MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be032b655d9a935fbca887adfc5e478085b7d64c96720c57da870c2d463ed881. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be032b655d9a935fbca887adfc5e478085b7d64c96720c57da870c2d463ed881
SHA3-384 hash: 2dbfee055a67fe168bcd45b07a179dfab3a03ac259011a2ca472920a641c644c718a735e5e03f230acea4632b4aa06cb
SHA1 hash: 3266d2f320b9fa50051570da99e7ed62046e2203
MD5 hash: 4554b2e507e6c89c9a7d51097f2f155f
humanhash: wisconsin-hawaii-blossom-high
File name:4554b2e507e6c89c9a7d51097f2f155f
Download: download sample
Signature CoinMiner
Create hunting rule
File size:340'480 bytes
First seen:2021-10-20 12:59:57 UTC
Last seen:2021-10-20 16:10:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6a88739b00d2f75a49bbb4078e077ebf (1 x CoinMiner, 1 x Smoke Loader, 1 x RaccoonStealer)
ssdeep 3072:NC7BSM9qPJ5nlqHBJR4RAHjxT0uRdDh/SQgnSpI/7C4YmIBPoeWUNSJ/Hf9ArjxE:NHUR/DiuFZudzCvvPSJ/HfmoIZ0AMz
Threatray 5'067 similar samples on MalwareBazaar
TLSH T126748C10AAA0C039F1F752F8597A93ACB93E7EA16B2590CF52D416EE47346E1EC31317
File icon (PE):PE icon
dhash icon aad8ac9cc6e68ee0 (12 x RedLineStealer, 6 x RaccoonStealer, 3 x Smoke Loader)
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/198843/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.5496.1814.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/617012d5db358dd15ec74add/reports/475a6f2d-ca99-4a27-a8a2-35902dd71c7f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/081db110-ef13-4025-98ca-a9a35dcba28b
Result
Threat name:
Amadey RedLine SmokeLoader Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/873903
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
DLL reload attack detected
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Amadey bot
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 506331 Sample: fxeAD9mymt Startdate: 20/10/2021 Architecture: WINDOWS Score: 100 88 za.sunstart.site 2->88 90 uytjh.draculaaaa.site 2->90 92 6 other IPs or domains 2->92 106 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->106 108 Multi AV Scanner detection for domain / URL 2->108 110 Antivirus detection for URL or domain 2->110 112 15 other signatures 2->112 11 fxeAD9mymt.exe 2->11         started        14 cviscva 2->14         started        16 dfzokgct.exe 2->16         started        18 5 other processes 2->18 signatures3 process4 signatures5 146 Detected unpacking (changes PE section rights) 11->146 20 fxeAD9mymt.exe 11->20         started        148 Machine Learning detection for dropped file 14->148 150 Contains functionality to inject code into remote processes 14->150 152 Injects a PE file into a foreign processes 14->152 23 cviscva 14->23         started        154 Detected unpacking (overwrites its own PE header) 16->154 156 Changes security center settings (notifications, updates, antivirus, firewall) 18->156 25 MpCmdRun.exe 1 18->25         started        process6 signatures7 138 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->138 140 Maps a DLL or memory area into another process 20->140 142 Checks if the current machine is a virtual machine (disk enumeration) 20->142 27 explorer.exe 10 20->27 injected 144 Creates a thread in another existing process (thread injection) 23->144 32 conhost.exe 25->32         started        process8 dnsIp9 100 37.1.195.84, 49813, 80 LEASEWEB-DE-FRA-10DE Ukraine 27->100 102 192.162.246.70, 49764, 80 DATACHEAP-LLC-ASRU Russian Federation 27->102 104 5 other IPs or domains 27->104 78 C:\Users\user\AppData\Roaming\jhiscva, PE32 27->78 dropped 80 C:\Users\user\AppData\Roaming\cviscva, PE32 27->80 dropped 82 C:\Users\user\AppData\Local\Temp74A.exe, PE32 27->82 dropped 84 10 other malicious files 27->84 dropped 158 System process connects to network (likely due to code injection or exploit) 27->158 160 Benign windows process drops PE files 27->160 162 Deletes itself after installation 27->162 164 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->164 34 9D58.exe 1 27->34         started        38 B6CD.exe 27->38         started        41 87DB.exe 3 27->41         started        43 2 other processes 27->43 file10 signatures11 process12 dnsIp13 66 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 34->66 dropped 114 DLL reload attack detected 34->114 116 Detected unpacking (changes PE section rights) 34->116 118 Machine Learning detection for dropped file 34->118 136 5 other signatures 34->136 94 mas.to 88.99.75.82, 443, 49829, 49856 HETZNER-ASDE Germany 38->94 96 65.108.80.190, 49832, 49857, 80 ALABANZA-BALTUS United States 38->96 68 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 38->68 dropped 70 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 38->70 dropped 72 C:\Users\user\AppData\...\freebl3[1].dll, PE32 38->72 dropped 76 9 other files (none is malicious) 38->76 dropped 120 Detected unpacking (overwrites its own PE header) 38->120 122 Tries to harvest and steal browser information (history, passwords, etc) 38->122 124 Tries to steal Crypto Currency Wallets 38->124 98 93.115.20.139, 28978, 49847 MVPShttpswwwmvpsnetEU Romania 41->98 126 Query firmware table information (likely to detect VMs) 41->126 128 Tries to detect sandboxes and other dynamic analysis tools (window names) 41->128 130 Hides threads from debuggers 41->130 132 Tries to detect sandboxes / dynamic malware analysis system (registry check) 41->132 45 conhost.exe 41->45         started        74 C:\Users\user\AppData\Local\...\dfzokgct.exe, PE32 43->74 dropped 134 Injects a PE file into a foreign processes 43->134 47 cmd.exe 1 43->47         started        50 cmd.exe 2 43->50         started        52 sc.exe 1 43->52         started        54 3 other processes 43->54 file14 signatures15 process16 file17 86 C:\Windows\SysWOW64\...\dfzokgct.exe (copy), PE32 47->86 dropped 56 conhost.exe 47->56         started        58 conhost.exe 50->58         started        60 conhost.exe 52->60         started        62 conhost.exe 54->62         started        64 conhost.exe 54->64         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be032b655d9a935fbca887adfc5e478085b7d64c96720c57da870c2d463ed881/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-10-20 13:00:07 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xybswzk5tkjv7pfiq6w7yxshqcc3pvsmszzayv62q4gc2rr63caq._file
Verdict:
malicious
Similar samples:
1561d6849d0b3394ab23968ba921e3c9af313ecf90cf2911b64889536c080dd4
CoinMiner
49ad4fd1bd40286214edaee6edfa7ce8915b6bbd39758a4a93175f48626a478b
CoinMiner
6ce593e9aa59ebf1c4e6763b626669a4d24a32dc1183b85c6586c8d949a9e024
CoinMiner
90618d3aa5146d27b46476a4c7bfcc2e5323b74dcbcf2c0af6b4f00c4c2d9297
CoinMiner
c37feba7ad29a50f566e779edd2c5514edcbd6e87909ca4d8e6d1f9727362d94
CoinMiner
ebe82a7d2f2f9989a5e4ef6a4602a8224abdff7aef5baa6beacb5977c02ac3e0
CoinMiner
f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e
CoinMiner
ff9460e1f512fe522007f82dcec1da7a6186106f4b2833c51de5d873b8986dd4
CoinMiner
+ 5'057 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:raccoon family:redline family:smokeloader family:tofsee family:vidar family:xmrig botnet:1029 botnet:706 botnet:7ebf9b416b72a203df65383eec899dc689d2c3d7 botnet:install backdoor discovery evasion infostealer miner persistence spyware stealer themida trojan vmprotect
Link:
https://tria.ge/reports/211020-p8nb5ahag4/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
XMRig Miner Payload
Amadey
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Tofsee
Vidar
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://gejajoo7.top/
http://sysaheu9.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
quadoil.ru
lakeflex.ru
https://mas.to/@xeroxxx
176.9.244.86:23637
185.215.113.45/g4MbvE/index.php
Unpacked files
SH256 hash:
097906bdec7fecaf49605e0c5fb1386352f41def3e81499cb73c72628662426e
MD5 hash:
e227480c64c0fcf5ec29f2747c84d2b8
SHA1 hash:
28a8e6758353d14f9d3fd69a0057ee43b27661c2
Link:
https://www.unpac.me/results/2719ffc5-662e-4888-9ba3-16f51bcded3b/
SH256 hash:
be032b655d9a935fbca887adfc5e478085b7d64c96720c57da870c2d463ed881
MD5 hash:
4554b2e507e6c89c9a7d51097f2f155f
SHA1 hash:
3266d2f320b9fa50051570da99e7ed62046e2203
Link:
https://www.unpac.me/results/2719ffc5-662e-4888-9ba3-16f51bcded3b/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/be032b655d9a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be032b655d9a935fbca887adfc5e478085b7d64c96720c57da870c2d463ed881

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe be032b655d9a935fbca887adfc5e478085b7d64c96720c57da870c2d463ed881

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/198843/
  
URLhaus
https://urlhaus.abuse.ch/url/1699497/

Comments


Avatar
zbet commented on 2021-10-20 12:59:58 UTC

url : hxxp://privacytoolzforyou-5000.top/downloads/toolspab2.exe