MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 965aa210b33f53461fcced3b55bf1521bc202bcb0c72d28a4b9d22d60f779654. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 965aa210b33f53461fcced3b55bf1521bc202bcb0c72d28a4b9d22d60f779654
SHA3-384 hash: 3e09c8cdbb253383211863a2540c6ea947338e0722e877336c9cfd78ba5a58ebb2337df1fa083db5ef9416966df0064c
SHA1 hash: 7fa7d73ddc5363785fe35a04f739318659bc5f3e
MD5 hash: d3a37e41f864b96aaf16edc07c8d42e3
humanhash: uniform-tennessee-harry-neptune
File name:d3a37e41f864b96aaf16edc07c8d42e3.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:220'160 bytes
First seen:2021-09-13 17:15:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e29fdb264def7dda465a7a289be86662 (2 x RaccoonStealer, 1 x CoinMiner, 1 x RedLineStealer)
ssdeep 3072:4tscgKLxzHxg1nJNXOXV+mjrBm3Qh6k5ltOQsWvSSZEy8xlT3OqOS:egKLFxOnGXQmPAQTtdKO
Threatray 5'344 similar samples on MalwareBazaar
TLSH T1F224ADC035D0E831C5862C358861CBB456B9FC7185A38687FBB82B6F6E633F056E6352
dhash icon b27e7c7d727e6e76 (10 x RaccoonStealer, 5 x RedLineStealer, 5 x Stop)
Reporter abuse_ch
Tags:CoinMiner exe


Avatar
abuse_ch
CoinMiner C2:
http://94.158.245.117/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.158.245.117/ https://threatfox.abuse.ch/ioc/221022/

Intelligence

File Origin
# of uploads :
1
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d3a37e41f864b96aaf16edc07c8d42e3.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-13 17:17:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/445dc31c-299a-4107-8b60-305850994e2b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187527/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.25710.31666.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/617503e2db358dd15ed91caf/reports/694fcfa4-c6a0-4973-ba4b-b4d238f7f666/overview
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d0a3cacc-8b14-4c39-88aa-622f7fee88cb
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850026
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download HTTP data from a sinkholed server
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 482463 Sample: Mmg05DDHVy.exe Startdate: 13/09/2021 Architecture: WINDOWS Score: 100 84 s3-w.us-east-1.amazonaws.com 2->84 86 s3-1-w.amazonaws.com 2->86 88 7 other IPs or domains 2->88 100 Tries to download HTTP data from a sinkholed server 2->100 102 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->102 104 Antivirus detection for URL or domain 2->104 106 14 other signatures 2->106 11 Mmg05DDHVy.exe 2->11         started        14 jtdrjwc 2->14         started        16 svchost.exe 9 1 2->16         started        19 4 other processes 2->19 signatures3 process4 dnsIp5 122 Detected unpacking (changes PE section rights) 11->122 124 Contains functionality to inject code into remote processes 11->124 126 Injects a PE file into a foreign processes 11->126 21 Mmg05DDHVy.exe 11->21         started        128 Multi AV Scanner detection for dropped file 14->128 24 jtdrjwc 14->24         started        82 127.0.0.1 unknown unknown 16->82 signatures6 process7 signatures8 108 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->108 110 Maps a DLL or memory area into another process 21->110 112 Checks if the current machine is a virtual machine (disk enumeration) 21->112 26 explorer.exe 2 21->26 injected 114 Creates a thread in another existing process (thread injection) 24->114 process9 dnsIp10 94 193.56.146.41, 49837, 9080 LVLT-10753US unknown 26->94 96 fazanaharahe1.xyz 192.42.116.41, 49737, 49738, 49739 IP-EEND-ASIP-EENDBVNL Netherlands 26->96 98 18 other IPs or domains 26->98 76 C:\Users\user\AppData\Roaming\jtdrjwc, PE32 26->76 dropped 78 C:\Users\user\...\jtdrjwc:Zone.Identifier, ASCII 26->78 dropped 130 System process connects to network (likely due to code injection or exploit) 26->130 132 Benign windows process drops PE files 26->132 134 Performs DNS queries to domains with low reputation 26->134 136 2 other signatures 26->136 31 1AB8.exe 26->31         started        34 315F.exe 2 26->34         started        37 3874.exe 3 26->37         started        40 3 other processes 26->40 file11 signatures12 process13 dnsIp14 138 Detected unpacking (changes PE section rights) 31->138 140 Injects a PE file into a foreign processes 31->140 42 1AB8.exe 31->42         started        72 C:\Users\user\AppData\Local\...\pfffulrj.exe, PE32 34->72 dropped 142 Uses netsh to modify the Windows network and firewall settings 34->142 144 Modifies the windows firewall 34->144 45 cmd.exe 1 34->45         started        48 cmd.exe 2 34->48         started        50 sc.exe 34->50         started        60 3 other processes 34->60 90 94.158.245.117, 49844, 80 MIVOCLOUDMD Moldova Republic of 37->90 92 telete.in 195.201.225.248, 443, 49843 HETZNER-ASDE Germany 37->92 74 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 37->74 dropped 146 Tries to harvest and steal browser information (history, passwords, etc) 37->146 52 279A.exe 40->52         started        54 conhost.exe 40->54         started        56 conhost.exe 40->56         started        58 conhost.exe 40->58         started        file15 signatures16 process17 file18 116 Maps a DLL or memory area into another process 42->116 118 Checks if the current machine is a virtual machine (disk enumeration) 42->118 120 Creates a thread in another existing process (thread injection) 42->120 80 C:\Windows\SysWOW64\...\pfffulrj.exe (copy), PE32 45->80 dropped 62 conhost.exe 45->62         started        64 conhost.exe 48->64         started        66 conhost.exe 50->66         started        68 conhost.exe 60->68         started        70 conhost.exe 60->70         started        signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/965aa210b33f53461fcced3b55bf1521bc202bcb0c72d28a4b9d22d60f779654/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-13 16:32:28 UTC
AV detection:
15 of 44 (34.09%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sznkeefth5jumh6m5u5vlpyveg6cak6lbrznfcslturnmd3xszka._file
Verdict:
malicious
Similar samples:
24898127d1fda2a11a0f9531df9b0bea1cb977023c40dfc8f4be0c9b8b5e7ee3
CoinMiner
2719fd90e145c3520563231bf1e70417e5dc84cf275046f01ce1fe81f52c5381
CoinMiner
4dd3b8c14d77c4099c86f0fe88a0e58995f45da816eeb36845b1192b91c48e66
CoinMiner
506a485744a8e87c63ac2c420ae19be50a33e7ca375bfb123fbb6e317333b992
CoinMiner
6c7390a207bf7d3ce9df2c9df04609bbc6176eb958294f760e9167553fd05428
CoinMiner
772f6fe2ec8b23617a2b26d78a9b512579369b1d870fc69fa2921bf5148ee69f
CoinMiner
824c689a4994d5820df170d48638bd5f7d7491bccb75c6a3bc684426c7885486
CoinMiner
847a38c590090d40f07ba44dd60592cd40fe1d37e5f3b65bd6c980be752faafa
CoinMiner
b89b212833a00ced71d5cd0ddba882a68e137834a825318c6aadb4bb94f7d288
CoinMiner
e6caab24402f364bef57cd70a56650b7d657d3098e63361de7ddef5539199a66
CoinMiner
+ 5'334 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader botnet:3ka backdoor discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/210913-vs48laebe8/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://fazanaharahe1.xyz/
http://xandelissane2.xyz/
http://ustiassosale3.xyz/
http://cytheriata4.xyz/
http://ggiergionard5.xyz/
http://rrelleynaniy6.store/
http://danniemusoa7.store/
http://nastanizab8.store/
http://onyokandis9.store/
http://dmunaavank10.store/
http://gilmandros11.site/
http://cusanthana12.site/
http://willietjeana13.site/
http://ximusokall14.site/
http://blodinetisha15.site/
http://urydiahadyss16.club/
http://glasamaddama17.club/
http://marlingarly18.club/
http://alluvianna19.club/
http://xandirkaniel20.club/
91.142.77.155:5469
Unpacked files
SH256 hash:
00f084577498574656aee0e4ce71090d1127e61b121ded642095d8abafa8faad
MD5 hash:
1ebf9a8027fe82a4416188d52ee12a8c
SHA1 hash:
b78dd61046152043e8a4c7a4b144d7d94c9c0867
Link:
https://www.unpac.me/results/5204883b-7b3d-47d1-a5a2-87740d83bc26/
SH256 hash:
965aa210b33f53461fcced3b55bf1521bc202bcb0c72d28a4b9d22d60f779654
MD5 hash:
d3a37e41f864b96aaf16edc07c8d42e3
SHA1 hash:
7fa7d73ddc5363785fe35a04f739318659bc5f3e
Link:
https://www.unpac.me/results/5204883b-7b3d-47d1-a5a2-87740d83bc26/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/965aa210b33f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/965aa210b33f53461fcced3b55bf1521bc202bcb0c72d28a4b9d22d60f779654

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 965aa210b33f53461fcced3b55bf1521bc202bcb0c72d28a4b9d22d60f779654

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1612961/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/187527/

Comments