MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3aaeda2f9d9086b9960c4d19e18fbd3b0033de7fc43dbf3b647f70a9ac0926f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3aaeda2f9d9086b9960c4d19e18fbd3b0033de7fc43dbf3b647f70a9ac0926f2
SHA3-384 hash: 59d063046bdf34cf9ce59edea9472a63e5631df59b285786b0dbe36525ec51bbbcd915704b7445990537c93b79867a97
SHA1 hash: 53576b01d3c5fb08c80afb93d0778db0a75bc215
MD5 hash: cab9ec528dab8361797680046e26a13a
humanhash: georgia-chicken-violet-princess
File name:winrar-x64.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'954'192 bytes
First seen:2023-11-28 15:25:41 UTC
Last seen:2023-11-28 17:17:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 608505ff1e7e27ff4a42ea9c4e9f4192 (5 x LummaStealer, 3 x NetSupport, 2 x ConnectWise)
ssdeep 98304:c9iZasQra4ios7RjnRU4UApr2Y52k6hZTcuyFq7c2OtY:bZa5+osNbxrZ6hp42OtY
TLSH T1D7369D31724AC52FE96201B1192C9A9F512CBF360BB254CBB3DC2E6E1BB55C21736E17
TrID 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.5% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 6ded69c7b130b2c0 (12 x CryptBot, 8 x ValleyRAT, 4 x NetSupport)
Reporter Xev
Tags:CoinMiner CoinMiner.XMRig Downloader exe GuLoader signed

Code Signing Certificate

Organisation:Siam Computer (MD Kamrul Hassan)
Issuer:Sectigo Public Code Signing CA EV R36
Algorithm:sha256WithRSAEncryption
Valid from:2022-03-03T00:00:00Z
Valid to:2025-03-02T23:59:59Z
Serial number: e9e59f1418040e5a1e8ae92f0aec83d8
Intelligence: 21 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 80b7c22c5659dd209dc6750bc8141ccc53130dd903eeff9b382be9a8c8164347
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
NIXLovesCooper
https://s3.us-east-1.amazonaws.com/cd04ce1a/winrar-x64.exe
Distributed via: https://freesoftplace.com/software/winrar/

Intelligence

File Origin
# of uploads :
2
# of downloads :
419
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://gofile.io/d/TPlMNj
Verdict:
Malicious activity
Analysis date:
2023-11-28 19:52:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c4dab1a7-1df2-4b74-80fa-1a232f8289c2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/460981/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader46.11564.2682.17566.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a file
Launching a process
Modifying a system file
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Searching for the browser window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Possible injection to a system process
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control fingerprint greyware lolbin msiexec overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/6566068fbcca970107d0c3a7/reports/5a23a9c5-2f00-449a-b0ed-db3b49fc6c43/overview
Verdict:
Malicious
Labled as:
Trojan.Stealerc
Link:
https://www.hybrid-analysis.com/sample/3aaeda2f9d9086b9960c4d19e18fbd3b0033de7fc43dbf3b647f70a9ac0926f2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c51c0c2b-d427-423b-9bdd-d16d4739cadf
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
75 / 100
Link:
https://www.joesandbox.com/analysis/1349380
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
PE file has nameless sections
Potential dropper URLs found in powershell memory
Powershell drops PE file
Uses whoami command line tool to query computer and username
Very long command line found
Yara detected MalDoc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1349380 Sample: winrar-x64.exe Startdate: 28/11/2023 Architecture: WINDOWS Score: 75 100 s3.us-east-1.amazonaws.com 2->100 102 aondbucjga9x.s4.adsco.re 2->102 122 Antivirus detection for URL or domain 2->122 124 Multi AV Scanner detection for dropped file 2->124 126 Yara detected MalDoc 2->126 128 2 other signatures 2->128 10 msiexec.exe 3 32 2->10         started        14 winrar-x64.exe 26 2->14         started        16 svchost.exe 1 2 2->16         started        signatures3 process4 dnsIp5 76 C:\Windows\Installer\MSIBE46.tmp, PE32 10->76 dropped 78 C:\Windows\Installer\MSIBD98.tmp, PE32 10->78 dropped 80 C:\Windows\Installer\MSI3975.tmp, PE32 10->80 dropped 88 10 other malicious files 10->88 dropped 136 Drops executables to the windows directory (C:\Windows) and starts them 10->136 19 msiexec.exe 32 10->19         started        22 msiexec.exe 10->22         started        25 MSI3965.tmp 2 16 10->25         started        82 C:\Users\user\AppData\Local\...\MSI2E55.tmp, PE32 14->82 dropped 84 C:\Users\user\AppData\Local\...\MSI2E25.tmp, PE32 14->84 dropped 86 C:\Users\user\AppData\Local\...\MSI2E04.tmp, PE32 14->86 dropped 90 3 other files (2 malicious) 14->90 dropped 27 msiexec.exe 14->27         started        98 127.0.0.1 unknown unknown 16->98 file6 signatures7 process8 file9 72 C:\Users\user\AppData\Local\...\scr3A87.ps1, Unicode 19->72 dropped 74 C:\Users\user\AppData\Local\...\pss3A98.ps1, Unicode 19->74 dropped 29 powershell.exe 16 19->29         started        32 powershell.exe 19->32         started        34 powershell.exe 19->34         started        36 powershell.exe 19->36         started        130 Bypasses PowerShell execution policy 22->130 38 chrome.exe 1 25->38         started        signatures10 process11 dnsIp12 138 Very long command line found 29->138 140 Encrypted powershell cmdline option found 29->140 142 Uses whoami command line tool to query computer and username 29->142 144 Powershell drops PE file 29->144 41 powershell.exe 2 27 29->41         started        44 conhost.exe 29->44         started        46 powershell.exe 32->46         started        50 conhost.exe 32->50         started        52 powershell.exe 34->52         started        54 conhost.exe 34->54         started        56 powershell.exe 36->56         started        58 conhost.exe 36->58         started        104 192.168.2.4, 443, 49733, 49734 unknown unknown 38->104 106 192.168.2.9 unknown unknown 38->106 108 239.255.255.250 unknown Reserved 38->108 60 chrome.exe 38->60         started        signatures13 process14 dnsIp15 132 Potential dropper URLs found in powershell memory 41->132 134 Uses whoami command line tool to query computer and username 41->134 62 chcp.com 41->62         started        64 whoami.exe 41->64         started        110 s3.us-east-1.amazonaws.com 52.217.229.56 AMAZON-02US United States 46->110 92 C:\ProgramData\BraveCrashHandler.exe, PE32 46->92 dropped 66 chcp.com 46->66         started        112 52.216.39.112 AMAZON-02US United States 52->112 94 C:\Users\user\...behaviorgraphoogleCrashHandler.exe, PE32 52->94 dropped 68 chcp.com 52->68         started        114 52.216.245.190 AMAZON-02US United States 56->114 96 C:\Users\user\...behaviorgraphoogleCrashHandler64.exe, PE32 56->96 dropped 70 chcp.com 56->70         started        116 premiumvertising.com 162.252.214.11 TUT-ASUS United States 60->116 118 4.adsco.re 162.252.214.5 TUT-ASUS United States 60->118 120 22 other IPs or domains 60->120 file16 signatures17 process18
Score:
5%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/3aaeda2f9d9086b9960c4d19e18fbd3b0033de7fc43dbf3b647f70a9ac0926f2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3aaeda2f9d9086b9960c4d19e18fbd3b0033de7fc43dbf3b647f70a9ac0926f2/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-11-26 02:50:54 UTC
File Type:
PE (Exe)
Extracted files:
98
AV detection:
10 of 23 (43.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hkxnul45scdltfqmjum6dd55hmadhxt7yq636o3ep5yktlaje3za._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/231128-st7zrsbb3w/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops file in System32 directory
Checks whether UAC is enabled
Enumerates connected drives
Blocklisted process makes network request
Downloads MZ/PE file
Unpacked files
SH256 hash:
3aaeda2f9d9086b9960c4d19e18fbd3b0033de7fc43dbf3b647f70a9ac0926f2
MD5 hash:
cab9ec528dab8361797680046e26a13a
SHA1 hash:
53576b01d3c5fb08c80afb93d0778db0a75bc215
Link:
https://www.unpac.me/results/5c43b3ab-3104-48e9-b43d-ad3a34a65d93/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3aaeda2f9d90/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 3aaeda2f9d9086b9960c4d19e18fbd3b0033de7fc43dbf3b647f70a9ac0926f2

(this sample)

CoinMiner

Executable exe 2fa34c4fc0ec5810af33c51465647aa5f90654273f3e0756325c8d4817b17a64

  
Dropping
GuLoader ee4f4c4d03033e6a3361948b56f83dda91d82f4433a4c744c1b7124e73dab56e
  
Dropping
GuLoader ffc73cfd8d1964491159c87fc2d6fdd221716b06c7562b56039db4a29f9631c9
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/460981/
  
Dropping
SHA256 2fa34c4fc0ec5810af33c51465647aa5f90654273f3e0756325c8d4817b17a64
  
Dropping
MD5 06b592fef39a6c6f5f816d27a361ce80
  
Dropping
SHA256 25368f648491ac3483fd20c5cbef764cb920e0cab6fa287bb57cda03d70681d5
  
Dropping
MD5 2c51b09ee454b3a3a7d40db7421dcac9
  
Dropping
SHA256 ffc73cfd8d1964491159c87fc2d6fdd221716b06c7562b56039db4a29f9631c9
  
Dropping
MD5 3323830f1a658cab413fdc71ac6218b3
  
Dropping
SHA256 2d7347d8a4191e61b13372d61fb5fb884a68ebea6469547edb2915d89f976ae1
  
Dropping
MD5 d95381111380c6d9985700cb6c0ff344
  
Dropping
SHA256 ee4f4c4d03033e6a3361948b56f83dda91d82f4433a4c744c1b7124e73dab56e
  
Dropping
MD5 91d50ca825469c5efb39f92bde7b7344
  
Dropping
SHA256 c95858f8041c0ad9c6e9441e1f7dfa4e70085e4e73378bf2a47a5d4cb53ca2de
  
Dropping
MD5 c904b4a7114cdd828f404f381b635e81

Comments