MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a46064ad322eb51e7b32acbaf537aa504e504e9f1d8c260fd8bac07f9c46b1c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 15

SHA256 hash: a46064ad322eb51e7b32acbaf537aa504e504e9f1d8c260fd8bac07f9c46b1c1
SHA3-384 hash: 3b0dc33cd64b349fb6269cbf97e2d10d9cc3e2ba2f2486e64e2987ba2f04158966b783817f47665fe7760aa9f629a5a4
SHA1 hash: 9e7cfb041b9d142f9ee2236bf06d49b0b9d1ae4f
MD5 hash: 0b58e845c5b46eee70186d536e90a343
humanhash: robert-island-lemon-lemon
File name: 0b58e845c5b46eee70186d536e90a343.exe
Signature: CoinMiner
File size: 1'340'928 bytes
First seen: 2023-10-16 08:19:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:XYUphffHxofFgATf2E4KCKqTYqM4VhXsY5TMs:XYYRofF56E4KyTvMWhc
TLSH: T1F95522A23E9DC1A1E07C0875511A8612B63EBD77B616266A6BF73D3E0F490C74FC2D18
TrID: 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
      1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter: abuse_ch
Tags: CoinMiner exe

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 318
Origin country: NL
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: 0b58e845c5b46eee70186d536e90a343.exe
Verdict: Malicious activity
Analysis date: 2023-10-16 08:26:11 UTC
Tags: opendir loader payload privateloader evasion stealc stealer risepro redline lumma ransomware stop smoke sinkhole vidar trojan arkei

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a window
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Modifying a system file
Replacing files
Reading critical registry keys
Launching a service
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Blocking the User Account Control
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.adwa.spyw.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops script or batch files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Threat name: Win32.Spyware.Vidar
Status: Malicious
First seen: 2023-10-14 10:59:18 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 21 of 38 (55.26%)
Threat level: 2/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:glupteba family:privateloader family:xmrig dropper evasion loader miner persistence spyware stealer trojan upx vmprotect
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
VMProtect packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
XMRig Miner payload
Glupteba
Glupteba payload
PrivateLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Windows security bypass
xmrig
Unpacked files
SHA256 hash: 8b14d7cf068ad42d35961008e64ac4daad0f8dd85caf8375eae78f277f38d4df
MD5 hash: 653f271bca00061adf3885a79941f35d
SHA1 hash: bd6b53f29b05b2d583f341d2eabd2c5ddb9c8aca
SHA256 hash: a46064ad322eb51e7b32acbaf537aa504e504e9f1d8c260fd8bac07f9c46b1c1
MD5 hash: 0b58e845c5b46eee70186d536e90a343
SHA1 hash: 9e7cfb041b9d142f9ee2236bf06d49b0b9d1ae4f
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: CoinMiner
File: Executable exe a46064ad322eb51e7b32acbaf537aa504e504e9f1d8c260fd8bac07f9c46b1c1 (this sample)
Distributed via web download

Comments