MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7bd8900ecae8ea0a3a4ebee38692c1ebdd89642fae0830e45827672801ce32d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 10



SHA256 hash: c7bd8900ecae8ea0a3a4ebee38692c1ebdd89642fae0830e45827672801ce32d
SHA3-384 hash: 2ba63cce71ebc85afdb3b2a583fd2f9d536f166083cab94a0e88dfbda02edc51a1071823810632f0ceae4269a5c9ce20
SHA1 hash: 3d2a9ce2271a73c34613da0bc2562db14e678c31
MD5 hash: ae8e572f597fef67ca43ddeb8f9118a4
humanhash: november-idaho-chicken-monkey
File name: ae8e572f597fef67ca43ddeb8f9118a4.exe
Download: download sample
Signature: CoinMiner
File size: 625'136 bytes
First seen: 2022-08-18 20:25:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6096dd6ea1e48bdf90acec78e58f9547 (2 x RecordBreaker, 1 x CoinMiner)
ssdeep: 12288:C6c16Ji6i3Cjg+29KeZhAn0bZs831oT0V9wr3EdrHCeDlu8wxqesPoFaGZV:lc16g6i3CjgPg631ooV9wrMdD9PoFfV
TLSH: T1A6D49D1134C1C032D67334324AA9E6B55ABEB4711F2246EFA3D8167E5F349E16F3262B
TrID:
  32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
  6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: abuse_ch
Tags: CoinMiner exe


abuse_ch
CoinMiner C2:
http://46.3.199.52/1secure/Wordpress/50bigload0/7javascriptPython/Pipe/Apidefaultexternalmariadb/Multipipe/Php3Tracklocal/linevoiddb/1_7/Central/9Publicdle/Protonupdate/temp/Privatebaselongpoll/Vm9/Better/Proton/LowGeoTestcdn.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://46.3.199.52/1secure/Wordpress/50bigload0/7javascriptPython/Pipe/Apidefaultexternalmariadb/Multipipe/Php3Tracklocal/linevoiddb/1_7/Central/9Publicdle/Protonupdate/temp/Privatebaselongpoll/Vm9/Better/Proton/LowGeoTestcdn.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/844003/

Intelligence

File Origin
# of uploads: 1
# of downloads: 446
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ae8e572f597fef67ca43ddeb8f9118a4.exe
Verdict: No threats detected
Analysis date: 2022-08-18 20:27:57 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour:
Searching for the window

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour:
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware overlay packed
Result
Verdict: MALICIOUS
Details:
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Phoenix Stealer, RedLine, SmokeLoader
Detection: malicious
Classification: evad.troj.spyw
Score: 100 / 100
Signatures:
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Phoenix Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour:
Behavior Graph:
[Behavior graph ID 686556; sample 4fkCS2In3P.exe, start date 18/08/2022, architecture WINDOWS, score 100. The graph covers the process chain 4fkCS2In3P.exe -> AppLaunch.exe -> explorer.exe (injected) -> dropped payloads (96FB.exe, A573.exe, C9B.exe, Update.exe, whfbtjb), plus WerFault.exe, RegSvcs.exe and conhost.exe child processes, and the contacted hosts installslab291nsqioe4af.xyz (185.106.93.23), belladama.fr (207.174.214.200) and api.ip.sb.]
Threat name: Win32.Spyware.RedLine
Status: Malicious
First seen: 2022-08-16 02:32:53 UTC
File Type: PE (Exe)
AV detection: 16 of 26 (61.54%)
Threat level: 2/5
Verdict: malicious

Result
Malware family: n/a
Score: 1/10
Tags: n/a

Unpacked files
SHA256 hash: 166d565c2ecd4b881eea796fd9d88f736ba66c4b2dfdc6a36957604747a2e979
MD5 hash: e0161a1328a28465f46a84fc583dfae8
SHA1 hash: f3da970959dc25df1829b6156eb753ac7a229718
Detections: win_smokeloader_a2

SHA256 hash: c7bd8900ecae8ea0a3a4ebee38692c1ebdd89642fae0830e45827672801ce32d
MD5 hash: ae8e572f597fef67ca43ddeb8f9118a4
SHA1 hash: 3d2a9ce2271a73c34613da0bc2562db14e678c31

Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BAZT_B5_NOCEXInvalidStream

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: NETDIC208_NOCEX_NOREACTOR

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments