MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc7889a9e4581fcd9c2c41d0e1b2e1a2009340989eba26c269153bdb6313c113. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments 1

SHA256 hash:	cc7889a9e4581fcd9c2c41d0e1b2e1a2009340989eba26c269153bdb6313c113
SHA3-384 hash:	366f881d29b2f2c37871462df0b83a930c0eea29b820b57ad81ceefd39e7aea5a9a3941409848c863f5ce6f314d49d82
SHA1 hash:	16cea83883f237deb31d31420dbba95515da8d7c
MD5 hash:	e6e789539c112e5a52826dc21a078de5
humanhash:	wyoming-delaware-minnesota-emma
File name:	e6e789539c112e5a52826dc21a078de5
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	3'644'208 bytes
First seen:	2022-01-26 15:03:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c284fa365c4442728ac859c0f9ed4dc5 (94 x RedLineStealer, 10 x RaccoonStealer, 8 x CoinMiner)
ssdeep	98304:YOPKH4FqmxX2z+R64jX3uDZ02BWt+L7Y0viV1us2NfiOyFKFv:JqmxXtR64r80Vtq8ZVuveKFv
Threatray	1'025 similar samples on MalwareBazaar
TLSH	T1DEF53369FC512668F61E6E3534808227AC7CDDCCBAB585F025A8E031D7E09E2DF94277
Reporter	zbetcheckin
Tags:	32 CoinMiner exe

Intelligence

File Origin

# of uploads :

# of downloads :

184

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e6e789539c112e5a52826dc21a078de5

Verdict:

Malicious activity

Analysis date:

2022-01-27 01:47:52 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/e623fd79-8587-46a9-bde5-c532425928ab

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/223405/

Detection(s):

PUA.Win.Packer.Asprotect-3

Win.Packed.Pwsx-9937513-0

Win.Packed.Pwsx-9937517-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

DNS request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/61f162ead73ca9d4648dd7c7/reports/4264f539-d354-4ec8-bea8-91636ca2f673/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3ff30172-01e6-459b-8cc1-76245ed5a82c

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/928020

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cc7889a9e4581fcd9c2c41d0e1b2e1a2009340989eba26c269153bdb6313c113/

Threat name:

Win32.Spyware.Convagent

Status:

Malicious

First seen:

2022-01-26 03:57:22 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 43 (67.44%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zr4itkpelap43hbmihiodmxbuiajgqeyt25cnqtjcu55wyytyejq._file

Verdict:

malicious

CoinMiner

3ecd5c3536415bb2abfc0c5854323340a7e049d83da7f5b7f6e3c4c4278ed68e

CoinMiner

422d172383682bb5d0d3118e5caf590bbf90e32a60657b478f28076f7d840535

CoinMiner

44e612077d6910fcd7524c6c87029aff62842eef075f0d6061cf4b84a677df30

CoinMiner

87b1b6c23161d93aed2729e2fce32dc577793341e4755cdeaac41f8c50b76a56

CoinMiner

a9eb984c9de2d2d061babaaec8c15a04895af2cc0653d044f7092ba73013da5b

CoinMiner

b4a3cafc8553c06b17131e6b3afb38971312a4d91ae3349d2d118bdfc3d8de94

CoinMiner

fde5ae51e9d386cb7a78da447c48101a50f543faffd5a9929451249bcce654c8

CoinMiner

+ 1'015 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/220126-sfljlsefh3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Unpacked files

SH256 hash:

bcc2159d28ff126fddd901c65edc31ec78993d82ff8675953ce7cfe5db6d3d7a

MD5 hash:

5168c298b1e8ee1fbb4346c75331e983

SHA1 hash:

d0001e028025b4a32df8d5ebe9ff8fc424f7bdcc

Link:

https://www.unpac.me/results/cbf69f6d-07bd-487f-8b5b-32d54b963010/

SH256 hash:

cc7889a9e4581fcd9c2c41d0e1b2e1a2009340989eba26c269153bdb6313c113

MD5 hash:

e6e789539c112e5a52826dc21a078de5

SHA1 hash:

16cea83883f237deb31d31420dbba95515da8d7c

Link:

https://www.unpac.me/results/cbf69f6d-07bd-487f-8b5b-32d54b963010/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/cc7889a9e458/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

CoinMiner

Score:

0.60

Link:

https://yomi.yoroi.company/submissions/cc7889a9e4581fcd9c2c41d0e1b2e1a2009340989eba26c269153bdb6313c113

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/