MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e5261496e29772d832ce9eb4c8d0fea051a1b586c0a008529dfabb5ee5dc43a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e5261496e29772d832ce9eb4c8d0fea051a1b586c0a008529dfabb5ee5dc43a
SHA3-384 hash: 729f10c7cc192dbf9495ac932db964f5207d5366956ee2fc28426b95cdd771f0acdfa790dfc314cdc72d8baebbcf00c6
SHA1 hash: 0c15d3f00436b8f37c8c81d5ace28a45fcd1e9b3
MD5 hash: b22a09df16d6b60a9a35a132aacfa7bb
humanhash: wolfram-michigan-salami-orange
File name:B22A09DF16D6B60A9A35A132AACFA7BB.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:252'416 bytes
First seen:2021-09-11 07:10:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a2b61ec335a437915fc26e9e5178da86 (5 x RaccoonStealer, 4 x Stop, 2 x ArkeiStealer)
ssdeep 3072:IA6x/E7FVhYvVL27g7z8NDNYaVgoFbZF7IxScqptzXtmoicC4z0q4vis7ueoKqlw:IAX7FVuVLHX8NDOaZBtAvjU0qb0oI
Threatray 4'375 similar samples on MalwareBazaar
TLSH T189348D20B6A0C035F4B712F559B683B9A93DBDB1AB2441CB62D43BEE56346E4DC30397
dhash icon e8e8c8e8aa66a499 (4 x RaccoonStealer, 3 x RedLineStealer, 3 x CryptBot)
Reporter abuse_ch
Tags:CoinMiner exe


Avatar
abuse_ch
CoinMiner C2:
http://5.181.156.77/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.77/ https://threatfox.abuse.ch/ioc/219656/

Intelligence

File Origin
# of uploads :
1
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
B22A09DF16D6B60A9A35A132AACFA7BB.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-11 07:12:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/66603813-6144-4918-8769-ef5a8258a59b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187021/
Detection(s):
Win.Packed.Jaik-9891196-0
Create hunting rule

Win.Packed.Jaik-9891200-0
Create hunting rule

Win.Packed.Jaik-9891213-0
Create hunting rule

Win.Packed.Raccoon-9891246-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f27ac85d-5e9b-4e0f-bf6a-2684e76c1079
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849094
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to download HTTP data from a sinkholed server
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 481525 Sample: 5aC1boZSQm.exe Startdate: 11/09/2021 Architecture: WINDOWS Score: 100 102 telete.in 2->102 104 ppzs07.site 2->104 106 2 other IPs or domains 2->106 132 Tries to download HTTP data from a sinkholed server 2->132 134 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->134 136 Antivirus detection for URL or domain 2->136 138 15 other signatures 2->138 11 5aC1boZSQm.exe 2->11         started        14 zxhffveu.exe 2->14         started        16 iwcgvhj 2->16         started        18 11 other processes 2->18 signatures3 process4 dnsIp5 174 Detected unpacking (changes PE section rights) 11->174 176 Contains functionality to inject code into remote processes 11->176 178 Injects a PE file into a foreign processes 11->178 21 5aC1boZSQm.exe 11->21         started        180 Writes to foreign memory regions 14->180 182 Allocates memory in foreign processes 14->182 24 svchost.exe 14->24         started        27 iwcgvhj 16->27         started        108 127.0.0.1 unknown unknown 18->108 110 192.168.2.1 unknown unknown 18->110 112 marlingarly18.club 18->112 184 Changes security center settings (notifications, updates, antivirus, firewall) 18->184 186 DLL side loading technique detected 18->186 signatures6 process7 dnsIp8 164 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->164 166 Maps a DLL or memory area into another process 21->166 168 Checks if the current machine is a virtual machine (disk enumeration) 21->168 29 explorer.exe 11 21->29 injected 122 microsoft-com.mail.protection.outlook.com 40.93.212.0, 25, 49805 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->122 124 defeatwax.ru 193.56.146.188, 443, 49806 LVLT-10753US unknown 24->124 170 System process connects to network (likely due to code injection or exploit) 24->170 172 Creates a thread in another existing process (thread injection) 27->172 signatures9 process10 dnsIp11 126 193.56.146.41, 49788, 9080 LVLT-10753US unknown 29->126 128 91.241.19.38, 49801, 80 REDBYTES-ASRU Russian Federation 29->128 130 18 other IPs or domains 29->130 94 C:\Users\user\AppData\Roaming\iwcgvhj, PE32 29->94 dropped 96 C:\Users\user\AppData\Local\Temp\A761.exe, PE32 29->96 dropped 98 C:\Users\user\AppData\Local\Temp\90EA.exe, PE32 29->98 dropped 100 3 other malicious files 29->100 dropped 192 System process connects to network (likely due to code injection or exploit) 29->192 194 Benign windows process drops PE files 29->194 196 Performs DNS queries to domains with low reputation 29->196 198 2 other signatures 29->198 34 88EA.exe 2 29->34         started        38 90EA.exe 80 29->38         started        41 E99D.exe 29->41         started        43 5 other processes 29->43 file12 signatures13 process14 dnsIp15 84 C:\Users\user\AppData\Local\...\zxhffveu.exe, PE32 34->84 dropped 140 Detected unpacking (changes PE section rights) 34->140 142 Uses netsh to modify the Windows network and firewall settings 34->142 144 Modifies the windows firewall 34->144 45 cmd.exe 34->45         started        48 cmd.exe 34->48         started        51 sc.exe 34->51         started        62 3 other processes 34->62 114 5.181.156.77, 49795, 80 MIVOCLOUDMD Moldova Republic of 38->114 116 telete.in 195.201.225.248, 443, 49794 HETZNER-ASDE Germany 38->116 86 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 38->86 dropped 88 C:\Users\user\AppData\...\vcruntime140.dll, PE32 38->88 dropped 90 C:\Users\user\AppData\...\ucrtbase.dll, PE32 38->90 dropped 92 56 other files (none is malicious) 38->92 dropped 146 Tries to steal Mail credentials (via file access) 38->146 148 Contains functionality to steal Internet Explorer form passwords 38->148 53 cmd.exe 38->53         started        118 ppas08.top 45.93.4.90 LEASEWEB-DE-FRA-10DE Russian Federation 41->118 150 Query firmware table information (likely to detect VMs) 41->150 152 Tries to detect sandboxes and other dynamic analysis tools (window names) 41->152 154 Tries to harvest and steal ftp login credentials 41->154 156 Tries to harvest and steal browser information (history, passwords, etc) 41->156 158 Hides threads from debuggers 43->158 160 Injects a PE file into a foreign processes 43->160 162 Tries to detect sandboxes / dynamic malware analysis system (registry check) 43->162 55 7F54.exe 43->55         started        58 conhost.exe 43->58         started        60 7F54.exe 43->60         started        64 3 other processes 43->64 file16 signatures17 process18 dnsIp19 188 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 45->188 190 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 45->190 66 conhost.exe 45->66         started        82 C:\Windows\SysWOW64\...\zxhffveu.exe (copy), PE32 48->82 dropped 68 conhost.exe 48->68         started        70 conhost.exe 51->70         started        72 conhost.exe 53->72         started        74 timeout.exe 53->74         started        120 146.70.35.170 TENET-1ZA United Kingdom 55->120 76 conhost.exe 62->76         started        78 conhost.exe 62->78         started        80 conhost.exe 62->80         started        file20 signatures21 process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e5261496e29772d832ce9eb4c8d0fea051a1b586c0a008529dfabb5ee5dc43a/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 19:21:00 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tzjgcsloff3s3azm5hvuzdip5icrug2ynqfabbjj36v3l3s5yq5a._file
Verdict:
malicious
Similar samples:
03d23ad7ab07c264aa23794c51236157641a98f8a6b40dc063e3403e831b967b
CoinMiner
091ee9a9dd7f5501d96e04c9d7cfda6bb6cf3cdcb308f2ef293c123f675d56a7
CoinMiner
24d74834868ad2cd944eb3f5a863383e851bee9231c870258dd5ba4bddf58e83
CoinMiner
3fa40031fe4c0dda1a5e228221ab8e839333f6219d74e89114067c332b59bf39
CoinMiner
561a8533273e9f2b9c5fb33089538d4c70d6b7d6358750ba89dcf3c56417d95d
CoinMiner
675d315e728f48317a23c5f63712f99e82090a2922ecb255f80f2545bfed788a
CoinMiner
75c941b968a0da0f653a9e21ec2939d615e49e4ffc3f64bb16e00170a5457b5a
CoinMiner
7ac7316234cbc2894267e99ceca5574f892cb2e49b66cfb2611d73388f0994b3
CoinMiner
dba5e6264deed1c0d630810ce0ba5931e442398ab117ab551f05e77d69613bfb
CoinMiner
e4a17e7fabd31dca0c8ffa32fdb6ffbe1d4a696e2a6636186787b8259b95eb54
CoinMiner
+ 4'365 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader botnet:3knext backdoor infostealer trojan
Link:
https://tria.ge/reports/210911-hzyceabbc6/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Executes dropped EXE
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://fazanaharahe1.xyz/
http://xandelissane2.xyz/
http://ustiassosale3.xyz/
http://cytheriata4.xyz/
http://ggiergionard5.xyz/
http://rrelleynaniy6.store/
http://danniemusoa7.store/
http://nastanizab8.store/
http://onyokandis9.store/
http://dmunaavank10.store/
http://gilmandros11.site/
http://cusanthana12.site/
http://willietjeana13.site/
http://ximusokall14.site/
http://blodinetisha15.site/
http://urydiahadyss16.club/
http://glasamaddama17.club/
http://marlingarly18.club/
http://alluvianna19.club/
http://xandirkaniel20.club/
91.142.77.155:5469
Unpacked files
SH256 hash:
00f084577498574656aee0e4ce71090d1127e61b121ded642095d8abafa8faad
MD5 hash:
1ebf9a8027fe82a4416188d52ee12a8c
SHA1 hash:
b78dd61046152043e8a4c7a4b144d7d94c9c0867
Link:
https://www.unpac.me/results/2d1d74ef-20b4-4706-9985-f1a469750ccc/
SH256 hash:
9e5261496e29772d832ce9eb4c8d0fea051a1b586c0a008529dfabb5ee5dc43a
MD5 hash:
b22a09df16d6b60a9a35a132aacfa7bb
SHA1 hash:
0c15d3f00436b8f37c8c81d5ace28a45fcd1e9b3
Link:
https://www.unpac.me/results/2d1d74ef-20b4-4706-9985-f1a469750ccc/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9e5261496e29/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9e5261496e29772d832ce9eb4c8d0fea051a1b586c0a008529dfabb5ee5dc43a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187021/

Comments