MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f5650987c9810c4cc59a467650844179c1349ded7b2fa0f1b00edbbf648612c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 12

SHA256 hash: 5f5650987c9810c4cc59a467650844179c1349ded7b2fa0f1b00edbbf648612c
SHA3-384 hash: 41c394511ef46320aec2e5fee507d54b9dd35f1e130d22408a96ab12aaeb0e336a8f7561f3a9b38863b481ba8d738fda
SHA1 hash: bf27df9984f07c663b3d2ba7948f1387e84bbfb2
MD5 hash: 838a91d84bfde7f6c7ac5b285b80cd83
humanhash: washington-item-mexico-sad
File name: Loader.exe
Signature: CoinMiner
File size: 994'816 bytes
First seen: 2021-10-12 21:07:11 UTC
Last seen: 2021-10-12 21:47:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep: 12288:BjgSKclWABuTMKHQ86ArcobNYeWjprQv1/kcFbW4eLKuXK3TIODJ5wd3pDyuWOdi:jKqBSzhTq8OWuoN
Threatray: 84 similar samples on MalwareBazaar
TLSH: T1A825F12434FB6019A173FFA25BD8B8AADF9FF772170B242E219053478B92D41DE82535
Reporter: Anonymous
Tags: CoinMiner exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 398
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Loader.exe
Verdict: Malicious activity
Analysis date: 2021-10-12 21:06:31 UTC
Tags: trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Found strings related to Crypto-Mining
Injects a PE file into a foreign process
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Defender Exclusion
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Xmrig
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [rendered as an image on the original page; Behavior Graph ID: 501484, Sample: Loader.exe, Startdate: 12/10/2021, Architecture: WINDOWS, Score: 100. Top signatures shown in the graph: Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); Sigma detected: Powershell download and execute file; 9 other signatures]
Threat name: ByteCode-MSIL.Trojan.Generic
Status: Suspicious
First seen: 2021-10-12 21:10:35 UTC
AV detection: 18 of 45 (40.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:redline family:xmrig discovery infostealer miner spyware stealer
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
RedLine
RedLine Payload
xmrig
Malware Config
C2 Extraction:
141.94.188.138:46419
Dropper Extraction:
http://cx55566.tmweb.ru/farm_money.exe
http://cx55566.tmweb.ru/monero-bandit.exe
Unpacked files
SHA256 hash:
87259b213c07e14f8207e5963cbb97196355c285e1acd1fa59b93beef26c694a
MD5 hash:
f0676a84c989e2cb423f836e0e5b3597
SHA1 hash:
886b17858d955e0c3208f05a63d06df33de8625f
SHA256 hash:
5f5650987c9810c4cc59a467650844179c1349ded7b2fa0f1b00edbbf648612c
MD5 hash:
838a91d84bfde7f6c7ac5b285b80cd83
SHA1 hash:
bf27df9984f07c663b3d2ba7948f1387e84bbfb2
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Sample: Executable exe 5f5650987c9810c4cc59a467650844179c1349ded7b2fa0f1b00edbbf648612c (this sample), signature CoinMiner
