MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc005ad9ad8411fda8398597954ce4f4210c978367f996e05ce01bba2833986c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 13



SHA256 hash: cc005ad9ad8411fda8398597954ce4f4210c978367f996e05ce01bba2833986c
SHA3-384 hash: 56d6487cf3b00513a9f16dda136690aee46e1fe012fbe8f66e84e71d678f588e3d1ae0c8be5145408a132d098598fafb
SHA1 hash: 37a18d20313a05c987e9c2081994c6365c17624d
MD5 hash: fef580216c9fc6f662f11ad6c8dbd7eb
humanhash: mike-florida-speaker-west
File name: install.exe
Signature: CoinMiner
File size: 364'032 bytes
First seen: 2021-10-14 21:09:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7e6d410cb0ee9d4d9be8ad4e6fd75b64 (9 x RedLineStealer, 1 x CoinMiner)
ssdeep: 6144:2AbAYfbpFzgLgESONKgTOrHfziqAOz/sqIMxDEx:2EAYfbpFzgLbSXNqM6
Threatray: 100 similar samples on MalwareBazaar
TLSH: T1B274BD1175A7CC76D47610358A78EAB90ABE68300B2F49EBF390567E8EB03C15533E97
Reporter: Anonymous
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 376
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: install.exe
Verdict: Malicious activity
Analysis date: 2021-10-14 21:07:48 UTC
Tags: trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Verdict:
Malicious
Result
Threat name:
RedLine Xmrig
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Defender Exclusion
Sigma detected: Xmrig
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [graph rendering; Behavior Graph ID: 503217, Sample: install.exe, Startdate: 14/10/2021, Architecture: WINDOWS, Score: 100]
Threat name:
Win32.Trojan.Razy
Status:
Malicious
First seen:
2021-10-14 11:31:19 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:redline family:xmrig botnet:@noilase infostealer miner spyware
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
RedLine
RedLine Payload
xmrig
Malware Config
C2 Extraction:
92.119.113.189:21746
Unpacked files
SHA256 hash:
cf4bdbeb5d32fd1cece23ca2f2be94b06b204e940a319671b5a349c40c468e7f
MD5 hash:
078ea041e12b0a7c37bbc694a0341ff8
SHA1 hash:
8dff96c866e7a29f243642edbc588c234609a738
SHA256 hash:
cc005ad9ad8411fda8398597954ce4f4210c978367f996e05ce01bba2833986c
MD5 hash:
fef580216c9fc6f662f11ad6c8dbd7eb
SHA1 hash:
37a18d20313a05c987e9c2081994c6365c17624d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Rule name:redline_stealer
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: Executable exe
SHA256: cc005ad9ad8411fda8398597954ce4f4210c978367f996e05ce01bba2833986c (this sample)

Comments