MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a526e9dae9298bbd03ca2a8fc8a45809eac1543bbec4680182493c551d65f731. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a526e9dae9298bbd03ca2a8fc8a45809eac1543bbec4680182493c551d65f731
SHA3-384 hash: b6f53b27c8cb8299b6bb5b331bc7909dac698046e3adb61969d4f3925e1acb26289f84e7ff9a17931bfa0e789bf6fb1a
SHA1 hash: 4ca403030401fee6be2d9dbfb4d638e29f9ef19f
MD5 hash: 3eabedf278cd8dd76b23497dad959435
humanhash: fish-fruit-grey-burger
File name:GloryWSetp.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:189'952 bytes
First seen:2021-08-13 11:01:53 UTC
Last seen:2021-08-13 11:53:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 3072:URyxMedEB5tC80rnGbjuzl4kDBWE8Gy3LX2SqfbKLwaGzWWSHTie+CS01I641vyl:4ia/Rbi6NS+Lp
Threatray 1'084 similar samples on MalwareBazaar
TLSH T19C046A3902506FD4BF368BFC88B1A3CD0DA33FB6184995E7409532205DE8D9BB9B4E65
Reporter Anonymous
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RIG Exploit Kit.html
Verdict:
Malicious activity
Analysis date:
2021-08-13 10:38:04 UTC
Tags:
evasion trojan rat azorult stealer raccoon loader fareit pony
Link:
https://app.any.run/tasks/00192776-374f-477a-9c7d-17f4d5c58d3f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178960/
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.43.20814.25435.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Sending a UDP request
Creating a process from a recently created file
Creating a file
Connection attempt to an infection source
Creating a file in the %AppData% directory
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Deleting a recently created file
Reading critical registry keys
Creating a window
Using the Windows Management Instrumentation requests
Sending an HTTP POST request
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Launching a process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Sending an HTTP POST request to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mokes
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b031f196-40d0-478e-8fc9-18b59a1d1ec8
Result
Threat name:
RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832356
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Detected unpacking (changes PE section rights)
DNS related to crypt mining pools
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 464783 Sample: GloryWSetp.exe Startdate: 13/08/2021 Architecture: WINDOWS Score: 100 131 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->131 133 Malicious sample detected (through community Yara rule) 2->133 135 Antivirus detection for URL or domain 2->135 137 13 other signatures 2->137 9 GloryWSetp.exe 4 2->9         started        12 services64.exe 6 2->12         started        14 svchost.exe 2->14         started        17 4 other processes 2->17 process3 dnsIp4 79 C:\Users\user\AppData\Local\...\chrome3.exe, PE32+ 9->79 dropped 81 C:\Users\user\AppData\...behaviorgraphloryWSetp.exe, PE32 9->81 dropped 83 C:\Users\user\AppData\...behaviorgraphloryWSetp.exe.log, ASCII 9->83 dropped 19 GloryWSetp.exe 15 8 9->19         started        24 chrome3.exe 5 9->24         started        26 cmd.exe 12->26         started        28 sihost64.exe 12->28         started        123 127.0.0.1 unknown unknown 14->123 file5 process6 dnsIp7 113 iplogger.org 88.99.66.31, 443, 49702, 49703 HETZNER-ASDE Germany 19->113 115 music-sec.xyz 104.21.92.87, 49701, 80 CLOUDFLARENETUS United States 19->115 69 C:\Users\user\AppData\Roaming\6287093.exe, PE32 19->69 dropped 71 C:\Users\user\AppData\Roaming\4332694.exe, PE32 19->71 dropped 73 C:\Users\user\AppData\Roaming\3224668.exe, PE32 19->73 dropped 77 2 other malicious files 19->77 dropped 139 Detected unpacking (changes PE section rights) 19->139 141 May check the online IP address of the machine 19->141 143 Performs DNS queries to domains with low reputation 19->143 30 6287093.exe 19->30         started        34 4332694.exe 19->34         started        37 3224668.exe 19->37         started        39 1104701.exe 19->39         started        75 C:\Users\user\AppData\...\services64.exe, PE32+ 24->75 dropped 145 Multi AV Scanner detection for dropped file 24->145 147 Machine Learning detection for dropped file 24->147 41 services64.exe 14 5 24->41         started        43 cmd.exe 1 24->43         started        45 conhost.exe 26->45         started        47 schtasks.exe 26->47         started        file8 signatures9 process10 dnsIp11 85 C:\Users\user\AppData\...\WinHoster.exe, PE32 30->85 dropped 149 Detected unpacking (changes PE section rights) 30->149 49 WinHoster.exe 30->49         started        99 topstylesolutions.xyz 172.67.184.220, 443, 49721, 49724 CLOUDFLARENETUS United States 34->99 151 Performs DNS queries to domains with low reputation 34->151 153 Tries to harvest and steal browser information (history, passwords, etc) 34->153 101 all-brain-company.xyz 104.21.87.184, 443, 49706 CLOUDFLARENETUS United States 37->101 87 C:\ProgramData\57\vcruntime140.dll, PE32 37->87 dropped 89 C:\ProgramData\57\sqlite3.dll, PE32 37->89 dropped 91 C:\ProgramData\57\softokn3.dll, PE32 37->91 dropped 97 4 other files (none is malicious) 37->97 dropped 103 ceneimarck.xyz 194.169.160.30, 49722, 49732, 80 NETRACK-ASRU Russian Federation 39->103 105 sytareliar.xyz 212.224.105.106, 49717, 49723, 80 DE-FIRSTCOLOwwwfirst-colonetDE Germany 39->105 107 yabelesatg.xyz 212.224.105.79, 49720, 80 DE-FIRSTCOLOwwwfirst-colonetDE Germany 39->107 52 conhost.exe 39->52         started        109 sanctam.net 185.65.135.248, 49704, 58899 ESAB-ASSE Sweden 41->109 111 2 other IPs or domains 41->111 93 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 41->93 dropped 95 C:\Users\user\AppData\...\sihost64.exe, PE32+ 41->95 dropped 155 Injects code into the Windows Explorer (explorer.exe) 41->155 157 Writes to foreign memory regions 41->157 159 Allocates memory in foreign processes 41->159 163 3 other signatures 41->163 54 explorer.exe 41->54         started        57 cmd.exe 41->57         started        59 sihost64.exe 41->59         started        161 Uses schtasks.exe or at.exe to add and modify task schedules 43->161 61 conhost.exe 43->61         started        63 schtasks.exe 1 43->63         started        file12 signatures13 process14 dnsIp15 125 Detected unpacking (changes PE section rights) 49->125 117 xmr-eu2.nanopool.org 213.32.74.157, 14433, 49712 OVHFR France 54->117 119 xmr-eu1.nanopool.org 46.105.31.147, 14433, 49714 OVHFR France 54->119 121 pastebin.com 104.23.98.190, 443, 49713 CLOUDFLARENETUS United States 54->121 127 System process connects to network (likely due to code injection or exploit) 54->127 129 Query firmware table information (likely to detect VMs) 54->129 65 conhost.exe 57->65         started        67 schtasks.exe 57->67         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a526e9dae9298bbd03ca2a8fc8a45809eac1543bbec4680182493c551d65f731/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-12 12:43:05 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uutotwxjfgf32a6kfkh4rjcybhvmcvb3x3cgqamcje6fkhlf64yq._file
Verdict:
malicious
Similar samples:
075312ecbb4db40578c78ec9325d214e612cd19e89c9c43772a4e61219b6f1ff
CoinMiner
2340f7976585cd113520b33eb51c6b57e37c6bad2fba29a48b8c7e8e784a2491
CoinMiner
3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27
CoinMiner
908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
CoinMiner
9dbdfabbc99542e1c94b7a29eaf437b7fa4c898c4add1a677b126257ae54f94e
CoinMiner
a7b172d3fb0092b616e486d62a628e6fa09608d9e9a54773bc34fd37f2227a3e
CoinMiner
aaa3cda8d3f4bc7ff94a3e4f0fd37aced9d484b663bc15f198e6e25482f60443
CoinMiner
ef25bb229ec8ca7d7b2e3d4e23036b74bdc8b9154bb4c5b532e7ea2a0a7c8ee6
CoinMiner
+ 1'074 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/210813-c3frj3plhe/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
a526e9dae9298bbd03ca2a8fc8a45809eac1543bbec4680182493c551d65f731
MD5 hash:
3eabedf278cd8dd76b23497dad959435
SHA1 hash:
4ca403030401fee6be2d9dbfb4d638e29f9ef19f
Link:
https://www.unpac.me/results/6469556e-e01b-44c3-bc17-d3160cd4a241/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a526e9dae9298bbd03ca2a8fc8a45809eac1543bbec4680182493c551d65f731

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/178960/

Comments