MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e9c5961ee8a2a0c30539e79f9ddfb8870f5488d9571562fb1d90c8440dffdf3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e9c5961ee8a2a0c30539e79f9ddfb8870f5488d9571562fb1d90c8440dffdf3
SHA3-384 hash: 73996e47c5c8c71dea002e4a8e2a8219f7440b97675f04e529e46941a7000e6a83430ddc8ee217d7534f2d64ccb48da1
SHA1 hash: 073ff34df1c5aaa62c2e3066e67cf05469788f09
MD5 hash: 05cdfd712f5e27594b9a21a279375410
humanhash: table-stairway-texas-kilo
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'084'216 bytes
First seen:2023-11-28 17:09:31 UTC
Last seen:2023-11-29 10:00:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:3/RCihRpUHZ5hpFeC9qN4eTWMWCRH3Zmo3ye9:PRCi1k5hpAN6eTWMxJB
Threatray 16 similar samples on MalwareBazaar
TLSH T165A59D8C66B7B395D681E2B580E06DFE0ABE212AFD3D55C8E1D83E874435F8091D0F5A
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter andretavare5
Tags:CoinMiner exe signed

Code Signing Certificate

Organisation:installrox inc
Issuer:installrox inc
Algorithm:sha256WithRSAEncryption
Valid from:2023-11-28T16:43:27Z
Valid to:2024-11-28T16:43:27Z
Serial number: 685d34635572cb5c128aecd407056505
Thumbprint Algorithm:SHA256
Thumbprint: 619c51532ded89f9ed9f84269b224e404d08378e9ee6055220fb6b6aa0287582
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://91.92.241.91/files/InstallSetup2.exe

Intelligence

File Origin
# of uploads :
8
# of downloads :
376
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/461007/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.29687.1552.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Searching for the window
Creating a file in the %temp% subdirectories
Searching for synchronization primitives
Moving a recently created file
Launching the process to interact with network services
Running batch commands
Blocking the User Account Control
Query of malicious DNS domain
Sending a TCP request to an infection source
Launching a tool to kill processes
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/65661eebfb43e835e6b850b3/reports/20b7d87f-5d55-4a83-a272-70767dfa5276/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3e9c5961ee8a2a0c30539e79f9ddfb8870f5488d9571562fb1d90c8440dffdf3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8ebca0e4-094d-433c-be82-3c522e5ef422
Result
Threat name:
Glupteba, Socks5Systemz, Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1349453
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
DLL side loading technique detected
Drops script or batch files to the startup folder
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Stop multiple services
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Socks5Systemz
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1349453 Sample: file.exe Startdate: 28/11/2023 Architecture: WINDOWS Score: 100 174 Malicious sample detected (through community Yara rule) 2->174 176 Antivirus detection for URL or domain 2->176 178 Antivirus detection for dropped file 2->178 180 16 other signatures 2->180 10 file.exe 2 4 2->10         started        13 apphost.exe 2->13         started        16 TrustedInstaller.exe 2->16         started        18 6 other processes 2->18 process3 dnsIp4 190 Writes to foreign memory regions 10->190 192 Adds extensions / path to Windows Defender exclusion list (Registry) 10->192 194 Adds a directory exclusion to Windows Defender 10->194 200 2 other signatures 10->200 20 CasPol.exe 15 32 10->20         started        25 powershell.exe 22 10->25         started        27 conhost.exe 10->27         started        158 74.201.73.52 DEDICATEDUS United States 13->158 160 1.1.1.1 CLOUDFLARENETUS Australia 13->160 162 147.182.137.203 BV-PUBLIC-ASNUS United States 13->162 196 Multi AV Scanner detection for dropped file 13->196 198 DLL side loading technique detected 16->198 164 23.48.10.90 AKAMAI-ASN1EU United States 18->164 166 127.0.0.1 unknown unknown 18->166 29 conhost.exe 18->29         started        31 conhost.exe 18->31         started        33 sc.exe 18->33         started        35 5 other processes 18->35 signatures5 process6 dnsIp7 140 91.92.241.91 THEZONEBG Bulgaria 20->140 142 107.167.110.211 OPERASOFTWAREUS United States 20->142 144 8 other IPs or domains 20->144 110 C:\Users\...\elDWF8RZeLLLksnNDLweFYZJ.exe, PE32 20->110 dropped 112 C:\Users\...\bs3XQiHXcyFnYsvZw8iHWDAW.exe, PE32 20->112 dropped 114 C:\Users\...\a18P0yhZKiBW0PCtsFFrwunZ.exe, PE32 20->114 dropped 116 20 other malicious files 20->116 dropped 182 Drops script or batch files to the startup folder 20->182 184 Creates HTML files with .exe extension (expired dropper behavior) 20->184 37 GQ1zG0dw7B6j1XjL0pbY3L6k.exe 20->37         started        41 PSSG5tl2FJYvOlrN3fxqbkEy.exe 20->41         started        43 a18P0yhZKiBW0PCtsFFrwunZ.exe 20->43         started        48 4 other processes 20->48 46 conhost.exe 25->46         started        file8 signatures9 process10 dnsIp11 146 107.167.110.216 OPERASOFTWAREUS United States 37->146 148 107.167.110.217 OPERASOFTWAREUS United States 37->148 156 6 other IPs or domains 37->156 118 Opera_installer_2311281728456077456.dll, PE32 37->118 dropped 120 C:\Users\user\AppData\Local\...\opera_package, PE32 37->120 dropped 122 C:\Users\user\...\additional_file0.tmp, PE32 37->122 dropped 132 3 other malicious files 37->132 dropped 50 GQ1zG0dw7B6j1XjL0pbY3L6k.exe 37->50         started        53 Assistant_103.0.4928.25_Setup.exe_sfx.exe 37->53         started        55 GQ1zG0dw7B6j1XjL0pbY3L6k.exe 37->55         started        68 2 other processes 37->68 124 C:\Users\...\PSSG5tl2FJYvOlrN3fxqbkEy.tmp, PE32 41->124 dropped 57 PSSG5tl2FJYvOlrN3fxqbkEy.tmp 41->57         started        150 149.154.167.99 TELEGRAMRU United Kingdom 43->150 152 94.130.188.133 HETZNER-ASDE Germany 43->152 154 72.21.81.240 EDGECASTUS United States 43->154 126 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 43->126 dropped 202 Detected unpacking (changes PE section rights) 43->202 204 Detected unpacking (overwrites its own PE header) 43->204 206 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 43->206 208 Tries to harvest and steal browser information (history, passwords, etc) 43->208 128 C:\Users\user\AppData\Local\Temp\Broom.exe, PE32 48->128 dropped 130 C:\Users\user\AppData\Local\...\apphost.exe, PE32 48->130 dropped 134 2 other malicious files 48->134 dropped 210 Creates an undocumented autostart registry key 48->210 212 Found Tor onion address 48->212 214 Modifies the hosts file 48->214 216 Adds a directory exclusion to Windows Defender 48->216 60 taskkill.exe 1 48->60         started        62 powershell.exe 48->62         started        64 Broom.exe 48->64         started        66 bs3XQiHXcyFnYsvZw8iHWDAW.exe 48->66         started        file12 signatures13 process14 file15 92 Opera_installer_2311281728495527776.dll, PE32 50->92 dropped 104 21 other malicious files 50->104 dropped 70 GQ1zG0dw7B6j1XjL0pbY3L6k.exe 50->70         started        106 6 other malicious files 53->106 dropped 94 Opera_installer_2311281728470617564.dll, PE32 55->94 dropped 96 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 57->96 dropped 98 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 57->98 dropped 100 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 57->100 dropped 108 13 other files (12 malicious) 57->108 dropped 186 Uses schtasks.exe or at.exe to add and modify task schedules 57->186 73 mpeg4bind.exe 57->73         started        75 net.exe 57->75         started        77 schtasks.exe 57->77         started        79 mpeg4bind.exe 57->79         started        188 DLL side loading technique detected 60->188 82 conhost.exe 62->82         started        102 Opera_installer_2311281728480127716.dll, PE32 68->102 dropped 84 assistant_installer.exe 68->84         started        signatures16 process17 dnsIp18 136 Opera_installer_2311281728498817852.dll, PE32 70->136 dropped 138 C:\ProgramData\TLGAdapter\TLGAdapter.exe, PE32 73->138 dropped 86 conhost.exe 75->86         started        88 net1.exe 75->88         started        90 conhost.exe 77->90         started        168 69.30.233.162 WIIUS United States 79->168 170 95.216.227.177 HETZNER-ASDE Germany 79->170 172 194.49.94.194 EQUEST-ASNL unknown 79->172 file19 process20
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3e9c5961ee8a2a0c30539e79f9ddfb8870f5488d9571562fb1d90c8440dffdf3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e9c5961ee8a2a0c30539e79f9ddfb8870f5488d9571562fb1d90c8440dffdf3/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-11-28 17:10:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h2ofsyporivaymcttz47txp3rbypksensvyvml5r3egiiqg77xzq._file
Verdict:
malicious
Similar samples:
217265f9279820005c1037dd06668169a841230842ddd53961122066d9fb6786
CoinMiner
978708f8b2ce3fda82c9376420dc023396ee686d43962675dda5f18b3b749753
CoinMiner
9967dbf940ce71c3aff8f0b62c7ef9324dd30e6ae4bbb2db4b16c0a184e383f7
CoinMiner
a46064ad322eb51e7b32acbaf537aa504e504e9f1d8c260fd8bac07f9c46b1c1
CoinMiner
d81e8511ca6925abf689f2f0e7c7ec5b1f14338a66b3329fa38e5a6d7b594392
CoinMiner
e26a36702257f07a25adc0e5b1a3ceeabcbcb18b63c8d83c0ccb988f848e4a08
CoinMiner
+ 6 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:xmrig discovery dropper evasion loader miner persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/231128-vpn27sbg44/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Unexpected DNS network traffic destination
Windows security modification
Adds policy Run key to start application
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Stops running service(s)
XMRig Miner payload
Glupteba
Glupteba payload
Modifies WinLogon for persistence
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Windows security bypass
xmrig
Unpacked files
SH256 hash:
661e1c7be7c6d0ac3534ad99e09816fbf62614d21867bd7a421bb82a51ffb615
MD5 hash:
13fca746c740347971715ffe7b5c8e73
SHA1 hash:
4f7b4b5231a20f21f2e96b50e4d1e887b814e00b
Link:
https://www.unpac.me/results/71923900-399e-47fa-a8a8-7659b5bf6d90/
SH256 hash:
3e9c5961ee8a2a0c30539e79f9ddfb8870f5488d9571562fb1d90c8440dffdf3
MD5 hash:
05cdfd712f5e27594b9a21a279375410
SHA1 hash:
073ff34df1c5aaa62c2e3066e67cf05469788f09
Link:
https://www.unpac.me/results/71923900-399e-47fa-a8a8-7659b5bf6d90/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3e9c5961ee8a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e9c5961ee8a2a0c30539e79f9ddfb8870f5488d9571562fb1d90c8440dffdf3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/461007/
  
URLhaus
https://urlhaus.abuse.ch/url/2735609/

Comments