MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2e27f70d33fce7c036f221ce6b2249b63eb465b1c0abdfcbeea0f7585884448. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 8

Intelligence 8 IOCs YARA 6 File information Comments

SHA256 hash:	b2e27f70d33fce7c036f221ce6b2249b63eb465b1c0abdfcbeea0f7585884448
SHA3-384 hash:	f91c3643f3a064e3e8aa4b4b397c4435d5c9e47576fd4cf1b96d60201f3565bca0f0a4afd474257d6f974087056cb4e7
SHA1 hash:	714836c9f597cd6dadc298ed6b6d37ecbcc01d78
MD5 hash:	79f0563e8beba230c5d49f8eae0340fa
humanhash:	alabama-river-seven-dakota
File name:	79f0563e8beba230c5d49f8eae0340fa.exe
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	3'142'656 bytes
First seen:	2021-10-10 11:50:25 UTC
Last seen:	2021-10-10 13:01:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep	49152:QsiiklBiRfX9/GZDCBywJgqfbcuXgzKHpsIb0ssmTFJdAHT:H9YoR5UDwbHgY6Ibs
Threatray	7'146 similar samples on MalwareBazaar
TLSH	T1F5E5CF053D4FCA52CCAD09FCA83BD6A453577D40ACACE0B3F57A73AB1A307079666249
Reporter	abuse_ch
Tags:	CoinMiner exe

Intelligence

File Origin

# of uploads :

# of downloads :

261

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

615710_IDM-Crack-639-B.zip

Verdict:

Malicious activity

Analysis date:

2021-10-09 21:02:24 UTC

Tags:

trojan loader evasion rat redline stealer opendir vidar raccoon

Link:

https://app.any.run/tasks/13d4e750-c8dd-4743-b7c5-dc53e159683d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/196377/

Detection(s):

SecuriteInfo.com.Trojan.Siggen15.20509.15055.31196.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6162d3aa1c2d58ba74ff5e30/reports/5f4b75ed-0d05-415e-856b-3bcb6d0ed85a/overview

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b2e27f70d33fce7c036f221ce6b2249b63eb465b1c0abdfcbeea0f7585884448/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-10-10 01:49:35 UTC

AV detection:

20 of 27 (74.07%)

Threat level:

5/5

Verdict:

malicious

CoinMiner

0c73474ceb5c96ff4c0231b9d542d65c1d78b82de926bbfd4413d81684d78e58

CoinMiner

5d2140c3ab1944f381206aa8d5c3ae0e5c2dad60751d3a2f631b1b08a810baa2

CoinMiner

9136c982fe9d870f6199002d9509f242b4a5df661f81553fd9ecbc7389e924e4

CoinMiner

b94115f5638021ccf653c3de4c947632560d95d967d64b7b84860e813a8f692a

CoinMiner

c0aef5e5917abe6276cc6ee7225cc9f47115d1f95e1a5ec861fb0f42a8d4af18

CoinMiner

e022f21e50f96a61c49f398c2f8e9e34be36be5d2bdddaa391fec53d992091b5

CoinMiner

e371f0c9caa5fcc9a9698f9de2a40d815e22db19b37454781450633249b84dc4

CoinMiner

f5ad5f72cdd46c72b9272c1df0a4294a5bbf7ff8857b603147ab4478773124d3

CoinMiner

+ 7'136 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig discovery evasion miner spyware stealer themida trojan

Link:

https://tria.ge/reports/211010-nz6xfafge9/

Behaviour

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Checks BIOS information in registry

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

XMRig Miner Payload

xmrig

Malware Config

Dropper Extraction:

https://bitbucket.org/law228/law/downloads/bandit.exe
https://bitbucket.org/law228/law/downloads/monero-bandit.exe

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b2e27f70d33f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.74

Link:

https://yomi.yoroi.company/submissions/b2e27f70d33fce7c036f221ce6b2249b63eb465b1c0abdfcbeea0f7585884448

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)