MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 419a1f179dd3ef189bd773a8d4ca91af98d21df49baa795804487cc59563a2e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 419a1f179dd3ef189bd773a8d4ca91af98d21df49baa795804487cc59563a2e5
SHA3-384 hash: 22e138a065b7853e5ab5c759d90523e30f2947a042794c3430f3f93d6b428b9fa2d791bc0feea7ee9b411a53ec32be9a
SHA1 hash: 6e63272c1f89ae87ace7952ff71a6238cbf482e3
MD5 hash: d5019b7e62758b392856c908855d6183
humanhash: jig-quiet-princess-fillet
File name:Software update v2.0.0.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:3'105'792 bytes
First seen:2021-10-02 07:24:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep 49152:0BcegYNcq6f4lm5gXrCFKSs6YqQwAAAbtIsfCQXaiMMTT9o6rmv7Abv9Dtk3eatb:0CenezgUKj6IwApbaQXa1MXnrmzAb1xQ
Threatray 267 similar samples on MalwareBazaar
TLSH T199E5333957667CAFE316523BDDE3204B4492A348F02AA3D302743E7EC9037A67E654C9
Reporter Anonymous
Tags:CoinMiner exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Software update v2.0.0.exe
Verdict:
Malicious activity
Analysis date:
2021-10-02 07:27:45 UTC
Tags:
loader evasion
Link:
https://app.any.run/tasks/79a8084e-d4fd-4cbb-9365-3876257aed3f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194152/
Detection(s):
SecuriteInfo.com.Trojan.Heur.TP.9I0@bmUDJwfi.12783.28614.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/33876af9-0b97-4676-b419-578cb72b369a
Result
Threat name:
BitCoin Miner RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863106
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Sigma detected: Xmrig
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 495532 Sample: Software update v2.0.0.exe Startdate: 02/10/2021 Architecture: WINDOWS Score: 100 88 138.124.186.121, 45760, 49752 NOKIA-ASFI Norway 2->88 90 49.12.130.173, 49753, 80 HETZNER-ASDE Germany 2->90 92 6 other IPs or domains 2->92 104 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->104 106 Sigma detected: Xmrig 2->106 108 Malicious sample detected (through community Yara rule) 2->108 110 21 other signatures 2->110 11 Software update v2.0.0.exe 15 7 2->11         started        16 services32.exe 2->16         started        18 svchost.exe 1 2->18         started        20 2 other processes 2->20 signatures3 process4 dnsIp5 96 82.146.43.167, 49742, 80 THEFIRST-ASRU Russian Federation 11->96 98 iplogger.org 88.99.66.31, 443, 49743 HETZNER-ASDE Germany 11->98 80 C:\Users\user\AppData\Local\...\Server32.exe, PE32+ 11->80 dropped 82 C:\Users\user\AppData\...\Datafile64.exe, PE32+ 11->82 dropped 84 C:\Users\user\AppData\...\Datafile32.exe, PE32+ 11->84 dropped 86 C:\Users\...\Software update v2.0.0.exe.log, ASCII 11->86 dropped 142 Query firmware table information (likely to detect VMs) 11->142 144 Hides threads from debuggers 11->144 146 Tries to detect sandboxes / dynamic malware analysis system (registry check) 11->146 22 Datafile32.exe 5 11->22         started        25 Datafile64.exe 5 11->25         started        29 Server32.exe 11->29         started        148 Adds a directory exclusion to Windows Defender 16->148 150 System process connects to network (likely due to code injection or exploit) 18->150 file6 signatures7 process8 dnsIp9 112 Antivirus detection for dropped file 22->112 114 Detected unpacking (changes PE section rights) 22->114 116 Query firmware table information (likely to detect VMs) 22->116 31 cmd.exe 22->31         started        33 cmd.exe 1 22->33         started        94 192.168.2.1 unknown unknown 25->94 72 C:\Users\user\AppData\Local\...\svchost64.exe, PE32+ 25->72 dropped 118 Adds a directory exclusion to Windows Defender 25->118 120 Hides threads from debuggers 25->120 122 Tries to detect sandboxes / dynamic malware analysis system (registry check) 25->122 36 cmd.exe 25->36         started        38 cmd.exe 25->38         started        74 C:\ProgramData\build.exe, PE32 29->74 dropped 76 C:\ProgramData\BuildETH.exe, PE32+ 29->76 dropped 124 Multi AV Scanner detection for dropped file 29->124 126 Machine Learning detection for dropped file 29->126 file10 signatures11 process12 signatures13 40 svchost32.exe 31->40         started        44 conhost.exe 31->44         started        100 Uses schtasks.exe or at.exe to add and modify task schedules 33->100 102 Adds a directory exclusion to Windows Defender 33->102 46 powershell.exe 23 33->46         started        48 conhost.exe 33->48         started        50 svchost64.exe 36->50         started        52 conhost.exe 36->52         started        54 conhost.exe 38->54         started        56 powershell.exe 38->56         started        process14 file15 68 C:\Windows\System32\services32.exe, PE32+ 40->68 dropped 128 Machine Learning detection for dropped file 40->128 130 Drops executables to the windows directory (C:\Windows) and starts them 40->130 58 services32.exe 40->58         started        62 cmd.exe 40->62         started        70 C:\Windows\System32\services64.exe, PE32+ 50->70 dropped 132 Multi AV Scanner detection for dropped file 50->132 signatures16 process17 file18 78 C:\Users\user\AppData\Local\...\svchost32.exe, PE32+ 58->78 dropped 134 Antivirus detection for dropped file 58->134 136 Detected unpacking (changes PE section rights) 58->136 138 Query firmware table information (likely to detect VMs) 58->138 140 4 other signatures 58->140 64 conhost.exe 62->64         started        66 schtasks.exe 62->66         started        signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/419a1f179dd3ef189bd773a8d4ca91af98d21df49baa795804487cc59563a2e5/
Threat name:
Win32.Backdoor.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-10-02 07:25:35 UTC
AV detection:
21 of 45 (46.67%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
010e5cf08f24b0b769747b20d38324e7ea5b3633cc72832a07cb8769b126dd0f
CoinMiner
24ea17a2c73edd5668c90344844c696e8bfddb72bf605feeea1a0dcc054f246f
CoinMiner
338624127da652feafe2bb0f900026b970815cd68001921dd62f0877acdb2058
CoinMiner
b5ec12c4a9c4110b60db7766315641497ad11f31ecaf9de0cc71b605256771d9
CoinMiner
b93bc07850c2c22986d7b4408131bd34d0fea6f1867933732ae13624fee5fd76
CoinMiner
bcc7c88a78159d256da9838d8148b61bf92057b71eabf3bed83ed650d723562c
CoinMiner
df47c9d6c0bcd204919cfd8d495a22ff35f8506cd328410393a724f3548ff828
CoinMiner
e481e934466d3e768442331a3c3af50c4d430b6ed14059afbe661925338ef531
CoinMiner
fdaae3b3560efecbdf76d5a6751c1d7c5964bb0186b81575fedce4b394a8fe0a
CoinMiner
+ 257 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:xmrig botnet:@faqu_1 discovery evasion infostealer miner spyware stealer themida trojan
Link:
https://tria.ge/reports/211002-h8zxlaeafq/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
RedLine
RedLine Payload
xmrig
Malware Config
C2 Extraction:
138.124.186.121:45760
Unpacked files
SH256 hash:
dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
MD5 hash:
c02a029c978f13b753c6b578b1588c75
SHA1 hash:
e125d59451e7f467bfd329a00a506decbcd91d83
Link:
https://www.unpac.me/results/549fde2d-25fe-4cad-b246-ef1a8a19abf0/
SH256 hash:
419a1f179dd3ef189bd773a8d4ca91af98d21df49baa795804487cc59563a2e5
MD5 hash:
d5019b7e62758b392856c908855d6183
SHA1 hash:
6e63272c1f89ae87ace7952ff71a6238cbf482e3
Link:
https://www.unpac.me/results/549fde2d-25fe-4cad-b246-ef1a8a19abf0/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/419a1f179dd3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/419a1f179dd3ef189bd773a8d4ca91af98d21df49baa795804487cc59563a2e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/194152/

Comments