MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf9d82a4d67beb905befac24665ccb76ac0bc9de390e335ab393072c5c37d281. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf9d82a4d67beb905befac24665ccb76ac0bc9de390e335ab393072c5c37d281
SHA3-384 hash: e93778bda73774cd48222bf7e016709c8822c302ad9657a486ec1a7d961768de75e29784b8f7006c9ef263f6389a9879
SHA1 hash: c2ae1893ec2398718f6584ffea09186ccf6a8a37
MD5 hash: 965514665932fee91f048e3c6e462d37
humanhash: ohio-robin-video-diet
File name:33114353.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'483'776 bytes
First seen:2022-03-21 06:25:09 UTC
Last seen:2022-03-21 08:06:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 24576:m5JFQjXDpaRltXk+xTX3Ds/Dc/h/G6Z5/hqpvRiOfvJmW+JG0wQkEaHNYK3PzCov:8JFQjXD2H7TDsbmxFthivIOfvR+Y0wQy
Threatray 1'884 similar samples on MalwareBazaar
TLSH T147653311B744EBFAFE8F07B5C674386192EA649396D4B99FBC516F002BD442E7E08213
Reporter adm1n_usa32
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/253253/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Using the Windows Management Instrumentation requests
Creating a window
Sending a custom TCP request
Reading critical registry keys
Сreating synchronization primitives
Creating a file
Creating a process from a recently created file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62381a7fb94fb38cb4c087c0/reports/2462d878-7ea0-46e6-a5bb-a3f82f6e1cfc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cfd9ad19-07a7-4ef0-9b2d-cc109b31c665
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/961041
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf9d82a4d67beb905befac24665ccb76ac0bc9de390e335ab393072c5c37d281/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-21 06:26:12 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
25 of 27 (92.59%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z6oyfjgwppvzaw7pvqsgmxglo2waxso6hehdgwvtsmdsyxbx2kaq._file
Verdict:
malicious
Similar samples:
18d3c86e8cf3eef27c596430279fade1c4c46b3ed4e59de2912ef2c803e13e32
CoinMiner
1fca453f1f9a6acf20ba5a9828178d70426e7f8e58ec6116f2aacf96053e0037
CoinMiner
24cf5566094b9c99b75303995b503b3285531d1313658f318a931424c9ef46d3
CoinMiner
3e1a6299d80d53a831c2e6759ce2ac41e6d9aa6603cb2a1df7efbfb86debefa5
CoinMiner
96b3aa4520797806ccaf670897eaead29ac9dd3f9a6add879e2d93f7e2557513
CoinMiner
bf7cfd220d44eba42f39dc189cef99116ca1036f43a9324b9cc3f04bb7a19d6f
CoinMiner
d2e800b01162a5151738eb524ef4bd36faeba8dd33b8c3d68edb635c29d38d9b
CoinMiner
fe7e378c72ec43fca46360a46a8fc8c0d5ec0f4739ce3286610774fdec47edda
CoinMiner
+ 1'874 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:832628713_99 evasion infostealer spyware trojan
Link:
https://tria.ge/reports/220321-g67c8ahed4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Malware Config
C2 Extraction:
194.87.218.50:3431
Unpacked files
SH256 hash:
e2b2034b41d945ae1dc48de29e709df705f732eaaccb3a74578c167653e2f767
MD5 hash:
14734716d2982c80eaec2f49c6a3ecee
SHA1 hash:
dcf979a9bf156b55851a837f79a0e69ba07aa253
Link:
https://www.unpac.me/results/2e59436b-b53f-43b3-8a0d-84f25aa01bb9/
SH256 hash:
ead1cfebfaa1c1e86808ed7fcd770d3ffb1786a567f1844592d7c568218c29d0
MD5 hash:
80a392fc6fd39ff74b67d1e98c535756
SHA1 hash:
f833d0d2c64285691c4e8a8c76bfa3f67713a190
Link:
https://www.unpac.me/results/2e59436b-b53f-43b3-8a0d-84f25aa01bb9/
SH256 hash:
cf9d82a4d67beb905befac24665ccb76ac0bc9de390e335ab393072c5c37d281
MD5 hash:
965514665932fee91f048e3c6e462d37
SHA1 hash:
c2ae1893ec2398718f6584ffea09186ccf6a8a37
Link:
https://www.unpac.me/results/2e59436b-b53f-43b3-8a0d-84f25aa01bb9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cf9d82a4d67b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf9d82a4d67beb905befac24665ccb76ac0bc9de390e335ab393072c5c37d281

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/253253/

Comments