MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f3ce1f91c8f439a2c903fa08544b08e21704a53c3ab260d3a0b8d3dea425020. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner
Vendor detections: 9

SHA256 hash: 3f3ce1f91c8f439a2c903fa08544b08e21704a53c3ab260d3a0b8d3dea425020
SHA3-384 hash: 8feac7e84bed0078ef4c4c4764b25c646c6a5397acd6b2ebe7204840108ba6eaa3a7b9072c1025ba1930d13006076095
SHA1 hash: 62bcde8f6c592a4be16b0d0feeb5fa2df13b0619
MD5 hash: 117e4e3f1b6edae6745f82cf072008f1
humanhash: fruit-tennis-asparagus-happy
File name: 117E4E3F1B6EDAE6745F82CF072008F1.exe
Signature: CoinMiner
File size: 1'081'282 bytes
First seen: 2021-05-06 20:46:42 UTC
Last seen: 2021-05-06 21:01:07 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep: 24576:o1qUujZ3P+kMUTeGfspVGx2HMv87d6Iosk/8K/rEkfI1glO:o1qUu932k5TVsHGxcl7zhMoNz
Threatray: 152 similar samples on MalwareBazaar
TLSH: 5D3523203AD380FBCAB23AB06D11734A65FBFA350F0A8AD35B50150B5E585C59BFD6D2
Reporter: abuse_ch
Tags: CoinMiner exe

Reporter comment (abuse_ch):
CoinMiner C2: 45.128.150.47:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
45.128.150.47:80    https://threatfox.abuse.ch/ioc/30618/

Intelligence


File Origin
# of uploads: 2
# of downloads: 325
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://www.thecrackbox.com/save-wizard-ps4-free-download/
Verdict: Malicious activity
Analysis date: 2021-05-04 05:50:33 UTC
Tags: autoit trojan rat redline phishing opendir

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Sending a UDP request
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 64 / 100
Signature
Contains functionality to register a low level keyboard hook
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph (ID 406344; sample bsvL2B6U0P.exe; start date 06/05/2021; architecture WINDOWS; score 64):
Start: Multi AV Scanner detection for submitted file
  bsvL2B6U0P.exe started
    signature: Contains functionality to register a low level keyboard hook
    cmd.exe started
      signatures: Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
      cmd.exe started
        signatures: Obfuscated command line found; Uses ping.exe to sleep
        PING.EXE started (contacts 127.0.0.1 and 192.168.2.1)
        Sta.exe.com started
          Sta.exe.com started (DNS lookup: qnrBjIxlRPygUQEBOnj.qnrBjIxlRPygUQEBOnj)
        findstr.exe started
      conhost.exe started
Threat name: Win32.Trojan.Tnega
Status: Malicious
First seen: 2021-05-04 02:12:00 UTC
AV detection: 11 of 29 (37.93%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:9874 discovery infostealer persistence spyware stealer
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction: nshoreyle.xyz:80

File information

Comments
accidentalrebel commented on 2021-05-06 21:01:42 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [F0002.001] Collection::Application Hook
1) [F0002.002] Collection::Polling
2) [C0029.003] Cryptography Micro-objective::SHA256::Cryptographic Hash
3) [C0032.001] Data Micro-objective::CRC32::Checksum
4) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0046] File System Micro-objective::Create Directory
7) [C0048] File System Micro-objective::Delete Directory
8) [C0047] File System Micro-objective::Delete File
9) [C0049] File System Micro-objective::Get File Attributes
10) [C0051] File System Micro-objective::Read File
11) [C0050] File System Micro-objective::Set File Attributes
12) [C0052] File System Micro-objective::Writes File
13) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
14) [C0017] Process Micro-objective::Create Process
15) [C0038] Process Micro-objective::Create Thread
16) [C0054] Process Micro-objective::Resume Thread
17) [C0018] Process Micro-objective::Terminate Process