MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9036c5bc41459a874c258bb01b4e65049e77a03d0d341a89489abafe2419123c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	9036c5bc41459a874c258bb01b4e65049e77a03d0d341a89489abafe2419123c
SHA3-384 hash:	1ec2553960d451550fcb103daea5aacde27ddf6ec8364ffbced68fcb1e44e55541fddf0766d460c3599018543e6e254a
SHA1 hash:	dd9547c88b42dbd6081856749babfc6c8d9f0313
MD5 hash:	a3a79ebb6fb638ab540cabd43d039442
humanhash:	single-iowa-thirteen-maryland
File name:	file
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	1'273'056 bytes
First seen:	2023-10-06 01:21:03 UTC
Last seen:	2023-10-06 22:00:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	dd37d5107a0f5ef74aaa6f8fa4aebb1d (2 x CoinMiner, 1 x AgentTesla, 1 x XWorm)
ssdeep	24576:C6PysE9eKXiL6LXovNQEyBVEwurjc2ravkBneJNzGhANg5VaMZ9qyKsitDa:C6gXiLS4aEyBJuXavkBeJNG265Va2MyZ
TLSH	T19C4533E7AB66C855EA935076E6FA7FE98733607D0848CB026A7440F25C405E27DF0E53
TrID	64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12) 25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.EXE) OS/2 Executable (generic) (2029/13) 1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	andretavare5
Tags:	CoinMiner exe signed

Code Signing Certificate

Organisation:	Microsoft Code Signing PCA 2011
Issuer:	Microsoft Code Signing PCA 2011
Algorithm:	sha256WithRSAEncryption
Valid from:	2023-10-06T00:56:10Z
Valid to:	2024-10-06T00:56:10Z
Serial number:	7dd4dc41aa17f49d0a3f7912763be512
Thumbprint Algorithm:	SHA256
Thumbprint:	7f571bcaaa05ae3326adecc639292d621a4eeccf20f4b4ede6829bf2e0b8ae7a
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from http://185.225.74.144/files/Umm2.exe

Intelligence

File Origin

# of uploads :

# of downloads :

368

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

https://sunbabsco.com/wp-download/server/zip.7z

Verdict:

Malicious activity

Analysis date:

2023-10-06 17:35:54 UTC

Tags:

privateloader evasion opendir loader gcleaner risepro stealer redline ransomware stop hijackloader tofsee botnet stealc vidar trojan arkei miner raccoon recordbreaker amadey raccoonclipper teamspy remote g0njxa

Link:

https://app.any.run/tasks/261c410a-1efa-4cf2-b27f-6c8b86ac0d59

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Connecting to a non-recommended domain

Sending an HTTP GET request

Creating a file

Creating a process from a recently created file

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Creating a file in the %temp% subdirectories

Creating a window

Launching cmd.exe command interpreter

Running batch commands

Blocking the User Account Control

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a recently created process

Adding an exclusion to Microsoft Defender

Unauthorized injection to a system process

Sending an HTTP GET request to an infection source

Enabling autorun by creating a file

Gathering data

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/9036c5bc41459a874c258bb01b4e65049e77a03d0d341a89489abafe2419123c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/79652861-b437-4d6e-9dc6-3e0f7123d243

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9036c5bc41459a874c258bb01b4e65049e77a03d0d341a89489abafe2419123c/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-10-06 01:22:06 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

12 of 23 (52.17%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sa3mlpcbiwniotbfroybwttfasphpib5bu2bvckitk5p4jazci6a._file

Verdict:

unknown

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:amadey family:glupteba family:xmrig dropper evasion loader miner trojan upx

Link:

https://tria.ge/reports/231006-bqp64sad87/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Launches sc.exe

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Drops startup file

UPX packed file

Downloads MZ/PE file

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Stops running service(s)

Modifies boot configuration data using bcdedit

XMRig Miner payload

UAC bypass

xmrig

Amadey

Glupteba

Glupteba payload

Malware Config

C2 Extraction:

http://193.42.32.29/9bDc8sQ/index.php

Unpacked files

SH256 hash:

bf2ba295c600fdaf7678c29637d085e67161d5092c5c730c50151599bf6201f3

MD5 hash:

61a5e0c8b73b9e6d8e8c844f235d1e41

SHA1 hash:

9f4e59f0d54bae8d50496729a84a7c6d19b76d55

Link:

https://www.unpac.me/results/df39f169-cde2-4a88-82d8-e5344bb5c959/

SH256 hash:

9036c5bc41459a874c258bb01b4e65049e77a03d0d341a89489abafe2419123c

MD5 hash:

a3a79ebb6fb638ab540cabd43d039442

SHA1 hash:

dd9547c88b42dbd6081856749babfc6c8d9f0313

Link:

https://www.unpac.me/results/df39f169-cde2-4a88-82d8-e5344bb5c959/

Malware family:

Amadey

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9036c5bc4145/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/9036c5bc41459a874c258bb01b4e65049e77a03d0d341a89489abafe2419123c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shad0w_beacon_16June Create hunting rule
Author:	SBousseaden
Description:	Shad0w beacon compressed
Reference:	https://github.com/bats3c/shad0w

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2715393/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample