MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a3cf64b3e5945a491befc240c35b0d12a4e6c42af37a9d6df6cf457c49c53b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner
Vendor detections: 12



SHA256 hash: 3a3cf64b3e5945a491befc240c35b0d12a4e6c42af37a9d6df6cf457c49c53b1
SHA3-384 hash: 65201a84c9fd8d11209ff26765d04d5e1366e12248f54293e9efac12e5016c4cf9e4313336f2547b737b644756fdac97
SHA1 hash: c21d22edc7fe7d20802bd80563ed1b343d30ce79
MD5 hash: b1a39ffcffb09c433d76def7702d851a
humanhash: eleven-pip-pasta-oxygen
File name: b1a39ffcffb09c433d76def7702d851a.exe
Signature: CoinMiner
File size: 15'379'174 bytes
First seen: 2021-12-13 20:07:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 393216:J43Bcajy5cx9AcNRG4I2JROUza+ahH+dTJe4Z9s:J42aGmlGZ5H+dTLC
Threatray: 799 similar samples on MalwareBazaar
TLSH: T171F6338F63E624E5C241EA319068B3B3EEE98428263545B84F5634CDEF409EC5FEE535
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: CoinMiner exe


abuse_ch
CoinMiner C2:
185.215.113.29:34865

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox reference
185.215.113.29:34865    https://threatfox.abuse.ch/ioc/275409/
141.94.105.6:13633      https://threatfox.abuse.ch/ioc/275420/
2.56.57.226:58019       https://threatfox.abuse.ch/ioc/275421/

Intelligence


File Origin
# of uploads: 1
# of downloads: 302
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b1a39ffcffb09c433d76def7702d851a.exe
Verdict: No threats detected
Analysis date: 2021-12-13 21:29:18 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Launching a process
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Raccoon RedLine SmokeLoader Socelars Vid
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Execution Of Other File Type Than .exe
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph (ID 539187; sample diBfYpFaeM.exe; start date 13/12/2021; architecture WINDOWS; score 100):
diBfYpFaeM.exe (started)
  Network: 37.0.10.199 WKD-ASIE Netherlands; 185.215.113.208 WHOLESALECONNECTIONSNL Portugal; 28 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus detection for dropped file; 30 other signatures
  Dropped: C:\Users\user\AppData\...\setup_installer.exe, PE32
  -> setup_installer.exe (started)
     Dropped: C:\Users\user\AppData\...\setup_install.exe, PE32; C:\Users\user\AppData\...\Wed06fc5122a89.exe, PE32; C:\Users\user\...\Wed06fabc97998c6c.exe, PE32+; 23 other files (17 malicious)
     -> setup_install.exe (started)
        Signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
        -> cmd.exe -> Wed0657e60aa3479c.exe
              Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 4 other signatures
        -> cmd.exe -> Wed06e0be58a9a1c4d.exe
              Signatures: Detected unpacking (overwrites its own PE header); Injects a PE file into a foreign processes; Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
              -> Wed06e0be58a9a1c4d.exe (second instance)
                    Network: 103.70.137.155 VALUEHOSTED-ASTHEVALUEHOSTEDPVTLIMITEDPK Pakistan
        -> cmd.exe -> Wed06d094df07068a7.exe
              Network: 148.251.234.83 HETZNER-ASDE Germany; 8.8.8.8 GOOGLEUS United States; 2 other IPs or domains
              Dropped: C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32
              Signatures: Antivirus detection for dropped file; Creates processes via WMI
        -> 9 other processes
              Signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
              -> Wed06e8985bab65939.exe
              -> Wed06274025af.exe
                    Dropped: C:\Users\user\AppData\...\Wed06274025af.tmp, PE32
                    Signatures: Obfuscated command line found
              -> Wed06de78316a25.exe
                    Signatures: Adds a directory exclusion to Windows Defender
              -> 3 other processes
Threat name: Win32.Backdoor.Mokes
Status: Malicious
First seen: 2021-12-08 17:46:23 UTC
File Type: PE (Exe)
Extracted files: 423
AV detection: 22 of 28 (78.57%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:raccoon family:redline family:socelars family:vidar botnet:03.12_build_3 botnet:4da27d123a577c68e42716053343dd3f8da508a2 botnet:efc20640b4b1564934471e6297b87d8657db774a aspackv2 discovery evasion infostealer spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
NirSoft WebBrowserPassView
Nirsoft
Raccoon
RedLine
RedLine Payload
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
http://www.wgqpw.com/
45.9.20.221:15590
Unpacked files

SHA256 hash: 1908cac443610b332e8adfc72481d2a225b72e679ff468d1643782e9c2d96e7c
MD5 hash: 60d12965e7dd763580b316f0743731c6
SHA1 hash: 54b2f29a834a6f9e931a19e3f53c27a132e19c19

SHA256 hash: 3bb55b0de90de0cc651dba71c869675c4fb5cfd1b9b21bd4957f1680f7506f06
MD5 hash: f9d056f1d085e83a64c8ef2ba5f3be52
SHA1 hash: bf04d73f991d0e45d459a5341593524e4e498801

SHA256 hash: b19104b568ca3ddccc2a8d3d10ecddb1ea240171e798dc3a486292cfa14b6365
MD5 hash: 7b0900da932f4ed9630d65b04422736d
SHA1 hash: 6fa340436e3a8e73ae2b3e911f861483183c68ef

SHA256 hash: c2af7c600bb6c62e089fb2a54f965d4a054ae2a149b70f00eff8b22e60e2c84f
MD5 hash: f394ceab5c1b95f24145caf02d1f652e
SHA1 hash: 86f5a9596d5d4e50c5f65a65e38ae414055a18a4

SHA256 hash: da37723dbc887717a85940cdc3bda4a630d31e94a7af355558452a7c8d8ca5de
MD5 hash: 18f6ecc14ec6cbf833e7ab3dd31b5b36
SHA1 hash: c2da6b4b158331a7f7bb9fa47f111e6fec7b8ecb

SHA256 hash: 63525b0c1ef894632109c3169876b9e2ce728e38ed7f7c574021d5261d56e502
MD5 hash: ff9b14f4f607a81117cc58916332262e
SHA1 hash: aed4fe230075f2a067e4ac61fac117aaeb5ef6f9

SHA256 hash: d51ab967ebe9743a94b1a8c25d6495b3f29ad5db65e8ff24fdccd3f4cf9468b3
MD5 hash: a63ebf5064a9afb6bfdf62692c12a4ec
SHA1 hash: d1a16d3e0da466448d3e653cc5bca7db7a42e312

SHA256 hash: a9ce388d6bf8993725554fd178640ac10d8a194194f4f09b31e0465b83a975b0
MD5 hash: 33b0faae2f9635e7650cde45e82a12ba
SHA1 hash: 0acbfbbf81760a70b05f617717eee9ff4b4aacdc

SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: 6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash: c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash: a43a5a59038fca5a63fa526277f241f855177ce6

SHA256 hash: ee821f8bf24cec68cced8a322129e322a9e5a20f2d92dd2f0b0827aff4711343
MD5 hash: 5eda69604c85537ab3fbaf77da60b2cb
SHA1 hash: 5d0a8f3efa0b26f52fe36eac2583ac419b6dd11d

SHA256 hash: a79bdefdfee7d93c5f40f58ec3ee4dddc2fd5cc5a825a8bae82cc10b2ebbd57e
MD5 hash: 538c3da0b00bb4b267a5661621498a2a
SHA1 hash: e697df73133cf9fe30cec5812187af3813cc27a5

SHA256 hash: 24b97ba37ecb18d76edd5a0252bc83af0a2e1f0829a392f57f7079ac3d37d45f
MD5 hash: be81cb0ab446ef562fe7bf61a286e48e
SHA1 hash: df0fcd6713e7b4be5dbcac486adedee0f62b2210

SHA256 hash: d0827b80db9fcd3e05c3f53f0cdaa0cb66667cc1e45c82a7e91a808ab0f92ec7
MD5 hash: 2f2f354704b1256d6ac4f0f7a32a22a2
SHA1 hash: d31943845c2ee57fffd0c0ddbb6603a814949a7e

SHA256 hash: 2a8d4016d47cd9824c025214fd5880384150dc64ad2a440c7cde620c131112ff
MD5 hash: e333e3b0a2eabad2a5422bf80740fd19
SHA1 hash: d20bf0b4f59b19cca12b7ea541dc3a581052944d

SHA256 hash: 64317ea88e4a66f651aeff17e7baa7a140836db94406b004a2ee213c6916cca5
MD5 hash: 69f7b12de72604fece6d4139a2922569
SHA1 hash: d1a12bdc4db8f566e21be7b64c3f9d414bf08707

SHA256 hash: ee2cc85a8e1972a29ce67ab0218d5daa8fc9b67f36111c71eccaf6da05219d19
MD5 hash: f6271f82a952f96ba9271a4a27c9f22f
SHA1 hash: d12708b9e39a0cd06add96316b65f1668d6a1246

SHA256 hash: 46137ceef7b178ae5d148da4994173846b29e89404469f178e1fc7c48c153d1e
MD5 hash: e54ba96583d05ed2eb3296b236962e1e
SHA1 hash: cfd8ec7f597de3437a6eb2c79880e4f5bda28c5e

SHA256 hash: a8fb7d0fea3037b1aee1899a46918d5413251131bfc0da9bf1752429994251a2
MD5 hash: 370a2e64392fcb58c48f4ee4f9ad90bd
SHA1 hash: c07bafa98fc4dabd5413522fd6103796bfdeaacb

SHA256 hash: 64f55d5e15b9dbbb0d6e16ffb9aceaee91ee440beef80e4cd1b74b0ded11c7c1
MD5 hash: 1404f942070e57b2ef0b6b3693f730be
SHA1 hash: 7ef83b925afb34c52627b66ad960400fbc1bf776

SHA256 hash: 06931180fa37ccb23c480ae8a9e63d4a00b7dd5f771a26bf92e63c63953b5680
MD5 hash: 750c277e66adb0d4582bc5f2298f36b0
SHA1 hash: 6415c3b9b57ecf533eb2267115e3897714cbf50f

SHA256 hash: eb66c18a9677e2bc793ae867658015d59a52aede8e01aac29deb36f9e45e5799
MD5 hash: 4e2a575495500635f1c9a71d6c539661
SHA1 hash: 49c2163a2658facd504e6aa167c552420f065f45

SHA256 hash: 53a13d9b85c62c225f80677e7e84f0e4b3980c0695a7606212176326f2ee72e0
MD5 hash: ba4548a88c431f3b9e3777e165a62f60
SHA1 hash: 412ca7d19a5bbc44fe0382a59f1bbae0eb1be44d

SHA256 hash: deccbafba786dcc9d2b819c6af7bbf7935f26a8fc8dbd46694108c6d876f223d
MD5 hash: 64cfa930eee29215af3ecb7c0a978497
SHA1 hash: 3304dff61dae41bd44928e866260a8cbe5c93e28

SHA256 hash: 12b017a79bd64c85c2651d14a72bf2986144ee57d070ec87801362dedc906b2b
MD5 hash: c360fbaf443bb6f8f3d6a3efac321cd4
SHA1 hash: 2f5e9d3830ba64233ff3553fa30e149fac459c12

SHA256 hash: 3e627ea5a0a3ed72c6f60b3a9c3ee0a2264cc22178ea20aba1cedb43919a60e3
MD5 hash: ebfee6765c7e448e3ea21b40550d1a70
SHA1 hash: 08464d94727b3a9f523b93ddbaf21191c65214e5

SHA256 hash: cf1ed8957d4825743d39f19529138de7131ca8f506440ddc1774f4640dffc599
MD5 hash: ded1c6e8c89148495fc19734e47b664d
SHA1 hash: 3a444aeacd154f8d66bca8a98615765c25eb3d41

SHA256 hash: 9c00e935a41bb1dc0b2b65ac18c0a1be05bdc555676e7eb8a830590b52e55436
MD5 hash: e7526d8f9a8f888b75b85f9a1ebae3dc
SHA1 hash: 79ca1cbf3184302db8defa924c43295106021c7e

SHA256 hash: 3d966268571cf0a83f327df99ffd7441ffe65ad098f1db2fff8dd6a5d5233796
MD5 hash: 541501763132091ca1571883622b2c81
SHA1 hash: 17f0073da00f8511abc7b4dd5d018f043c0c5489

SHA256 hash: fdfcbc8cfb57a3451a3d148e50794772d477ed6cc434acc779f1f0dd63e93f4b
MD5 hash: a6865d7dffcc927d975be63b76147e20
SHA1 hash: 28e7edab84163cc2d0c864820bef89bae6f56bf8

SHA256 hash: 6d3a5fa28a27c60a59ab6e6b01e673a9689f8797da8e80b52290160723a727d9
MD5 hash: 6f343596bd5e45835310166f8b66cbed
SHA1 hash: 1a8adb35f761f01c7e2035e4d2eebd22df50dee1

SHA256 hash: d63273921b1f19de7cf7aa0444d4e13bbaf14163145993464c9d57da9a1796d8
MD5 hash: 5b4abd0a093f83ff1b6470a3cc950a84
SHA1 hash: 266663dd00a77922ffd151a281a1850bafb95011

SHA256 hash: a86711895e6b0f5965c911b552fddec5965b3de8e403ec052fe87a104563072c
MD5 hash: ec1f500cd82cfd4d6d2ee07e193c57c1
SHA1 hash: cdcfb554a3378fcbe728cb032e64f63c6a838fa9

SHA256 hash: 9e964d5475264912f9f37fca1eab1894f39b4fadf16d511cc7cabc89799dacf2
MD5 hash: 99da60c67e91833f0f14a35239d88d3e
SHA1 hash: 9f113821a70dc68b6461e7049ed36b169e3091d1

SHA256 hash: 17eba5a8fc60b5e62fbbea29e971691988da98a98db3a2c2bf9aad00b1b72dc4
MD5 hash: e74d9b73743dfbb9f025a7908c85da37
SHA1 hash: 8a5b323b090cb0d2c4ff59f0ef520d323dd86097

SHA256 hash: 6c9ce72759d9e786bb76a4cc7b8fd1bf97152ba416ca4b98760c5384a8a1c109
MD5 hash: 904c3c13feee679295f092925454bfae
SHA1 hash: b81764bff9f98d633bf5d6399af6b36467587d7a

SHA256 hash: 772ff87d10117f8783dc5c58f76cf25cc92cb9f17355722e9d2a89ad5efe1972
MD5 hash: 8ea7619c6cb890058333572d71439680
SHA1 hash: 1454744fa83ba1f5727aafe6a7ed827e27ec75db

SHA256 hash: e6c2bdf7bf9615e0930a0bdbdb4c0b849f94f48a308b58cdae14d1ff51327df0
MD5 hash: 9385d717a77948d95c409f0927a38263
SHA1 hash: dd41f078b80d4e44e24528bb5fe112bb556bcfa8

SHA256 hash: 5ee4260e238ec8f0859d48b86a0dad1829535c96bdf815f414523b4e330e05a1
MD5 hash: 517cc7b57adca764cbb4cea45cbdd657
SHA1 hash: 41475fc54273f60e931d66d712887959d8e00b77

SHA256 hash: 3a3cf64b3e5945a491befc240c35b0d12a4e6c42af37a9d6df6cf457c49c53b1
MD5 hash: b1a39ffcffb09c433d76def7702d851a
SHA1 hash: c21d22edc7fe7d20802bd80563ed1b343d30ce79
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments