MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5da2c2da168c53897eb7580f0af6e0988e5c801ed766d7a7450e97b9b000ff4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 11



SHA256 hash: a5da2c2da168c53897eb7580f0af6e0988e5c801ed766d7a7450e97b9b000ff4
SHA3-384 hash: bcd86020498b9857e8cba607994a74c4d2e82b00b6b59a855e4a3466e3d43eba5c9fb2590800e3788c9d8338d947efb7
SHA1 hash: e65ce924cc391e97b54e5004c284da6dfb1c582f
MD5 hash: d3a2f88493e027bd046fc7e848520b85
humanhash: florida-pluto-cola-summer
File name: d3a2f88493e027bd046fc7e848520b85
Signature: CoinMiner
File size: 3'591'680 bytes
First seen: 2022-01-20 12:29:55 UTC
Last seen: 2022-01-20 14:51:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c284fa365c4442728ac859c0f9ed4dc5 (94 x RedLineStealer, 10 x RaccoonStealer, 8 x CoinMiner)
ssdeep: 98304:JuL4sBIrcnajzfqMFXOOfaYHNJr/Wuw50e:K4+IIUfRFxi2NtWu40e
TLSH: T17EF533E1B7846B12D25CC3FF31820219EB59D7D827046AF6F3940703E9939BA86562DF
Reporter: zbetcheckin
Tags: 32 CoinMiner exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 234
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Searching for the window
Creating synchronization primitives
DNS request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Running batch commands
Stealing user critical data
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: RedLine Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: ID 556799, sample bw7D4IigL8, start date 20/01/2022, architecture WINDOWS, score 100 (the rendered process graph is not reproduced here; its signatures are listed under Signature above)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-01-20 12:30:24 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 20 of 27 (74.07%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Unpacked files
SHA256 hash: 56013b77a3c8629afafde0fd34b4f2c5ca0742a74d7b215fd2ffabb1f3cc01e1
MD5 hash: ca5eca963de3304e5fcbf8115b5f890f
SHA1 hash: 8dadb4f1612b2a3edc61a35c7dc43ad2e352984a

SHA256 hash: a5da2c2da168c53897eb7580f0af6e0988e5c801ed766d7a7450e97b9b000ff4
MD5 hash: d3a2f88493e027bd046fc7e848520b85
SHA1 hash: e65ce924cc391e97b54e5004c284da6dfb1c582f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: CoinMiner, Executable exe a5da2c2da168c53897eb7580f0af6e0988e5c801ed766d7a7450e97b9b000ff4 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-01-20 12:29:57 UTC

url : hxxp://coin-coin-file-9.com/files/9480_1642528431_5996.exe