 timeout.exe 60->78         started        80 conhost.exe 62->80         started        82 conhost.exe 62->82         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35c45ea469ba26fe2b6d8dfc626006070a5b27378c060b1c7e38edb94a26490c/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2022-10-23 14:27:08 UTC
File Type:
PE (Exe)
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gxcf5jdjxitp4k3nrx6geyaga4ffwjzxrqdawhd6hdw3ssrgjega._file
Verdict:
malicious
Similar samples:
23cfd8c9a0984ddedc9c97cb9effaf1998bb44110a4c490924109a2f0bbbda02
CoinMiner
3e12feacf2c7f28a71ade378c01afb4ff35c137e43840d3570cf1e820414f0c1
CoinMiner
6a4b9c18783615adb849fdf2951023243f4a7e70d050a912c9dfad60a537fe28
CoinMiner
84bdcbcb4f0c101eaf448ef5c1d727590b3a35e08a9fd94cc21b500760c8d172
CoinMiner
d1044c3ddb7c69269654bdf6c25b0a3640b2a1be2caed5637b81b96ebdf04497
CoinMiner
d92db9c78fa87d6a9daf30ba9abc7056480f541d7a6b0b17a9f100109df8e6c9
CoinMiner
fb0816b55ce0416b43f909bd41ec2083d8b1715b0765c04cd09eac6ef5c804e5
CoinMiner
+ 807 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:1707 evasion infostealer spyware stealer
Link:
https://tria.ge/reports/221027-ebmn8aaec2/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
RedLine
RedLine payload
Vidar
Malware Config
C2 Extraction:
193.164.16.192:47029
https://t.me/slivetalks
https://c.im/@xinibin420
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f1379933-7c5b-423d-b91a-23406868a83f
Unpacked files
SH256 hash:
35c45ea469ba26fe2b6d8dfc626006070a5b27378c060b1c7e38edb94a26490c
MD5 hash:
5bd89f22193f6b9f30286ecff6eed072
SHA1 hash:
e14935e400d03526d972c5f3948ad718e7155525
Link:
https://www.unpac.me/results/d870198d-a270-4f3f-bb55-f5bc20de2925/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35c45ea469ba26fe2b6d8dfc626006070a5b27378c060b1c7e38edb94a26490c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/324662/

Comments