MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 3a6ca6a75525505890dc5d13ab3d888135b1cb4922605be0ee447579305b5e4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
CoinMiner
Vendor detections: 13
| SHA256 hash: | 3a6ca6a75525505890dc5d13ab3d888135b1cb4922605be0ee447579305b5e4b |
|---|---|
| SHA3-384 hash: | a45faca5800325b7dba6bdd7223d4c7037d32ba3f13cd4b0dd3dfb952283197b8d7711d620bc25c3595d6a91082aaafc |
| SHA1 hash: | de73837e5007a4ccda1f011ecf2a3ca9c2f1800d |
| MD5 hash: | e4abe46c7a7221dbbdb27ea661c0d582 |
| humanhash: | dakota-nitrogen-zulu-table |
| File name: | 3A6CA6A75525505890DC5D13AB3D888135B1CB4922605.exe |
| Signature | CoinMiner |
| File size: | 4'053'086 bytes |
| First seen: | 2022-01-05 13:36:11 UTC |
| Last seen: | Never |
| MIME type: | application/x-dosexec |
| imphash | 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer) |
| ssdeep | 98304:x42+b8wNlWxevCUor7wop94XD+3NvoGcZqzNIX:xByWgtorMor4XDaNvoGoWNIX |
| TLSH | T130163310BEE7C87FDA210130D955AB6677FED20DA3158EE7B7208B4A532E11AC07EB54 |
| dhash icon | 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox) |
| Tags: | CoinMiner exe |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware sample.
| IOC | ThreatFox Reference |
|---|---|
| http://116.202.186.120/ | https://threatfox.abuse.ch/ioc/290704/ |
| 185.151.240.132:33087 | https://threatfox.abuse.ch/ioc/290926/ |
Intelligence
File Origin
# of uploads: 1
# of downloads: 234
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 3A6CA6A75525505890DC5D13AB3D888135B1CB4922605.exe
Verdict: No threats detected
Analysis date: 2022-01-05 13:41:44 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection: RedLine
Result
Verdict: Malware
Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching a process
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Sending an HTTP GET request
Reading critical registry keys
Creating a file
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP GET request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys mokes overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Socelars
Verdict: Malicious
Result
Threat name: RedLine Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
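Three of the static signatures above ("PE file contains section with special chars", "PE file has a writeable .text section", "PE file has nameless sections") plus the "Detected unpacking (changes PE section rights)" and ASPack tags all come from the section table alone. The following is an added example, not code from MalwareBazaar or any of the sandbox vendors: a stdlib-only section-table parser that reproduces those checks, together with a constructed header-only PE32 builder so it can run offline against a clean layout and a packer-shaped one (the constructed layouts are illustrative and are not this sample's real headers; the "sane name" character set and the "executable but no raw data" heuristic are the editor's own thresholds, not the vendor's definitions).

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Bytes accepted in a section name; anything else counts as "special".
# This threshold is the editor's assumption, not the sandbox vendor's definition.
SANE_NAME_BYTES = frozenset(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$-")

COFF_FMT = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                              # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table and return
    one dict per section. Raises ValueError for anything that is not a PE file so
    the audit never runs over garbage."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    n_sections, size_of_optional = coff[1], coff[5]
    table = e_lfanew + 4 + struct.calcsize(COFF_FMT) + size_of_optional
    sections = []
    for i in range(n_sections):
        off = table + i * struct.calcsize(SECTION_FMT)
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return sections


def audit_sections(data):
    """Return human-readable findings for the section-table oddities the report
    lists: nameless sections, names with special characters, a writable .text,
    and executable ranges that have no file-backed bytes (filled at runtime)."""
    findings = []
    for i, s in enumerate(parse_sections(data)):
        name = s["name"].split(b"\0", 1)[0]
        if name == b"":
            findings.append(f"section {i}: nameless")
        elif any(b not in SANE_NAME_BYTES for b in name):
            findings.append(f"section {i}: name with special chars {s['name']!r}")
        if name == b".text" and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {i}: writable .text")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(f"section {i}: executable but no raw data (filled at runtime, packer-style)")
    return findings


def build_pe(layout):
    """Constructed minimal PE32 image (headers only, no code) so the audit can run
    offline. layout = [(name, VirtualSize, VirtualAddress, SizeOfRawData, Characteristics), ...]"""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header directly after the DOS header
    opt_size = 0xE0                                   # PE32 optional header size
    coff = struct.pack(COFF_FMT, 0x14C, len(layout), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, remainder zeroed
    table = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, vaddr, rawsize, 0x400, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rawsize, chars in layout)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


RX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# A conventional compiler-produced layout: nothing to report.
BENIGN_LAYOUT = [
    (b".text", 0x1000, 0x1000, 0x1000, RX),
    (b".rdata", 0x800, 0x2000, 0x800, IMAGE_SCN_MEM_READ),
    (b".data", 0x400, 0x3000, 0x400, RW),
]

# A layout shaped like the oddities the report flags (constructed, not this sample's real headers).
PACKED_LAYOUT = [
    (b".text", 0x30000, 0x1000, 0, RX | IMAGE_SCN_MEM_WRITE),   # RWX and empty on disk: unpack target
    (b"", 0x1000, 0x31000, 0x1000, RW),                          # nameless
    (b"\xd0\x9f\x90", 0x1000, 0x32000, 0x1000, RW),              # non-ASCII name
    (b".aspack", 0x2000, 0x33000, 0x2000, RX),                   # packer stub; its name alone is fine
]

if __name__ == "__main__":
    for label, layout in (("benign", BENIGN_LAYOUT), ("packed", PACKED_LAYOUT)):
        print(label, audit_sections(build_pe(layout)) or "clean")
```

To run it over a real file, replace `build_pe(...)` with the bytes read from disk; the parser only touches the headers, so it is safe to run on a live sample without executing anything. Treat the findings as triage hints in the same spirit as the vendor signatures: a writable .text or a nameless section is common in packed or protected binaries, malicious or not, which is exactly why the page's own caveat about "no guarantee that a sample is malicious" still applies.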
Threat name: Win32.Trojan.Zenlod
Status: Malicious
First seen: 2021-10-22 13:21:14 UTC
File Type: PE (Exe)
Extracted files: 111
AV detection: 30 of 43 (69.77%)
Threat level: 5/5
Detection(s): Suspicious file
Verdict: malicious
Result
Malware family: socelars
Score: 10/10
Tags: family:redline family:smokeloader family:socelars botnet:chrisnew botnet:media21 botnet:sehrish2 aspackv2 backdoor evasion infostealer spyware stealer suricata trojan
Behaviour
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
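The defence-evasion behaviours reported above ("Adds a directory exclusion to Windows Defender", "Disable Windows Defender real time protection (registry)", "Sigma detected: Powershell Defender Exclusion", "Sigma detected: MSHTA Spawning Windows Shell", "Sigma detected: Suspicious Script Execution From Temp Folder", and the Triage entry "Modifies Windows Defender Real-time Protection settings") are all visible in process-creation telemetry. The following is an added example, not a vendor's Sigma rule set or anything shipped with the sample: four small Sigma-style detections written directly in Python and evaluated over constructed Sysmon-like process-creation events. The events, paths and command lines are made up to mirror the listed behaviours; the rule logic is the editor's simplification of the public Sigma rules of the same names, not a verbatim port.

```python
import re

# Constructed Sysmon Event ID 1-style records (not telemetry from this sample).
# Event 1 re-creates the Defender exclusion, event 2 mshta -> script host from
# %TEMP%, events 3 and 4 two ways of switching real-time protection off.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --profile-directory=Default'},
    {"ParentImage": r"C:\Users\user\AppData\Local\Temp\3A6CA6A75525505890DC5D13AB3D888135B1CB4922605.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -WindowStyle Hidden Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"'},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //B C:\Users\user\AppData\Local\Temp\is-K1B2.tmp\run.vbs"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "rundll32.exe", "regsvr32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# A script file with a script extension living under a Temp directory.
TEMP_SCRIPT = re.compile(
    r"(\\appdata\\local\\temp\\|\\windows\\temp\\)[^\s\"]*\.(vbs|vbe|js|jse|hta|ps1|bat|cmd)\b",
    re.IGNORECASE)


def _basename(path):
    """Last path component, lower-cased, so rules can compare image names."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_powershell_defender_exclusion(ev):
    cl = ev["CommandLine"].lower()
    return _basename(ev["Image"]) in POWERSHELL and "add-mppreference" in cl and "-exclusion" in cl


def rule_mshta_spawning_shell(ev):
    return _basename(ev["ParentImage"]) == "mshta.exe" and _basename(ev["Image"]) in SHELLS


def rule_script_from_temp(ev):
    return _basename(ev["Image"]) in SCRIPT_HOSTS and TEMP_SCRIPT.search(ev["CommandLine"]) is not None


def rule_defender_rtp_disabled(ev):
    """Covers both the registry route (reg.exe) and the cmdlet route (Set-MpPreference)."""
    cl = ev["CommandLine"].lower()
    img = _basename(ev["Image"])
    if img == "reg.exe" and "disablerealtimemonitoring" in cl:
        return True
    return img in POWERSHELL and "set-mppreference" in cl and "-disablerealtimemonitoring" in cl


RULES = [
    ("Powershell Defender Exclusion", rule_powershell_defender_exclusion),
    ("MSHTA Spawning Windows Shell", rule_mshta_spawning_shell),
    ("Suspicious Script Execution From Temp Folder", rule_script_from_temp),
    ("Windows Defender Real-time Protection Disabled", rule_defender_rtp_disabled),
]


def evaluate(events):
    """Return (event_index, rule_name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events) for name, fn in RULES if fn(ev)]


if __name__ == "__main__":
    for idx, name in evaluate(EVENTS):
        print(f"event {idx}: {name} :: {EVENTS[idx]['CommandLine']}")
```

The matching is deliberately case-insensitive and keyed on image basenames rather than full paths, because the sample's own dropper runs from a hash-named file in %TEMP% and the binaries it abuses (powershell.exe, reg.exe, mshta.exe, wscript.exe) are legitimate system tools; what makes the events suspicious is the parent/child pairing and the arguments, not the executables themselves.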
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
194.104.136.5:46013
135.181.129.119:4805
91.121.67.60:23325
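The ThreatFox rows under "Indicators Of Compromise" and the "C2 Extraction" list above are two different shapes of indicator: full URLs whose only actionable part is the host, and bare ip:port sockets. Note also that the MalwareBazaar signature tag on this entry is CoinMiner while the vendor sections attribute the dropped payloads to RedLine, Socelars and SmokeLoader, so the indicators below span several families and a hit on any of them warrants a look at the host. The following is an added example, not tooling from abuse.ch or any vendor: it normalises the indicators exactly as printed on this page into a host set and a socket set, then scans a few constructed proxy/flow log lines (made up for the example) for contact with them. Vendor config extraction commonly emits the same C2 once per payload, so the constructed input deliberately repeats entries and the parser deduplicates them.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from this MalwareBazaar entry (ThreatFox rows + C2 Extraction).
# Repeated entries are kept on purpose so the dedup step has something to do.
IOC_TEXT = """
http://116.202.186.120/
185.151.240.132:33087
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
194.104.136.5:46013
135.181.129.119:4805
91.121.67.60:23325
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
194.104.136.5:46013
135.181.129.119:4805
91.121.67.60:23325
"""

SOCKET_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_iocs(text):
    """Split raw IOC lines into a set of hostnames (from URLs) and a set of
    (ip, port) tuples (from ip:port lines). Unknown shapes raise rather than
    being silently dropped."""
    hosts, sockets = set(), set()
    for line in text.split():          # split() also discards blank lines
        m = SOCKET_RE.match(line)
        if m:
            sockets.add((m.group(1), int(m.group(2))))
        elif "://" in line:
            host = urlsplit(line).hostname
            if host:
                hosts.add(host.lower())
        else:
            raise ValueError(f"unrecognised IOC shape: {line!r}")
    return hosts, sockets


# Constructed log lines (not from the page): ts, src_ip, dst_ip, dst_port, http_host ("-" if none).
LOG_LINES = [
    "1641390110\t10.0.0.23\t116.202.186.120\t80\t-",            # ThreatFox URL host, reached by IP
    "1641390115\t10.0.0.23\t194.104.136.5\t46013\t-",           # RedLine-style ip:port socket
    "1641390120\t10.0.0.23\t93.184.216.34\t443\twww.example.com",
    "1641390125\t10.0.0.42\t203.0.113.9\t80\twww.hbgents.top",  # Socelars host via proxy, any IP
    "1641390130\t10.0.0.42\t194.104.136.5\t443\t-",             # same IP, different port: not a socket hit
]


def scan_log(lines, hosts, sockets):
    """Return one hit per log line that touched an indicator, with the reasons."""
    hits = []
    for line in lines:
        ts, src, dst_ip, dst_port, http_host = line.rstrip("\n").split("\t")
        reasons = []
        if (dst_ip, int(dst_port)) in sockets:
            reasons.append(f"C2 socket {dst_ip}:{dst_port}")
        if dst_ip in hosts:                       # URL indicators whose host is a bare IP
            reasons.append(f"C2 address {dst_ip}")
        if http_host != "-" and http_host.lower() in hosts:
            reasons.append(f"C2 host {http_host}")
        if reasons:
            hits.append({"ts": ts, "src": src, "reasons": reasons})
    return hits


if __name__ == "__main__":
    hosts, sockets = parse_iocs(IOC_TEXT)
    print(f"{len(hosts)} unique hosts, {len(sockets)} unique sockets")
    for hit in scan_log(LOG_LINES, hosts, sockets):
        print(hit["ts"], hit["src"], "; ".join(hit["reasons"]))
```

Socket indicators are matched on the exact ip:port pair, so the last constructed line (same IP, port 443) is not reported; whether to also alert on the bare IP is a tuning decision, since RedLine operators rotate ports on shared hosting more often than they rotate addresses, and the Triage tag "Legitimate hosting services abused for malware hosting/C2" is a reminder that an IP-only match can also catch unrelated tenants.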
Unpacked files
| SHA256 | MD5 | SHA1 | Notes |
|---|---|---|---|
| e07353baabb9c287093629bdbe00c5721f3b130a2bf337cba5cf475d857681e9 | a46e4985a6592cad27270c965643b752 | 89188cb0f9c715848b71b162916e0c88e956f08a | |
| 2010b113bce681120cbdbe50fd2c3393587d723b97d13a5777429570621bb339 | ae22fdfdaf90dc3174ebe91333125e1e | 3a62fed1ee6e36ca58c3ec19d0a4ae9f9eb0e2b8 | Parent samples: 40c4d06433a2db2e570b3302e01c5c2ebe51efb59473a5b08cb132ab6af8638b, 6aa0d341cee633c2783960687c79d951bf270924df527ac4a99b6bfabf28d4ae, 644ecdd263538e3f6da1689a78b77101dd86451afb376e785b33d1e7c9cd6f82, da3909ea1dfaa29dbd3f0ee74cbe629783826f97ae41e606f6db35890c59ec40, 0cc82eba0f92824807acfec362e96c2933cb894e9a220194a3eae627e4007f26, b07be8360dd11e81f6830ae467bec71cb6058523b35947a399b7abdba985c9b5, 273f433ba1cebfad830e52490a04ca744351fc46249285ff9514c6e1ceaaf99d |
| 62aa90b21e22bb662ef9923f220fe854c206af67ad2cf1776030ccfd8e8cf567 | ec26b8c7d5a5b27039e7b38d1165da92 | 66ae32262b2c5def873f474df2ebc941b337ec24 | |
| fb35e940eb07e761704d5c922e77e28d51279088375fef12ed342361e428df66 | 4023b304f7969a24b91be30d76997997 | 40bf9443df97437df7b695874fefa3e8103d76bc | |
| fa32e4c916505f47cf16420c5ba90c34494a5ae5425eb12dfef2d497a7af058d | 39ed7f5faa39e84c65144007d0c675c0 | f406d44b03dc16568b1735f3e037138901956704 | |
| 27a9228747973ae9649e8717a2ff77916346560644e734ef2ed946f2767fb128 | de1b3c28ea026c0ede620dd78199ddc5 | ee402371a36bff44c765323ccd8c7e4a56bc8d12 | |
| 3c7eafd4b40f81bb7bdfb00c5a9d5fc741ddd12ed6d660db826de783aa429b25 | 350b836e6fbd8d8a1f104ebdd82ed0f7 | e19ab63560fe796fe7fd140bf315aeff412cde6a | |
| 9551ec7b4cf5fbdf24e2fb00774d25b48f454d2e07b5e87a382e9d4a4dd20034 | 731a9da888ff8621c0f2d4b55f3acd5e | cf9255067484c4ae63aa9788ab9196581942c908 | |
| b3dcba8a5bc137c22566984e9fafc78fd5175eaca6a48a628bcb0686d78b3986 | 346d64c02ecfcff0b2fbdc3c1c066e2b | b68034f5ebd0f4d986d61ec1020907742b656e00 | |
| 82b60a8c25db65bae520e73b7a67d2a6ca1f0fe6926439d0d7f1c0d52aa2f7d4 | a758705ffd480485776c573bbe7091ca | ae62bd009da6c2bf8e91f06a9a01890f74828d07 | |
| 87c46f3270f7cecb5b1d2ee881eba4654624e01c7504470c2edd8195ce996535 | 710d007acfefefac0654df0374e60c48 | 834feacd6e422ae146f128eeb5e48a4aebc6472e | |
| eb46a5dd639179cb261cb797527a343bb32bc8e44efe6a9620cd94392b9734ce | a8cdf3dfd3908d9e908bceda5eb17e64 | 33e0d68fb94117c57ae0bdc121567d440f5ece90 | |
| a66bf332eab3d4153d03454f661adf5b98afabb119bbe9069a871125ab190a3f | 177d13a7bf5ae8cb3aa31bc60567f52c | 235206d85cb4093ac35adf1be5cb5b686fdd737e | |
| 3ffdaa1515622897c84111ab4180de09aadd03674935555270a2789625f7e513 | 9074b165bc9d453e37516a2558af6c9b | 11db0a256a502aa87d5491438775922a34fb9aa8 | |
| 9941a61dda29fe19d16bcf1cdc930bd0e12f613fa824382bf4c9ad27161f0c39 | d76610249aa11303c3fbb33a64c6146c | 049f54f3ed8a423a0fa08e6a3699818fef5ae9d8 | |
| c347a863ee10a621b0368d2c52e297fe82f4a70f5223bdf5e1cc332cfbb300b3 | 222c2101d2689ccd889d864cefc0e52c | dfc809a6dd96db2ceb701883dff3fe826d2b6d69 | |
| 0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052 | 6449aa2e023c5931ac91815ca54225ed | 65b5f4df2c28472469ddf924e6b0d0a61394c612 | |
| a35413923a9fca94c8d334a4bd042788063523a1a5a710875d1cf62df9f450e4 | e05148f4f52955b1cd8e2fcf4348aaab | 98a66623506c2e43d7b7332701aca0221ce5d19a | |
| af51e4603381d728fd4f2a2de5128f23d44283526dbc0e3afad775386cd1c549 | 57244a197cbc23ae392fb4802b2989e6 | 41ee255b81ac60384e213dd0e9b3535a165a9d34 | |
| e92c420150c1e31b220cac0a206517912249fb8cab40689eaf98063b52f1a7d1 | 652651d52f1a2c4dfdfe38908302b2b2 | e574edccacfde477004313065e5986662bb3617f | |
| e98c3c40d2ddae73d48848c08aafb3ea923141e12fd7db3b3ef4e00e8d6d22f8 | 863abc50625e39e204cc18b0c13098d8 | 0952f459739cc87ab1117fb685fcfcf43e668bd8 | Detections: win_retefe_auto |
| 3a6ca6a75525505890dc5d13ab3d888135b1cb4922605be0ee447579305b5e4b | e4abe46c7a7221dbbdb27ea661c0d582 | de73837e5007a4ccda1f011ecf2a3ca9c2f1800d | The submitted sample itself (same hashes as the database entry above) |
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name: Malicious File
Score: 1.00
File information
No additional file information (delivery method, external references) is listed for this sample.