MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42f948f52ddd00b51cb6a12de8a90ed30a40defa8e30ce6246a4f6fcce100f49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 13

SHA256 hash: 42f948f52ddd00b51cb6a12de8a90ed30a40defa8e30ce6246a4f6fcce100f49
SHA3-384 hash: d7cf149b6d02fb92ab40582c09c5d558956a17464872464672fd546e136ab65ce2560b9b1308505ebbcab159e4420336
SHA1 hash: bef32b3046fc3a867a3daaddfcf8d5143448cb25
MD5 hash: 598fdadb315cbfe1317617707bc9b5d9
humanhash: fifteen-robert-london-kentucky
File name: i864x__setup__6229285816bc2.exe
Signature: CoinMiner
File size: 5'830'463 bytes
First seen: 2022-03-09 23:01:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:Je7P616NELrEQD0VUERVAPqSvTTFAk5Zd9kkCrZ++nVGXjw+cg9KbQNei504ioTN:JSP0KELrEQGnuT/JCrZ+fXNJKbQNei57
Threatray: 6'513 similar samples on MalwareBazaar
TLSH: T1B34633C8A850C7FBF3E91A307C0C8A5934F09D79A8C1BD626F1276CD9FA2261D635719
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: Meowcat285
Tags: CoinMiner exe

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox reference
5.182.5.22:33809    https://threatfox.abuse.ch/ioc/393366/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 328
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
Launching a process
DNS request
Using Windows Management Instrumentation requests
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour

MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys manuscrypt
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine SmokeLoader Socelars onlyLogger
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Suspicious Script Execution From Temp Folder
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph (ID 586282; sample: i864x__setup__6229285816bc2.exe; start date: 10/03/2022; architecture: WINDOWS; score: 100), rendered here as a process tree in place of the original graphic:

Start
  Network: 208.95.112.1 (TUT-ASUS, United States); 58.124.228.242 (SKB-ASSKBroadbandCoLtdKR, Korea Republic of); 18 other IPs or domains
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 17 other signatures
  -> i864x__setup__6229285816bc2.exe started
       Dropped: C:\Users\user\AppData\...\setup_installer.exe (PE32)
       -> setup_installer.exe started
            Dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\...\6229284f92e64_Wed227591e3d2dd.exe (PE32); C:\Users\...\6229284d47a0a_Wed22f6908916.exe (PE32); 15 other files (9 malicious)
            Signatures: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
            -> setup_install.exe started
                 Signatures: Adds a directory exclusion to Windows Defender
                 -> cmd.exe started
                      -> 62292812d0139_Wed22970ab6d7.exe started
                           Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Disables Windows Defender (via service or powershell)
                 -> cmd.exe started
                      -> 6229281488257_Wed22ad698e0.exe started
                           Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Sample uses process hollowing technique; Injects a PE file into a foreign process
                 -> cmd.exe started
                      Signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
                      -> powershell.exe started
                 -> 3 other processes
                      -> 62292813c52e2_Wed224861dd.exe started
                           Network: 188.114.96.7 (CLOUDFLARENETUS, European Union)
                           Dropped: 864a8126-90f3-4a6f-8e75-a6609bfe865d.exe (PE32)
  -> svchost.exe started
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2022-03-09 23:03:32 UTC
File Type: PE (Exe)
Extracted files: 342
AV detection: 23 of 27 (85.19%)
Threat level: 5/5
Result
Malware family: socelars
Score: 10/10
Tags: family:onlylogger family:redline family:smokeloader family:socelars botnet:mdea80555 aspackv2 backdoor discovery infostealer loader persistence spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/
92.255.57.154:11841
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://coralee.at/upload/
http://ducvietcao.com/upload/
http://biz-acc.ru/upload/
http://toimap.com/upload/
http://bbb7d.com/upload/
http://piratia-life.ru/upload/
http://curvreport.com/upload/
http://viagratos.com/upload/
http://mordo.ru/upload/
http://pkodev.net/upload/
Unpacked files
SHA256 hash: cd66d8f4c1b15668aa216039ff187ab2595406d8a4d6fcf54632e9d5c1e19157
MD5 hash: 22559ba7d43d3b6c40cb21851ddddfa8
SHA1 hash: 8cd2154c88fdfbdffc813c4a023d9253aee4513d

SHA256 hash: 6e642598d2ddfc3e83fd463aacd13a1aafe359fa7e0786256fee0b6c82d6c029
MD5 hash: 507e3eb34f72613b73aa43322cfbce75
SHA1 hash: bc6174b52b10e79cab4b8280a36d166fe616cb72

SHA256 hash: e718a2f50e72d94ee2c9455603d98f67e7705aefc283351c182b5e503d59f6d8
MD5 hash: 5264c8567cf762e7cd37971a88b28a45
SHA1 hash: ffd23a453665086713bbeccf0029c5b026d4c47e

SHA256 hash: 2655fb04ce11121a57411e5a2a4398e6f732e0fd0db8fba0833fb1336e0206b5
MD5 hash: 44efe0d3d18450be1a65b29a6d86a9f2
SHA1 hash: f9ba3b2a3b065716cd9f817d5a645ba603f9ad6b

SHA256 hash: 7382632010b962fe845138c67406a369d1a00e77b293003a6aa89a206806f892
MD5 hash: 79d12bf220e9ea93125df294ac4a2c47
SHA1 hash: d0d63a8d43e079f856cce3186f3714ea66cda844

SHA256 hash: f8cdf2abf4715389016ca10ab553ea3c01ce6338b4897a78df47c5789232f2ec
MD5 hash: 9786f19b36ae71e4c44e24beaa6372b3
SHA1 hash: c79eb9f3e2304614ec4f64d06ec69846626570bb

SHA256 hash: 0baa4038bb4ba1912765d303c2f4e3847a0b860ae531fd592e4c955b5a552897
MD5 hash: a51acfdfd5c8caa97422516965382ecd
SHA1 hash: c56fef0fcb1fe78226b5daf36e8243624d5156f5

SHA256 hash: 2533078278022e0274d3cb9fc83b83e858cf431be6042a36d006322978de328a
MD5 hash: 8fc2a2805cee807b2fa46c7714d4743d
SHA1 hash: afde129118c3535418be720b55f3f5abe3919611

SHA256 hash: 6eb61d1eb41e6da86042b15178ce4d37c829ef856d4a139d97d57976c9bfd917
MD5 hash: 95f4986b1c9772f24af828131c25613b
SHA1 hash: 37e1fd7ee7e1c90fe49b5f16e6b5ace7a52eb0af

SHA256 hash: e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash: f707252b9c9579677fffb013e0cfc646
SHA1 hash: 8ab483023fa8773afb8c13464c39c5b8e687f126

SHA256 hash: 565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
MD5 hash: 83b531c1515044f8241cd9627fbfbe86
SHA1 hash: d2f7096e18531abb963fc9af7ecc543641570ac8

SHA256 hash: 9049ff744c56858b777adf1cf80f4e0f876a4d54dc23ea884c2f8aa39a3bef1d
MD5 hash: 31ebd93c9fb74de0bf3c9eac412f72fb
SHA1 hash: b7c4e5e258b4b7a3742c23315c7a204d73bf72d4

SHA256 hash: a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash: 6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash: 603a36f817cab5574e58ab279379e5c112e5fb37

SHA256 hash: 245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa
MD5 hash: 4f93004835598b36011104e6f25dbdba
SHA1 hash: 6cb45092356c54f68d26f959e4a05ce80ef28483

SHA256 hash: d0518b0d7f60eff3e8e710636ed4a410b5f8ae86d78562370af0ccb25e024512
MD5 hash: 2c7ceb4253cffa58e40b89b6713b1a4d
SHA1 hash: 3f5523371988babc8e5a9d1228334ff7d67beed7

SHA256 hash: be0d5d6f24340f68bb8a9075c9bbe2e1fbfff54a59f0f9290471610067acf161
MD5 hash: a8f8946fb732dc5951d04cbe721aaa73
SHA1 hash: c36e5163560192c55e729377636b1b609fd4bab7

SHA256 hash: 5ecf0cc53f4493bd84bb57c17c9c21410e7741ffd0f3e89dd355d9a81c0cdc3d
MD5 hash: c51fccdc5790768e4eb6a02183dbf5dd
SHA1 hash: ae0eaa7030d203f2c595cc2bee18e30b57ac6434

SHA256 hash: 37394ff1d7cb136eb5303c60c6a263fbc40e153310de0ba525aaf074c8e22ad9
MD5 hash: feed06ac04589104d291780cb17fbbc9
SHA1 hash: 593ff9382a25ba2b120491716b2e029a57d0f03d

SHA256 hash: b8be73fd849a4173c3e44cd0b90fc4031d86ef0ea1714d49231215508f48c0f9
MD5 hash: 8dce40f161c178f3cfd7f1366fb66295
SHA1 hash: ffff39a87454c98e5bebae33b9cfc3b72c3cb04e

SHA256 hash: 1a84c43f14c7da3d4ce92a9e06163d988b90952e5530a6fd896b2ca3c2908ab8
MD5 hash: 38835878beb157b7c778d8684426e1ac
SHA1 hash: bfcd5965dc274e58ffab62134e7af1931b554339

SHA256 hash: 42f948f52ddd00b51cb6a12de8a90ed30a40defa8e30ce6246a4f6fcce100f49
MD5 hash: 598fdadb315cbfe1317617707bc9b5d9
SHA1 hash: bef32b3046fc3a867a3daaddfcf8d5143448cb25
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  CoinMiner   Executable exe   42f948f52ddd00b51cb6a12de8a90ed30a40defa8e30ce6246a4f6fcce100f49 (this sample)

Delivery method: Distributed via web download
