MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca0bee4a47a24d23335eebc6cec62220d1ac2009443c455cd77d0ff0b9f8cbae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca0bee4a47a24d23335eebc6cec62220d1ac2009443c455cd77d0ff0b9f8cbae
SHA3-384 hash: 2b68d53afa49afb6cecdaa1dd897e03b373392a9e9f00d44f7491d75593ba6effb6c4239bf1b2e69034c3ad284ea98bf
SHA1 hash: 91d761cce10dea06acb576ef2be7ed655563d20b
MD5 hash: 1e57ca4d726e10652381a695ee136694
humanhash: video-florida-double-kilo
File name:1e57ca4d726e10652381a695ee136694
Download: download sample
Signature CoinMiner
Create hunting rule
File size:294'760 bytes
First seen:2023-09-29 11:17:30 UTC
Last seen:2023-09-29 11:47:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 6144:xEhR4AXofIUgUXdV45LKHD947M+0abu3QWXdDbJFE5sU+V:x4R4A4fI6jM0AIDEOUA
TLSH T1DB54012575FC8DE3EDA3CAF4BA94EC5285F3930E2B07D8A55C8D42C138395827A63D19
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter zbetcheckin
Tags:32 CoinMiner exe signed

Code Signing Certificate

Organisation:gofile Inc
Issuer:gofile Inc
Algorithm:sha256WithRSAEncryption
Valid from:2023-09-29T00:43:06Z
Valid to:2024-09-29T00:43:06Z
Serial number: c3b18262b701d6ce097bdd4f1904e9a5
Thumbprint Algorithm:SHA256
Thumbprint: db7befde828da071fdbe2a50c77f782546f0a9b456df5bc369abd50e716ebc98
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
283
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://umutsoydinc.com/wp-admin/network/zip.7z
Verdict:
Malicious activity
Analysis date:
2023-09-29 16:36:56 UTC
Tags:
privateloader opendir evasion loader risepro stealer redline stealc tofsee botnet smoke amadey trojan ransomware stop gcleaner miner onlylogger fabookie g0njxa
Link:
https://app.any.run/tasks/b34a6bb5-895f-4166-8b50-bd0df09b9607

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/451888/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.14571.29854.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a process from a recently created file
Blocking the User Account Control
Query of malicious DNS domain
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6516b26c4a9bd894f599a9aa/reports/c54ea879-85be-4e8b-8b11-4199c996088a/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/ca0bee4a47a24d23335eebc6cec62220d1ac2009443c455cd77d0ff0b9f8cbae
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/691944dc-e0e4-44d4-86d2-da84be247c6d
Result
Threat name:
Amadey, Fabookie, RedLine
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316395
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops script or batch files to the startup folder
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1316395 Sample: vfXIX65NT5.exe Startdate: 29/09/2023 Architecture: WINDOWS Score: 100 176 Multi AV Scanner detection for domain / URL 2->176 178 Found malware configuration 2->178 180 Malicious sample detected (through community Yara rule) 2->180 182 19 other signatures 2->182 12 vfXIX65NT5.exe 2 4 2->12         started        15 powershell.exe 2->15         started        17 DigitalPulseUpdate.exe 2->17         started        process3 dnsIp4 198 Writes to foreign memory regions 12->198 200 Allocates memory in foreign processes 12->200 202 Adds a directory exclusion to Windows Defender 12->202 204 2 other signatures 12->204 20 InstallUtil.exe 15 198 12->20         started        25 powershell.exe 21 12->25         started        27 conhost.exe 15->27         started        148 3.98.215.151 AMAZON-02US United States 17->148 150 35.182.67.195 AMAZON-02US United States 17->150 signatures5 process6 dnsIp7 152 85.217.144.143 WS171-ASRU Bulgaria 20->152 154 50.6.138.20 UNIFIEDLAYER-AS-1US United States 20->154 156 28 other IPs or domains 20->156 102 C:\Users\...\yQIEDvV2buh67ltQe14Bvztt.exe, PE32 20->102 dropped 104 C:\Users\...\yF8Ia0ZGIDKMCGWjlwcOrqN8.exe, PE32 20->104 dropped 106 C:\Users\...\wqWi7sUkI1LTlSKWUGeJnDYe.exe, PE32 20->106 dropped 108 173 other malicious files 20->108 dropped 184 Drops script or batch files to the startup folder 20->184 186 Writes many files with high entropy 20->186 29 GJS1tzDrBSsfDuWJNqz1ur9b.exe 20->29         started        34 Cx2qRuxgxsKpuu0tmzsnMQwF.exe 20->34         started        36 vKjj01oHatd6YKqCyPWRPlH7.exe 20->36         started        40 10 other processes 20->40 38 conhost.exe 25->38         started        file8 signatures9 process10 dnsIp11 164 87.240.129.133 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 29->164 166 95.142.206.0 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 29->166 172 15 other IPs or domains 29->172 130 C:\Users\...\zcoh1lS3SqtUBCceqeUr4Eq6.exe, PE32 29->130 dropped 132 C:\Users\...\v72gd_qhHcCVREj1Y1XgNlFY.exe, PE32 29->132 dropped 134 C:\Users\...\oDm9tpmz6apsLVGejIbkN5M9.exe, PE32 29->134 dropped 142 23 other malicious files 29->142 dropped 216 Query firmware table information (likely to detect VMs) 29->216 218 Tries to detect sandboxes and other dynamic analysis tools (window names) 29->218 220 Creates HTML files with .exe extension (expired dropper behavior) 29->220 234 6 other signatures 29->234 136 C:\Users\user\AppData\Local\...\nhdues.exe, PE32 34->136 dropped 222 Contains functionality to inject code into remote processes 34->222 42 nhdues.exe 34->42         started        144 2 other malicious files 36->144 dropped 224 Writes many files with high entropy 36->224 47 Install.exe 36->47         started        168 107.167.110.217 OPERASOFTWAREUS United States 40->168 170 107.167.125.189 OPERASOFTWAREUS United States 40->170 174 16 other IPs or domains 40->174 138 C:\Users\user\Pictures\360TS_Setup.exe.P2P, PE32 40->138 dropped 140 C:\Users\user\AppData\Local\...\360P2SP.dll, PE32 40->140 dropped 146 8 other malicious files 40->146 dropped 226 Contains functionality to steal Chrome passwords or cookies 40->226 228 Tries to harvest and steal browser information (history, passwords, etc) 40->228 230 Modifies the hosts file 40->230 232 Adds a directory exclusion to Windows Defender 40->232 49 cEfKiApzWeNgF2sXgEb4gaLA.tmp 40->49         started        file12 signatures13 process14 dnsIp15 162 193.42.32.29 EENET-ASEE Germany 42->162 110 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 42->110 dropped 112 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 42->112 dropped 114 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32+ 42->114 dropped 116 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 42->116 dropped 206 Multi AV Scanner detection for dropped file 42->206 208 Creates an undocumented autostart registry key 42->208 210 Uses schtasks.exe or at.exe to add and modify task schedules 42->210 51 rundll32.exe 42->51         started        53 cmd.exe 42->53         started        55 schtasks.exe 42->55         started        57 rundll32.exe 42->57         started        118 C:\Users\user\AppData\Local\...\Install.exe, PE32 47->118 dropped 59 Install.exe 47->59         started        120 C:\Users\user\AppData\...\unins000.exe (copy), PE32 49->120 dropped 122 C:\Users\user\AppData\...\is-V5C8F.tmp, PE32 49->122 dropped 124 C:\Users\user\AppData\...\is-NHBA7.tmp, PE32+ 49->124 dropped 126 4 other files (3 malicious) 49->126 dropped 63 _setup64.tmp 49->63         started        65 schtasks.exe 49->65         started        67 schtasks.exe 49->67         started        69 DigitalPulseService.exe 49->69         started        file16 signatures17 process18 dnsIp19 72 rundll32.exe 51->72         started        76 conhost.exe 53->76         started        90 6 other processes 53->90 78 conhost.exe 55->78         started        128 C:\Users\user\AppData\Local\...\xSUgkJm.exe, PE32 59->128 dropped 212 Modifies Windows Defender protection settings 59->212 214 Adds extensions / path to Windows Defender exclusion list 59->214 80 forfiles.exe 59->80         started        82 forfiles.exe 59->82         started        84 conhost.exe 63->84         started        86 conhost.exe 65->86         started        88 conhost.exe 67->88         started        158 3.98.219.138 AMAZON-02US United States 69->158 file20 signatures21 process22 dnsIp23 160 109.206.241.33 AWMLTNL Germany 72->160 188 System process connects to network (likely due to code injection or exploit) 72->188 190 Tries to steal Instant Messenger accounts or passwords 72->190 192 Tries to harvest and steal ftp login credentials 72->192 194 Tries to harvest and steal browser information (history, passwords, etc) 72->194 92 tar.exe 72->92         started        196 Adds extensions / path to Windows Defender exclusion list 80->196 94 conhost.exe 80->94         started        96 cmd.exe 80->96         started        98 conhost.exe 82->98         started        signatures24 process25 process26 100 conhost.exe 92->100         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca0bee4a47a24d23335eebc6cec62220d1ac2009443c455cd77d0ff0b9f8cbae/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-09-29 04:26:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
10 of 36 (27.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zif64sshujgsgm265pdm5rrcedi2yiajiq6ekxgxpuh7bopyzoxa._file
Verdict:
malicious
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:fabookie family:glupteba family:privateloader family:smokeloader family:xmrig botnet:pub1 backdoor dropper evasion loader miner spyware stealer themida trojan upx
Link:
https://tria.ge/reports/230929-nd9q7shh3w/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Launches sc.exe
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Themida packer
UPX packed file
Windows security modification
Downloads MZ/PE file
Stops running service(s)
XMRig Miner payload
Amadey
Detect Fabookie payload
Fabookie
Glupteba
Glupteba payload
PrivateLoader
SmokeLoader
UAC bypass
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://193.42.32.29/9bDc8sQ/index.php
http://app.nnnaajjjgc.com/check/safe
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
2c8761090992b4275b41e5c87a2eba9c9b94434ce55fd01815b0f2f24efd9e11
MD5 hash:
32fd2435be9da35c020476f37c679029
SHA1 hash:
95be11403e78fbe6073d274d2f27e88e2f811198
Link:
https://www.unpac.me/results/cf56e184-51e5-4b9e-bb93-618610a480fc/
SH256 hash:
ca0bee4a47a24d23335eebc6cec62220d1ac2009443c455cd77d0ff0b9f8cbae
MD5 hash:
1e57ca4d726e10652381a695ee136694
SHA1 hash:
91d761cce10dea06acb576ef2be7ed655563d20b
Link:
https://www.unpac.me/results/cf56e184-51e5-4b9e-bb93-618610a480fc/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ca0bee4a47a2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ca0bee4a47a24d23335eebc6cec62220d1ac2009443c455cd77d0ff0b9f8cbae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe ca0bee4a47a24d23335eebc6cec62220d1ac2009443c455cd77d0ff0b9f8cbae

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2713195/
Cape
Cape
https://www.capesandbox.com/analysis/451888/
  
URLhaus
https://urlhaus.abuse.ch/url/2715114/

Comments


Avatar
zbet commented on 2023-09-29 11:17:31 UTC

url : hxxp://193.42.32.101/files/UMM.exe