MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2e800b01162a5151738eb524ef4bd36faeba8dd33b8c3d68edb635c29d38d9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	d2e800b01162a5151738eb524ef4bd36faeba8dd33b8c3d68edb635c29d38d9b
SHA3-384 hash:	d83c5837448615ea18582ecfee85b8aa67ebae8ab2a7b185f9f7accf812316768d99dd4670065510f8186b23ce06e960
SHA1 hash:	69ecd0eb3d7e37a148ab5e89c225af2cd566f6ab
MD5 hash:	4256b2cb5a9af7923d2b9bd7fb2a3767
humanhash:	floor-oregon-wyoming-massachusetts
File name:	14294310.exe
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	569'856 bytes
First seen:	2022-03-18 05:00:57 UTC
Last seen:	2022-03-18 06:36:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep	12288:xWuLrsJWu/qkXjnx/ey6fLQS03ULaHNqrxlKIQNorv1UqsP5gr5a6pjW:xWuUfF+LkEaHNYK3obsijpjW
Threatray	1'738 similar samples on MalwareBazaar
TLSH	T12DC42311D300B64CE54BBA791FF3378B9D191337A1E8E0AED0768A5745F048BEB1A276
Reporter	adm1n_usa32
Tags:	CoinMiner exe

Intelligence

File Origin

# of uploads :

# of downloads :

251

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

socelars

ID:

File name:

setup_x86_x64_install.bin (2).zip

Verdict:

Malicious activity

Analysis date:

2022-03-07 14:27:31 UTC

Tags:

evasion trojan socelars stealer loader rat redline opendir phishing vidar

Link:

https://app.any.run/tasks/9fd196b6-cb96-43d9-a5e8-0a37b0a956b0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/252242/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Using the Windows Management Instrumentation requests

Creating a window

Sending a custom TCP request

Reading critical registry keys

Сreating synchronization primitives

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Query of malicious DNS domain

Blocking the Windows Defender launch

Unauthorized injection to a system process

Sending an HTTP GET request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/623412130cd58dbd92b3ebc0/reports/36d4387d-b9e5-40de-ab6e-614759a4ffb8/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/19972dc2-dd94-42bf-a231-83ddc4be076e

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/959253

Signature

Allocates memory in foreign processes

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d2e800b01162a5151738eb524ef4bd36faeba8dd33b8c3d68edb635c29d38d9b/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-03-08 17:19:47 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 27 (88.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2luabmarmksrkfzy5nje55f5g35oxkg5go4mhvuo3nrvykotrwnq._file

Verdict:

malicious

CoinMiner

1430de888f5ef501e60e80398b0309a05f453a8b2e8c9b24fdaa5e722d2f8242

CoinMiner

1635567f96d69d53a64c49fb4a8cb5d65663d545f4ae4ea7c6465b49e4c297f4

CoinMiner

206965feae3c8aa99bf38f625be1e674771faef044c013def41981e7af9bd403

CoinMiner

24dddac175ec0ecbe3a13040165f0438fca44502c216c96655cdff8f4bc0ddcb

CoinMiner

59131e55898be4de6efa846f46a69f71e7ab941e6b0e3f6fc01b80693d68ea44

CoinMiner

6b737843eebb48068a3ef0bce32560eb1bb8b1db1ed2cd7018c8742b099ace17

CoinMiner

9f6e71649662dd86ed3b65a8d20ad8c21971cb8087d14eeb34449f04b573b737

CoinMiner

b63ab3c3d30931c5c5297641b70cd011151334a03151287e57d7b6d7a32ba457

CoinMiner

+ 1'728 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/220318-fnkaasgad6/

Behaviour

Program crash

Unpacked files

SH256 hash:

e8186e104b2b358de9fd0dc5707b35e6e50f949c46384d86c6d017d294fa6efa

MD5 hash:

af1e05b16f53bcc940fcbeb8c4c08258

SHA1 hash:

5f8803f9b8ab05fba9d23ca4d198c241f56ec3b2

Link:

https://www.unpac.me/results/eb5df40f-24e0-4062-bc51-366d734837b2/

SH256 hash:

353b62fc983343a48b10590f3e9c178bae4f417807ff5c1acbe9881cbec2f793

MD5 hash:

c441c9ed3a991afdf1128e5c0190c8c6

SHA1 hash:

27de24b4e3361c0eb5dbad6815039f2d23233189

Link:

https://www.unpac.me/results/eb5df40f-24e0-4062-bc51-366d734837b2/

SH256 hash:

d2e800b01162a5151738eb524ef4bd36faeba8dd33b8c3d68edb635c29d38d9b

MD5 hash:

4256b2cb5a9af7923d2b9bd7fb2a3767

SHA1 hash:

69ecd0eb3d7e37a148ab5e89c225af2cd566f6ab

Link:

https://www.unpac.me/results/eb5df40f-24e0-4062-bc51-366d734837b2/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/d2e800b01162/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d2e800b01162a5151738eb524ef4bd36faeba8dd33b8c3d68edb635c29d38d9b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Redline_Stealer_Monitor Create hunting rule
Description:	Detects RedLine Stealer Variants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/252242/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample