MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 641b9d5b4543b83154505b255b80b88f96e8689f32f6278f07f0dc22360d84ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 10



SHA256 hash: 641b9d5b4543b83154505b255b80b88f96e8689f32f6278f07f0dc22360d84ee
SHA3-384 hash: 3df9c7243e1de504fd9e6b9ad3453b35a00ec62c41eaeb85cc347618f63765f4dc483e07c329d4ea7cd7649d6bc2ca5d
SHA1 hash: 10c9e2d460b8b24e1ac11534e30ba5756c1b74d5
MD5 hash: 5d4bd9b22c1038aca45f387c4a0161e5
humanhash: early-music-uncle-hamper
File name: 15192378.exe
Signature CoinMiner
File size: 948'224 bytes
First seen: 2022-03-18 05:06:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 24576:VYVRZ71IAfSR5U8NjGykEaHNYK3vcd5lgiQ:VYR7196RP3Na1S3gD
Threatray 1'736 similar samples on MalwareBazaar
TLSH T14A1533A76304DDE8C28A1EF89321070BB6A717D8FA9470B656777642921D0DAF17C2F2
Reporter adm1n_usa32
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 268
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating synchronization primitives
Creating a file
Creating a process from a recently created file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Verdict:
Malicious
Result
Threat name:
RedLine TON Miner Xmrig
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Blacklisted process start detected (Windows program)
Detected Stratum mining protocol
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Application Executed Non-Executable Extension
Sigma detected: File Created with System Process Name
Sigma detected: Notepad Making Network Connection
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Crypto Mining Indicators
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected TON Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
[Behavior graph image not reproduced here] Behavior Graph ID: 591721, Sample: 15192378.exe, Startdate: 18/03/2022, Architecture: WINDOWS, Score: 100
Threat name:
Win32.Packed.Generic
Status:
Suspicious
First seen:
2022-03-18 05:07:11 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 27 (81.48%)
Threat level:
  1/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Behaviour
Program crash
Unpacked files
SHA256 hash:
24c9207cd4b065a059b05e95a27ff9edf9f9c1033bdd48fcfdb19348bffd59b4
MD5 hash:
18813097a868c29099aab5d5d5818981
SHA1 hash:
0abc02ce576f0920170d7408eb0705c69fda9f89
SHA256 hash:
4faec71c0c576e12df88a9590bc46d98631e54d911a45b16b4a89877bae6e385
MD5 hash:
6544c609b1ab32c5d8a2fe67ace6f3e2
SHA1 hash:
4eee15a4a0002fdb4d74e1b10b5d168f31425cf4
SHA256 hash:
641b9d5b4543b83154505b255b80b88f96e8689f32f6278f07f0dc22360d84ee
MD5 hash:
5d4bd9b22c1038aca45f387c4a0161e5
SHA1 hash:
10c9e2d460b8b24e1ac11534e30ba5756c1b74d5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: Redline_Stealer_Monitor
Description: Detects RedLine Stealer Variants
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments