MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 3cf08993fa4866df41dc37cec849e5a5e9d0bcb6ea6660c30130d9e2fd2f623d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
CoinMiner
Vendor detections: 11
| SHA256 hash: | 3cf08993fa4866df41dc37cec849e5a5e9d0bcb6ea6660c30130d9e2fd2f623d |
|---|---|
| SHA3-384 hash: | 868766383a4249466a60c0129afe20c8efebee0ab8bf9b795e14dc569a71a2b3623f03b689e8948378764708c60dcaf1 |
| SHA1 hash: | fcca1e88a99e2f20403e963b798e3f68f58d638d |
| MD5 hash: | 65eed0fdbee8b81c1b9118f86700c6fd |
| humanhash: | texas-orange-burger-may |
| File name: | setup_x86_x64_install.exe |
| Download: | download sample |
| Signature | CoinMiner |
| File size: | 4'602'220 bytes |
| First seen: | 2021-09-10 21:04:29 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox) |
| ssdeep | 98304:yNARW1EZaiFNHUPjom9RyG4fN4xeKQJRahxxvqbteLUZ50bIU2:y2I+dN0PN8G4fKfQDcbqbteLUqIT |
| Threatray | 538 similar samples on MalwareBazaar |
| TLSH | T10C26336E2BCBB09BDC4BC9743C44E9191134D6D1B32F1257271537BEB2CBB098D89268 |
| dhash icon | b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla) |
| Reporter | Anonymous |
| Tags: | CoinMiner exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-09-10 20:53:55 UTC
Tags:
trojan evasion loader rat redline stealer vidar autoit kelihos unwanted netsupport
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Launching a process
Sending a UDP request
Malware family:
Socelars
Verdict:
Malicious
Result
Threat name:
RedLine Socelars Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Heracles
Status:
Malicious
First seen:
2021-09-10 21:05:07 UTC
AV detection:
31 of 45 (68.89%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
unknown
Similar samples:
+ 528 additional samples on MalwareBazaar
Result
Malware family:
vidar
Score:
10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:pab123 aspackv2 backdoor discovery infostealer stealer trojan
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
Malware Config
C2 Extraction:
https://gheorghip.tumblr.com/
45.14.49.169:22411
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
45.14.49.169:22411
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Unpacked files
SH256 hash:
e43033b6fa23e5af38190de45cfa6c8786109524f86b0128353042b125ec3dfa
MD5 hash:
e98faf6a7d0a0e53c715790d63f7c3d8
SHA1 hash:
f47383d98364a5736553fdbd3cb7ac971af5bc23
SH256 hash:
734b90bb58a0bae998cd68717eb7990b27aed3d8cb88a3302a09d3392d1382ee
MD5 hash:
008fff264eee5b6e1c25d9c92fcd00c5
SHA1 hash:
00e6cf44b2db81604948d20e5da45add6a158a8a
SH256 hash:
ec32b38e5ad5c285c1d6d8237341a99772709e8e4ea23db953d63ab8f078379c
MD5 hash:
ccf4a60623b784b084855d0468d76eab
SHA1 hash:
9419cc65a1bb70e8780f6da7cedd169eb333db88
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
SH256 hash:
17c6394f4256e6ec014b98d078dcfae89bfff431bb5fd17e95d5858b50ca1659
MD5 hash:
2927aaa5f942c2fb3f781d0ed30fb6ab
SHA1 hash:
19c566defbc40d60e909cd4635a840a042b119b3
SH256 hash:
c034ee0ed45c8278cf10e330a92220f7d33c2d3d10f2721c2acabcca552b6423
MD5 hash:
4df600c45dbfd49fa9e31134e8f47434
SHA1 hash:
f07d4411a7b3722206e9d17e94749819930cedcb
SH256 hash:
cd9319e82da449ad6a2ad47b283a904703476a0c98dd1f379018c8c935f6e427
MD5 hash:
043724eb36868c3eed2e7e4cb5d68919
SHA1 hash:
d650e246ba4d2c6901cc7298708981c3972d2085
SH256 hash:
e6bcbd6dc07646a453228d448ea64f3cc69ef5258f17801be2173c2e8e557246
MD5 hash:
6d979dd767cb9adf69df323885a01053
SHA1 hash:
ab22447576f6dc2f349934e951552b1408e9de46
SH256 hash:
30d2e1ce1f57936fae0b6c7f70917e5b352dc8a891b3d012f762f79d2c46ccc1
MD5 hash:
f43d41f88c343d2d97c010ec7269320d
SHA1 hash:
93d2e9e30cc7db5615bb113293ce2b24b848368a
SH256 hash:
bfbfc69a4e86c3b1a0d8ed76cabe1bd14405611912bc88d16ad049c4bf4cdd89
MD5 hash:
471989d380a88259308c06c0e0930b2a
SHA1 hash:
8da02115ecc85bd09565fa9947f12d939a14a8d8
SH256 hash:
b00f048eaa12a2774bd79082117814b0ef8ca2b379f142a3e89cd2dfd3ad8ab2
MD5 hash:
f7737d0e205e8ad3dd1ecc43625128e3
SHA1 hash:
8b4caf7d157b122235dbcdb051a53053349c4c69
SH256 hash:
8d224521b76e7b7252a7d7881746c1d564b088de74426e1a82a210727d21c7a6
MD5 hash:
66e030e6ed79da60282393e00d0e948f
SHA1 hash:
526f598296433846fd5abe0af41d576b3d386516
SH256 hash:
a1cf1cbaaf903767071d5b179fa3e07b78bf005ea418fe0bccf49b3283ce8cd4
MD5 hash:
d6b975280ae83310bf91885a39a8fd0a
SHA1 hash:
45faef47349eddfd07bfbe0421c9cf2d5e097e2f
SH256 hash:
8065efb208e6de679aeef9c9c5224aae59c3c43bc7ffc269b7af520652d28c1d
MD5 hash:
1ca4ad8777ead31b863858d19ba4f941
SHA1 hash:
440e7e66c04371d96bee046a1eb9c2c8fe8a7859
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
SH256 hash:
0fd897b1e74f50e47526f974bf4906ecbe4a331b1ae4e2ec309fbee57a032586
MD5 hash:
4c3423a6e5e3337c71c551358f1334c1
SHA1 hash:
e3f59c4781ab6b19adb9eb85054a060b34c3df73
SH256 hash:
be466c036bbcec6936d2b2f51d530c89b592c6624fb839914d98ee9c935671b7
MD5 hash:
86bfea0cf31c782163dce5387419a19b
SHA1 hash:
d24a2e9fd57014cc5bb0b4089012847807dd6016
SH256 hash:
c02d2c9ae0b587f9b7631c443ce5a7d6d409c0a5d09ff6b389ca1330d44a1149
MD5 hash:
a91a81780273bb279790c1fbb6fb3105
SHA1 hash:
4bedae163300009aac8afa2c2b42ea6c184ca9dd
SH256 hash:
36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f
MD5 hash:
4f9c74430d72b9500a0d99cc28fc7a7e
SHA1 hash:
a67cf6a62a6cabec501aa2f14e97c48b71dbd97c
SH256 hash:
0e41ba4102242f164829361b7ea3d642148d82a97335565233741a6358092008
MD5 hash:
bb93a1681b07906a6ceb245edf76fad1
SHA1 hash:
4dae7f97c689a2db2cf5538b91fffd4862b9e422
SH256 hash:
3b14abd4c440730da66a96c29b88c90cbdcf91a5c2d4df9b2a8e6d7c0d28af29
MD5 hash:
7fb0fd36d1182f9deb96178aa5299aa7
SHA1 hash:
bef2c6e5dac3705b5ebfe5757657e5b286d91c41
SH256 hash:
4c0946fdaaa509a6c8b81d0a833ad37ab5551e2d2ba0eda9893bf9f261a9dbd7
MD5 hash:
d22c41a3e77d2208503aa839fe9e27a5
SHA1 hash:
b5a7fbe1229485125b0b15f64be122a6d66024ad
Detections:
win_socelars_auto
SH256 hash:
b9eb487351e7768e2b64b1c4f811a6001dff02d5bec0ad3d721779794e84ee23
MD5 hash:
55c608a35a210dea50a1f4d94f8a061e
SHA1 hash:
4e7ca472ba5c4343c20d67a3b0b46258346771ca
SH256 hash:
3cf08993fa4866df41dc37cec849e5a5e9d0bcb6ea6660c30130d9e2fd2f623d
MD5 hash:
65eed0fdbee8b81c1b9118f86700c6fd
SHA1 hash:
fcca1e88a99e2f20403e963b798e3f68f58d638d
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | MALWARE_Win_RedLine |
|---|---|
| Author: | ditekSHen |
| Description: | Detects RedLine infostealer |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.