MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad1ad132f797904f3c28ee03171726fa380e4eabb0ce08b596807da7fefe64e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 13



SHA256 hash: ad1ad132f797904f3c28ee03171726fa380e4eabb0ce08b596807da7fefe64e2
SHA3-384 hash: 110cdc1914f462b1bc61826c9d403c462140f7193899082e432ab1d3154aed9c9cb1dd8fc3828263c7c8df8153d9bd55
SHA1 hash: c58bf2f049d6f3dd4bc626d3ffc937f13720e32b
MD5 hash: 3ac746ed378dcef916db643d7fe2674c
humanhash: venus-charlie-bacon-florida
File name: Setup.exe
Signature: CoinMiner
File size: 811'837 bytes
First seen: 2023-01-21 22:31:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4911d55129019d132ffed8928b2782b0 (1 x CoinMiner, 1 x ArkeiStealer)
ssdeep: 12288:zF7Uq/mzw3kP/Ajw4ZrLpCXiqTp6om8iOc5L4tIV:zF7x+6M/AjwMdkiqTp6oliOcT
Threatray: 1'667 similar samples on MalwareBazaar
TLSH: T134059F5F3912967BCDC6AF7773954EB3B95C19290588CF32BEC7291C92382C428B5632
TrID:
  33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: a8e0b697e6cadaf2 (1 x CoinMiner, 1 x LummaStealer, 1 x Vidar)
Reporter: Chainskilabs
Tags: CoinMiner exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 242
Origin country: DE
Vendor Threat Intelligence

Malware family:
ID: 1
File name: Setup.exe
Verdict: Malicious activity
Analysis date: 2023-01-21 22:29:42 UTC
Tags: trojan stealer vidar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a process from a recently created file
Changing a file
Creating a file in the %AppData% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Creating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed shelma
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Vidar, Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Drops executable to a common third party application directory
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potential dropper URLs found in powershell memory
Sample is not signed and drops a device driver
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: (graph image not reproduced in text; Behavior Graph ID: 789047, Sample: Setup.exe, Startdate: 21/01/2023, Architecture: WINDOWS, Score: 100)
Threat name: Win32.Trojan.Emotet
Status: Malicious
First seen: 2023-01-21 22:32:07 UTC
File Type: PE (Exe)
Extracted files: 18
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:vidar family:xmrig botnet:835 discovery evasion miner spyware stealer
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Vidar
xmrig
Malware Config
C2 Extraction:
https://t.me/jetbim
https://steamcommunity.com/profiles/76561199471266194
Unpacked files
SHA256 hash: c70d654d24d2435b7b7bdebaec045e182c0310c28100e99a2ab6a3f4aa83493b
MD5 hash: 7788ebab317b4c33474bd97ac646d73e
SHA1 hash: 421bac6a4edf64e60f9bceecc1f0d403ff85eb6f
SHA256 hash: ad1ad132f797904f3c28ee03171726fa380e4eabb0ce08b596807da7fefe64e2
MD5 hash: 3ac746ed378dcef916db643d7fe2674c
SHA1 hash: c58bf2f049d6f3dd4bc626d3ffc937f13720e32b
Please note that we are no longer able to provide a coverage score for Virus Total.
