MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87ac304ad10b59837156111ee42a49410f41e34af40e8c27efe62bf2e5ac4eee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87ac304ad10b59837156111ee42a49410f41e34af40e8c27efe62bf2e5ac4eee
SHA3-384 hash: 2f192a47b7445d88b9851d2f81f426ed5f61207981cb058cb6d72549ff61d1a44f9ca006bb47cfa5b9da941b1b33ae2d
SHA1 hash: dbb8064cd588cdb52fc2be81627352e8d2e5cc04
MD5 hash: 2caef13c8bb68ebeeab9c02f1d674ecc
humanhash: fruit-video-queen-echo
File name:2caef13c8bb68ebeeab9c02f1d674ecc.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:247'808 bytes
First seen:2021-10-06 07:46:44 UTC
Last seen:2021-10-06 09:07:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 35a4f2810483d7186fd90e5ce794e1a5 (8 x RaccoonStealer, 4 x CoinMiner, 1 x ArkeiStealer)
ssdeep 3072:ahElm8HdD/rjXcgVMI6/f823bthv/PITpaZkIaeh+3j6pESIO81Yl0zl19pwoJpy:ahETVDwgVMp/U2PPUquSn0zl19pDJ8
Threatray 4'812 similar samples on MalwareBazaar
TLSH T1BB349E1135D2CFF1E76316307961C6A0872ABDAD7E72B18B37D5262F1E3C6E18A25306
File icon (PE):PE icon
dhash icon 4839b234e8c38890 (121 x RaccoonStealer, 54 x RedLineStealer, 51 x ArkeiStealer)
Reporter abuse_ch
Tags:CoinMiner exe


Avatar
abuse_ch
CoinMiner C2:
http://91.219.236.243/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.219.236.243/ https://threatfox.abuse.ch/ioc/230868/

Intelligence

File Origin
# of uploads :
2
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2caef13c8bb68ebeeab9c02f1d674ecc.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-06 07:57:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2cc94c3c-b748-4c2b-9df4-84eeecb429d3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195312/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.17942.9893.20189.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e9dba024-2f24-412a-ba16-c36dcfaa0f98
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/865519
Signature
.NET source code contains very large array initializations
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 497944 Sample: dBqfgL7GXS.exe Startdate: 06/10/2021 Architecture: WINDOWS Score: 100 93 microsoft-com.mail.protection.outlook.com 52.101.24.0, 25, 49830 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->93 95 defeatwax.ru 193.56.146.188, 443, 49832, 49870 LVLT-10753US unknown 2->95 97 3 other IPs or domains 2->97 135 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->135 137 Multi AV Scanner detection for domain / URL 2->137 139 System process connects to network (likely due to code injection or exploit) 2->139 141 13 other signatures 2->141 11 dBqfgL7GXS.exe 2->11         started        14 vcffuit 2->14         started        16 svchost.exe 2->16         started        19 4 other processes 2->19 signatures3 process4 dnsIp5 159 Detected unpacking (changes PE section rights) 11->159 161 Contains functionality to inject code into remote processes 11->161 163 Injects a PE file into a foreign processes 11->163 21 dBqfgL7GXS.exe 11->21         started        24 vcffuit 14->24         started        91 192.168.2.1 unknown unknown 16->91 signatures6 process7 signatures8 143 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->143 145 Maps a DLL or memory area into another process 21->145 147 Checks if the current machine is a virtual machine (disk enumeration) 21->147 26 explorer.exe 12 21->26 injected 149 Creates a thread in another existing process (thread injection) 24->149 process9 dnsIp10 101 193.56.146.41, 49783, 9080 LVLT-10753US unknown 26->101 103 privacy-toolz-for-you-3000.top 94.142.140.28, 49768, 49769, 49770 IHOR-ASRU Russian Federation 26->103 105 2 other IPs or domains 26->105 81 C:\Users\user\AppData\Roaming\vcffuit, PE32 26->81 dropped 83 C:\Users\user\AppData\Local\Temp\905E.exe, PE32 26->83 dropped 85 C:\Users\user\AppData\Local\Temp\7F95.exe, PE32 26->85 dropped 87 4 other files (3 malicious) 26->87 dropped 165 System process connects to network (likely due to code injection or exploit) 26->165 167 Benign windows process drops PE files 26->167 169 Deletes itself after installation 26->169 171 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->171 31 905E.exe 80 26->31         started        36 56EB.exe 26->36         started        38 7504.exe 2 26->38         started        40 2 other processes 26->40 file11 signatures12 process13 dnsIp14 107 185.163.47.232, 49810, 80 MIVOCLOUDMD Moldova Republic of 31->107 109 teletop.top 104.21.17.146, 49808, 80 CLOUDFLARENETUS United States 31->109 71 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 31->71 dropped 73 C:\Users\user\AppData\...\vcruntime140.dll, PE32 31->73 dropped 75 C:\Users\user\AppData\...\ucrtbase.dll, PE32 31->75 dropped 79 56 other files (none is malicious) 31->79 dropped 113 Detected unpacking (changes PE section rights) 31->113 115 Detected unpacking (overwrites its own PE header) 31->115 117 Tries to steal Mail credentials (via file access) 31->117 119 Tries to harvest and steal browser information (history, passwords, etc) 31->119 121 Injects a PE file into a foreign processes 36->121 42 56EB.exe 36->42         started        77 C:\Users\user\AppData\Local\...\tfaxeddr.exe, PE32 38->77 dropped 123 Uses netsh to modify the Windows network and firewall settings 38->123 125 Modifies the windows firewall 38->125 45 cmd.exe 38->45         started        48 cmd.exe 38->48         started        50 sc.exe 38->50         started        59 2 other processes 38->59 111 193.56.146.60, 36906, 49866 LVLT-10753US unknown 40->111 127 Query firmware table information (likely to detect VMs) 40->127 129 Tries to detect sandboxes and other dynamic analysis tools (window names) 40->129 131 Hides threads from debuggers 40->131 133 Tries to detect sandboxes / dynamic malware analysis system (registry check) 40->133 52 5E4F.exe 40->52         started        55 conhost.exe 40->55         started        57 conhost.exe 40->57         started        file15 signatures16 process17 dnsIp18 151 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 42->151 153 Maps a DLL or memory area into another process 42->153 155 Checks if the current machine is a virtual machine (disk enumeration) 42->155 157 Creates a thread in another existing process (thread injection) 42->157 89 C:\Windows\SysWOW64\...\tfaxeddr.exe (copy), PE32 45->89 dropped 61 conhost.exe 45->61         started        63 conhost.exe 48->63         started        65 conhost.exe 50->65         started        99 93.115.20.139, 28978, 49867 MVPShttpswwwmvpsnetEU Romania 52->99 67 conhost.exe 59->67         started        69 conhost.exe 59->69         started        file19 signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87ac304ad10b59837156111ee42a49410f41e34af40e8c27efe62bf2e5ac4eee/
Threat name:
Win32.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2021-10-06 01:37:02 UTC
AV detection:
16 of 45 (35.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q6wdaswrbnmyg4kwcepoiksjiehudy2k6qhiyj7p4yv7fznmj3xa._file
Verdict:
malicious
Similar samples:
02aade8f11ebeb13f9072de70ca49a6f83aa1c23b1bafe8978b5681dab12282c
CoinMiner
04a77c819d0028948adb252dee0fec6618bf66c079086b9993267ddb7b1d70a6
CoinMiner
2b1b66d7ab2022d41004937b8ea3d9f375364347b4f51d9d14bddc314296a1c5
CoinMiner
44e29e5cd002e8d4d4f13432847f38fa79a1667b5fdef9b9f316c3501f3bb480
CoinMiner
938029b6b522bdd22cbba8cfb88a1d97d0fbc264d1d7a5ded22a4924a15e6161
CoinMiner
a1b29584402503925406ceeb5be6a463eea7755f401e3a2c8f82ae3897e3820a
CoinMiner
abcd86df71b0dcd29c9fd43c17efc16763dadecac5e071d588ba6c409e536e56
CoinMiner
f2edf69ca64bb435d61ded2c3ca210d1bd19952c19275b7bd65d0d707fedadaa
CoinMiner
f74d7500782ca945d3296cd4fcf19af60b7035ff65d646c64b0c8761e38ea193
CoinMiner
fab15b7f61f816cf3128cc02c96d98d3385533087bc5afe3cd3799e7e034ce7f
CoinMiner
+ 4'802 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:smokeloader botnet:8d179b9e611eee525425544ee8c6d77360ab7cd9 backdoor discovery spyware stealer suricata trojan
Link:
https://tria.ge/reports/211006-jmlcrababq/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
Malware Config
C2 Extraction:
http://fiskahlilian16.top/
http://paishancho17.top/
http://ydiannetter18.top/
http://azarehanelle19.top/
http://quericeriant20.top/
Unpacked files
SH256 hash:
592b089027938156e18387e4402b965a5f1ffc25e96d7efc3aa9331254587bdd
MD5 hash:
2dbb1eb8c40c88994738a736ad55c79b
SHA1 hash:
88e2fc9242606c7dfcd68d5da8c6d457837157a3
Link:
https://www.unpac.me/results/fb9d6364-9c8f-4f79-a056-9c96ebcd2a6f/
SH256 hash:
87ac304ad10b59837156111ee42a49410f41e34af40e8c27efe62bf2e5ac4eee
MD5 hash:
2caef13c8bb68ebeeab9c02f1d674ecc
SHA1 hash:
dbb8064cd588cdb52fc2be81627352e8d2e5cc04
Link:
https://www.unpac.me/results/fb9d6364-9c8f-4f79-a056-9c96ebcd2a6f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/87ac304ad10b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87ac304ad10b59837156111ee42a49410f41e34af40e8c27efe62bf2e5ac4eee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 87ac304ad10b59837156111ee42a49410f41e34af40e8c27efe62bf2e5ac4eee

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1653238/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/195312/

Comments