MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3be27e6954e9f1ad80c57c82c3f27f2174463824667131d6b5cbdd56a79d32e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 14



SHA256 hash: 3be27e6954e9f1ad80c57c82c3f27f2174463824667131d6b5cbdd56a79d32e0
SHA3-384 hash: 8cfc98393e84702f0aed9cbfa1cdac4a2428c7d760c50c94a00d8192d43bb4cf9e152e6fe4396361ea65b33bb0c83df4
SHA1 hash: 43c41e316b2a0f9f3cd07788194e1cd5ca0e0e40
MD5 hash: be21cf068deb2031ddf6d4fea6382108
humanhash: dakota-steak-thirteen-butter
File name: be21cf068deb2031ddf6d4fea6382108.exe
Signature CoinMiner
File size: 4'263'424 bytes
First seen: 2022-03-01 21:26:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash d59a4a699610169663a929d37c90be43 (75 x DCRat, 22 x njrat, 15 x SalatStealer)
ssdeep 98304:qqZQ3c71adx+tb9Dked9lvPl4Px+/WlHT:jSckstbNB3tl4JzT
TLSH T1D516228C7264B1CFC85BC035D9A42E69FB61757B470B9307A45786AEAE0D98BCF140F2
Reporter abuse_ch
Tags: CoinMiner exe


abuse_ch
CoinMiner C2:
91.243.59.18:3359

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 91.243.59.18:3359
ThreatFox reference: https://threatfox.abuse.ch/ioc/391640/

Intelligence


File Origin
# of uploads: 1
# of downloads: 284
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://mega.nz/file/UuA3kChS#BGANoZfycd3TbiX6aueUWCdET0qZ1aRMlEC35QeWm6I
Verdict: Malicious activity
Analysis date: 2022-02-26 21:36:21 UTC
Tags: trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Creating a file
Searching for synchronization primitives
Connecting to a cryptocurrency mining pool
Creating a service
Launching a service
Loading a system driver
Creating a window
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Enabling autorun for a service
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed schtasks.exe shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine Xmrig
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Schtasks From Env Var Folder
Sigma detected: Windows Crypto Mining Indicators
Sigma detected: Xmrig
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 581139; sample yIzDIdBXVf.exe; start date 01/03/2022; architecture WINDOWS; score 100)
Contacted domains and IPs:
  siasky.net
  pool.supportxmr.com
  pool-nyc.supportxmr.com
  checkip.dyndns.com (193.122.130.0:80, ORACLE-BMC-31898US, United States)
  raw.githubusercontent.com (185.199.108.133:443, FASTLYUS, Netherlands)
  104.140.201.42:3333 (EONIX-COMMUNICATIONS-ASBLOCK-62904US, United States; Detected Stratum mining protocol)
  127.0.0.1 and 192.168.2.1 (from svchost.exe)
  2 other IPs or domains (from vape.exe)
Top-level signatures: Sigma detected: Xmrig; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 15 other signatures
Process tree:
  yIzDIdBXVf.exe
    drops C:\Users\user\AppData\Local\Temp\vape.exe (PE32) and C:\Users\user\AppData\Local\Temp\V4.exe (PE32)
    vape.exe
      drops C:\Users\user\AppData\...\Windows Service.exe (PE32) and C:\Users\user\AppData\...\Windows Helper.exe (PE32+)
      signatures: Multi AV Scanner detection for dropped file; May check the online IP address of the machine; Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
      Windows Helper.exe (contacts 104.140.201.42:3333, pool.supportxmr.com, pool-nyc.supportxmr.com; Query firmware table information (likely to detect VMs))
        conhost.exe
      schtasks.exe
        conhost.exe
          MpCmdRun.exe
            conhost.exe
      powershell.exe
        conhost.exe
      2 other processes
        conhost.exe (x2)
    V4.exe
      signatures: Machine Learning detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
      conhost.exe
      AppLaunch.exe
  svchost.exe (Changes security center settings (notifications, updates, antivirus, firewall))
  svchost.exe (contacts 127.0.0.1, 192.168.2.1)
  6 other processes
Threat name: Win32.Trojan.Delf
Status: Malicious
First seen: 2022-02-26 15:06:00 UTC
File Type: PE (Exe)
Extracted files: 10
AV detection: 37 of 40 (92.50%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:xmrig miner
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
Suspicious use of NtCreateProcessExOtherParentProcess
xmrig
Unpacked files
SHA256 hash: 15fedced8d8113cb555e29572b8adce6ad9bdb7a591633c2b4d2a0bb2d52742e
MD5 hash: 1af6d725cc6f269314e3dff9fa879533
SHA1 hash: c70daf0a73caed2dbbb58d0e51cf9a299174927a
SHA256 hash: bce93e3e5976bae4d50aa81d8e6838dab202d42c7e954852432f8d1a0052bcec
MD5 hash: a3a28120b4e5a22f0cb1b781f5592c7c
SHA1 hash: f6b9d2c05217707465f6e0f657410a1e04c5d262
SHA256 hash: 134642a499fb65c02996fde1d8a071f0c50f8c6fc823bd922fa2ed3f97beaff9
MD5 hash: fc11eb1ed6b8d217f2874f85159b5473
SHA1 hash: de10e02312664b5a748f853bc4ed008a0b7d26ab
SHA256 hash: 3be27e6954e9f1ad80c57c82c3f27f2174463824667131d6b5cbdd56a79d32e0
MD5 hash: be21cf068deb2031ddf6d4fea6382108
SHA1 hash: 43c41e316b2a0f9f3cd07788194e1cd5ca0e0e40
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod
Rule name: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Author: ditekSHen
Description: Detects executables containing URLs to raw contents of a Github gist
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments