MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fd0837381babda7ef617b810457f0db32bd7c1f7e345480e6c525050ca818fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3fd0837381babda7ef617b810457f0db32bd7c1f7e345480e6c525050ca818fa
SHA3-384 hash: 0c8a5ac3456ac456ca477e960c22b55958d3eb8719251a03604df17f864218188243a38c1ceb7f3a776657b92b2cefac
SHA1 hash: 2d8996326ba08f941063d3d968223875832164ac
MD5 hash: 5009e04920d5fb95f8a02265f89d25a5
humanhash: emma-aspen-king-finch
File name:3fd0837381babda7ef617b810457f0db32bd7c1f7e345480e6c525050ca818fa
Download: download sample
Signature CoinMiner
Create hunting rule
File size:188'928 bytes
First seen:2022-03-24 09:51:40 UTC
Last seen:2022-03-24 11:44:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 3072:PbQEJEc4ySD4EsB2xfbuWo1nhM4vjJw2XsA7mfmvG30bvDhYMOQDUVq:PbtJEc4y9LqSWo1nhM4vjJw2XsA7mfmO
Threatray 2'014 similar samples on MalwareBazaar
TLSH T1140426DD726072DFC857D472DEA81CA8EA6174BB931F4203A02715ADEA4D89BDF140F2
Reporter struppigel
Tags:.NET CoinMiner exe Ginzo MSIL


Avatar
struppigel
Ginzo stealer, Ginzo.pdb

Intelligence

File Origin
# of uploads :
2
# of downloads :
483
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3fd0837381babda7ef617b810457f0db32bd7c1f7e345480e6c525050ca818fa
Verdict:
Malicious activity
Analysis date:
2022-03-25 07:21:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c0eb3c43-c15c-443b-b03e-cbccae19a0f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/257117/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.47003.14242.7859.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file
Enabling the 'hidden' option for recently created files
Creating a window
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Moving a recently created file
Creating a process from a recently created file
Launching a process
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cerbu obfuscated packed
Link:
https://www.filescan.io/uploads/623c3f600cd58dbd92e5cac3/reports/1b6e3eb8-8b84-4cc1-81b1-b7ce66adf3ef/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1a7d2e7b-d2dd-437e-9052-25dc1e4d008d
Result
Threat name:
BitCoin Miner RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/963670
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potential dropper URLs found in powershell memory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 596149 Sample: FYdKFJ3iex Startdate: 24/03/2022 Architecture: WINDOWS Score: 100 51 Multi AV Scanner detection for domain / URL 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 10 other signatures 2->57 9 FYdKFJ3iex.exe 15 47 2->9         started        process3 dnsIp4 47 freegeoip.app 188.114.97.7, 443, 49780, 49781 CLOUDFLARENETUS European Union 9->47 49 nominally.ru 9->49 37 C:\Users\user\AppData\Local\401206.exe, PE32+ 9->37 dropped 39 C:\Users\user\AppData\Local\315949.exe, PE32 9->39 dropped 41 C:\Users\user\AppData\...\FYdKFJ3iex.exe.log, ASCII 9->41 dropped 43 6 other files (none is malicious) 9->43 dropped 61 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->61 63 Tries to harvest and steal browser information (history, passwords, etc) 9->63 14 401206.exe 9->14         started        17 315949.exe 1 9->17         started        file5 signatures6 process7 signatures8 65 Antivirus detection for dropped file 14->65 67 Multi AV Scanner detection for dropped file 14->67 69 Writes to foreign memory regions 14->69 71 Creates a thread in another existing process (thread injection) 14->71 19 conhost.exe 2 14->19         started        73 Allocates memory in foreign processes 17->73 75 Injects a PE file into a foreign processes 17->75 21 AppLaunch.exe 2 17->21         started        24 conhost.exe 17->24         started        process9 dnsIp10 26 cmd.exe 1 19->26         started        29 cmd.exe 19->29         started        45 91.243.32.184, 28056 MATTEOGB Russian Federation 21->45 process11 signatures12 59 Encrypted powershell cmdline option found 26->59 31 powershell.exe 23 26->31         started        33 conhost.exe 26->33         started        35 powershell.exe 26->35         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3fd0837381babda7ef617b810457f0db32bd7c1f7e345480e6c525050ca818fa/
Threat name:
Win32.Trojan.Cerbu
Create hunting rule
Status:
Malicious
First seen:
2022-03-23 01:06:14 UTC
File Type:
PE (.Net Exe)
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1660fa277deb0f1afcd706189ecca08930050458121c2a2f42f2dcdeb1cf9c29
CoinMiner
54dc032c3503998eaa404dde9c677851856838e737edb3d198fb7c173562859e
CoinMiner
63d5524d7a7e198dde291df94f3c8ad57d82afcc9d0d14ec085d9b7453792e07
CoinMiner
73872c3c2ba2f4e09a18b0e0b3e00419b302781a83206512da39c28ae2e35fcc
CoinMiner
99306ce091ffc74939ea41621dd8e947086f6728083a2ff24aa02e3ae91905bd
CoinMiner
9c8314de1486634c7612198f144f80cba26a2f79a65b657b6f17af33491c0998
CoinMiner
b043820fef215c161bb53c9c1fa9a2cd221cecc4bae58103a9327c575697760d
CoinMiner
b840f10ae378fa15f8570f6eb208e2f280618bd49ade560eca00c93b6a4bd7d9
CoinMiner
ee1524e4980cac431ae0f92888ee0cc8a1fa9e7981df0be6abd7efa98adf9a45
CoinMiner
+ 2'004 additional samples on MalwareBazaar
Gathering data
Unpacked files
SH256 hash:
ebdc43c23c82e25277a11af9bf73a9da3f6c4b0bd56d4a409037f42caa6bdf6c
MD5 hash:
6325ef50a988c11a1fedb329bc37a468
SHA1 hash:
8b5113a2b40626e5d59e25a530bcfd7ccd872ad1
Link:
https://www.unpac.me/results/f4f87423-4bf5-499c-832d-86f81d918b54/
SH256 hash:
3fd0837381babda7ef617b810457f0db32bd7c1f7e345480e6c525050ca818fa
MD5 hash:
5009e04920d5fb95f8a02265f89d25a5
SHA1 hash:
2d8996326ba08f941063d3d968223875832164ac
Link:
https://www.unpac.me/results/f4f87423-4bf5-499c-832d-86f81d918b54/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/3fd0837381babda7ef617b810457f0db32bd7c1f7e345480e6c525050ca818fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/257117/

Comments