MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3577a8531787f76d329800075a7d6e6033492e11a50ae8f1ce55bb6ad689f96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 11



SHA256 hash: c3577a8531787f76d329800075a7d6e6033492e11a50ae8f1ce55bb6ad689f96
SHA3-384 hash: e9fff215692e03a298bbc84cc357a9b635547e2b41a20f8b175c5544cb54e8168e59b84898ff43124d1958a7e530bd01
SHA1 hash: 9bf2f46a7221f6aa9048151c529d9acaf9e3f047
MD5 hash: 0e815a68d06cbab734c61ed9f3df7528
humanhash: comet-neptune-dakota-table
File name: 0e815a68d06cbab734c61ed9f3df7528.exe
Signature: CoinMiner
File size: 2'105'381 bytes
First seen: 2022-04-07 10:26:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7af3fcc58a6937bb6482ae42b5c5baab (1 x CoinMiner, 1 x RedLineStealer)
ssdeep: 49152:xHoOidch7dAZgpMBDtApq1cgqwCX7sUMvvmKsxaOONQWRgNajX3L5bLgZpuB:xH1R7dAZgpMBDtApq1cgqwCLsUMvvmKH
Threatray: 4'844 similar samples on MalwareBazaar
TLSH: T11EA5CF33D9AD81B1CC2126F19507069B6C2F99F871CFBDA2F30D1821D073A2D6497BA9
Reporter: abuse_ch
Tags: CoinMiner exe


abuse_ch
CoinMiner C2:
188.68.205.12:7053

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                   ThreatFox Reference
188.68.205.12:7053    https://threatfox.abuse.ch/ioc/516999/

Intelligence


File Origin
# of uploads: 1
# of downloads: 382
Origin country: n/a

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: 0e815a68d06cbab734c61ed9f3df7528.exe
Verdict: Malicious activity
Analysis date: 2022-04-07 10:48:55 UTC
Tags: evasion trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware overlay packed zusy

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: LoaderBot RedLine Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Crypto Mining Indicators
Sigma detected: Xmrig
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected LoaderBot
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: Behavior Graph ID 604774, Sample CxPaZttu0J.exe, Startdate 07/04/2022, Architecture WINDOWS, Score 100 (rendered process and network graph, not reproduced in this text view)
Threat name: Win32.Trojan.Tnega
Status: Malicious
First seen: 2022-04-04 21:35:20 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 21 of 42 (50.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Unpacked files

SHA256 hash: dd96dd3fb9a841267ba7fdd9c6ee960f5c705763d34d3744299f2a74e7fa24f5
MD5 hash: f7e0bc53f475f93c184b31409ca5539f
SHA1 hash: e60ba555b7f4d5dc28d57b474e0e0c7554da2552

SHA256 hash: 356e4e6ba72cd92750e00ca7ee0016e53eddf4674d833afff6a17dabdb62cccd
MD5 hash: dd98a38572264302a031491ab1609399
SHA1 hash: 1289dd899d70e5d7dbc370a05d1fe7b6fd853e62

SHA256 hash: c3577a8531787f76d329800075a7d6e6033492e11a50ae8f1ce55bb6ad689f96
MD5 hash: 0e815a68d06cbab734c61ed9f3df7528
SHA1 hash: 9bf2f46a7221f6aa9048151c529d9acaf9e3f047
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments