MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 10

SHA256 hash: 8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769
SHA3-384 hash: 580483498ff99496917aefd157eee19bdbb7b9a4fc1fc777213f8fa8cdba732ebb995938ad41bf08620a6d72cb005669
SHA1 hash: 5ea7dcffcda6cdf903fe4de53b753f7db2049e4f
MD5 hash: 743bcc99b15c971e0269cb3376c9ff69
humanhash: juliet-undress-alpha-stream
File name: 743bcc99b15c971e0269cb3376c9ff69.exe
Signature: CoinMiner
File size: 252'928 bytes
First seen: 2021-09-07 13:56:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b96546bb8656e94382ad7dab68551d5e (3 x RaccoonStealer, 1 x CoinMiner, 1 x RedLineStealer)
ssdeep: 6144:MNciryKxRySZVHQl6uU8RVKyvKfEOvX6:5irVxASZVfuU8nK38O
Threatray: 1'790 similar samples on MalwareBazaar
TLSH: T127349D20B6A0C035F5F751F449B983B96939BEB29F2051CFA2D42AEE5A346E0DD30747
dhash icon: e0e8e8e8aa66a499 (32 x RaccoonStealer, 23 x RedLineStealer, 14 x ArkeiStealer)
Reporter: abuse_ch
Tags: CoinMiner exe


abuse_ch
CoinMiner C2:
http://178.23.190.242/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://178.23.190.242/
ThreatFox reference: https://threatfox.abuse.ch/ioc/216953/

Intelligence


File Origin
# of uploads: 1
# of downloads: 188
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 743bcc99b15c971e0269cb3376c9ff69.exe
Verdict: Suspicious activity
Analysis date: 2021-09-07 13:57:00 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Creating a process from a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Deleting of the original file
Enabling autorun by creating a file
Unauthorized injection to a system process
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: Raccoon RedLine SmokeLoader Tofsee Xmrig
Detection: malicious
Classification: spre.troj.spyw.evad.mine
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Send many emails (e-Mail Spam)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to download HTTP data from a sinkholed server
Tries to resolve many domain names, but no domain seems valid
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: ID 479095, sample DWVByMCYL8.exe, start date 07/09/2021, architecture WINDOWS, score 100 (the rendered graph of process, network and dropped-file nodes is not reproduced here)
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2021-09-07 13:39:38 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5

Result
Malware family: smokeloader
Score: 10/10
Tags: family:raccoon family:redline family:smokeloader botnet:e89524de1a131be43c3cc9ec324dabb6a9998c12 botnet:fe582536ec580228180f270f7cb80a867860e010 botnet:installs backdoor discovery evasion infostealer persistence spyware stealer suricata themida trojan
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Core1 .NET packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Known Sinkhole Response Header
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 00f084577498574656aee0e4ce71090d1127e61b121ded642095d8abafa8faad
MD5 hash: 1ebf9a8027fe82a4416188d52ee12a8c
SHA1 hash: b78dd61046152043e8a4c7a4b144d7d94c9c0867

SHA256 hash: 8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769
MD5 hash: 743bcc99b15c971e0269cb3376c9ff69
SHA1 hash: 5ea7dcffcda6cdf903fe4de53b753f7db2049e4f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Embedded_PE
Rule name: Embedded_PE

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner
Executable exe 8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769 (this sample)

Delivery method: Distributed via web download

Comments