MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2051ed80860178c791220b7ab760d038e03091e4c02395a92eed4aea3872ae7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 14

Intelligence 14 IOCs YARA 10 File information Comments

SHA256 hash:	c2051ed80860178c791220b7ab760d038e03091e4c02395a92eed4aea3872ae7
SHA3-384 hash:	8ad24f287044e99467a801d423365a5989028d865fc0f032a0dfc56c8bc59bf1a4c59143686d91e533c26a56dc1acc9e
SHA1 hash:	d98c5f05ee6b070fdabad179c2da15b9c4fcc2a8
MD5 hash:	98ded35046e38e4b7044323390c57f64
humanhash:	west-dakota-quiet-violet
File name:	98ded35046e38e4b7044323390c57f64.exe
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	5'558'272 bytes
First seen:	2023-02-11 01:00:38 UTC
Last seen:	2023-02-11 02:29:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5fa851b72617ba71c133d33cdfe7c388 (1 x CoinMiner)
ssdeep	98304:HDuckjyhM3p/g5/XJfy7pheIYmYR9roAGMHvPVEeUqO:HDcjyhM25wOIYfzGutEeUqO
Threatray	171 similar samples on MalwareBazaar
TLSH	T172460136A7CDCC68E4401C3CD78199F693527C68EE8B0AE77BC1BE19B5399E41852BC4
TrID	52.9% (.EXE) Win32 Executable (generic) (4505/5/1) 23.5% (.EXE) Generic Win/DOS Executable (2002/3) 23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	b694e9e8d888e48c (1 x CoinMiner)
Reporter	abuse_ch
Tags:	CoinMiner exe

abuse_ch

CoinMiner C2:
193.233.20.12:4132

Intelligence

File Origin

# of uploads :

# of downloads :

260

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

98ded35046e38e4b7044323390c57f64.exe

Verdict:

Malicious activity

Analysis date:

2023-02-11 01:01:32 UTC

Tags:

evasion opendir loader stealer trojan rat redline tofsee gcleaner

Link:

https://app.any.run/tasks/e0870236-e501-4238-9789-1cec11826da1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/363646/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.65403578.10524.16872.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the Windows subdirectories

Сreating synchronization primitives

Modifying a system file

Replacing files

DNS request

Sending a custom TCP request

Launching a service

Launching a process

Sending an HTTP GET request

Reading critical registry keys

Creating a file

Sending a UDP request

Connecting to a non-recommended domain

Forced system process termination

Searching for synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Blocking the Windows Defender launch

Query of malicious DNS domain

Adding exclusions to Windows Defender

Sending an HTTP GET request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo packed shell32.dll

Link:

https://www.filescan.io/uploads/63e6e8d0459bcf460400a5f0/reports/9aa16922-569a-46df-a444-cf8b10c8d797/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/c2051ed80860178c791220b7ab760d038e03091e4c02395a92eed4aea3872ae7

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Tofsee

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6f8f7823-fc51-484a-bc50-8a2d8a91a976

Result

Threat name:

PrivateLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1171644

Signature

Antivirus detection for dropped file

Antivirus detection for URL or domain

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (changes PE section rights)

Detected VMProtect packer

Disable Windows Defender real time protection (registry)

Disables Windows Defender (deletes autostart)

Downloads files with wrong headers with respect to MIME Content-Type

Found C&C like URL pattern

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Modifies Group Policy settings

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected PrivateLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c2051ed80860178c791220b7ab760d038e03091e4c02395a92eed4aea3872ae7/

Threat name:

Win32.Trojan.PrivateLoader

Status:

Malicious

First seen:

2023-02-07 19:26:11 UTC

File Type:

PE (Exe)

Extracted files:

229

AV detection:

19 of 39 (48.72%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yicr5waimalyy6isec32w5qnaohagci6jqbdswus53kk5i4hfltq._file

Verdict:

malicious

CoinMiner

2556187741452011a3b2a39cb9c8543e308f6d3d72fa7f5cc1112477551cce4d

CoinMiner

39c748040f01c934c73c23f4612cb33a0846219d8dd7ba3e0adbbc9d047027e4

CoinMiner

3f7646cd60e5f51c13eb35ef9f00d10c66fc309b486498a1978cccc2405d3373

CoinMiner

6fb65aaabd2d911fb31722cbd1d41399ded20e0e1dfef8907b7c9317727d398f

CoinMiner

d677f86403915b15ab62b1278cc7e6a8f2a98de2ba6a84ee67e06c1ffd696bc1

CoinMiner

dd6591db098a249805d23dea1f8c3bb79e2cb9a40a27cfaffaaf7b81042af622

CoinMiner

f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c

CoinMiner

+ 161 additional samples on MalwareBazaar

Result

Malware family:

privateloader

Score:

10/10

Tags:

family:privateloader loader spyware stealer

Link:

https://tria.ge/reports/230211-bc75rsgb4w/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Drops file in System32 directory

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

PrivateLoader

Unpacked files

SH256 hash:

c2051ed80860178c791220b7ab760d038e03091e4c02395a92eed4aea3872ae7

MD5 hash:

98ded35046e38e4b7044323390c57f64

SHA1 hash:

d98c5f05ee6b070fdabad179c2da15b9c4fcc2a8

Link:

https://www.unpac.me/results/70d55b01-310e-44b7-abe2-8688415bf2ed/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c2051ed80860/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c2051ed80860178c791220b7ab760d038e03091e4c02395a92eed4aea3872ae7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_MPress Create hunting rule
Author:	ditekSHen
Description:	Detects executables built or packed with MPress PE compressor

Rule name:	MALWARE_Win_DLInjector06 Create hunting rule
Author:	ditekSHen
Description:	Detects downloader / injector

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	privateloader Create hunting rule
Author:	andretavare5
Description:	PrivateLoader pay-per-install malware

Rule name:	Privateloader_Main_Component Create hunting rule
Description:	Detects PrivateLoader Main Component

Rule name:	TeslaCryptPackedMalware Create hunting rule

Rule name:	Windows_Trojan_PrivateLoader_96ac2734 Create hunting rule
Author:	Elastic Security

Rule name:	win_privateloader Create hunting rule

Rule name:	win_privateloader_w0 Create hunting rule
Author:	andretavare5
Reference:	https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/363646/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample