MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9d30a33e55e18b21223661fd4d18a59ec2ccaca3b65325ff49d687435f17ad7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 11



SHA256 hash: d9d30a33e55e18b21223661fd4d18a59ec2ccaca3b65325ff49d687435f17ad7
SHA3-384 hash: 3b4134536b3488f718e27d95d8caf99eb040aa022538a7df2805ded48f920553c15ee8e3bb56544e61213130a42b97c9
SHA1 hash: 6a53fb63d665b51ff1cf78472598978d9fc08cbe
MD5 hash: a458d224d11a5ae9ea2ba48d39f01d54
humanhash: carpet-north-whiskey-burger
File name: a458d224d11a5ae9ea2ba48d39f01d54.exe
Signature: CoinMiner
File size: 393'216 bytes
First seen: 2021-09-26 05:27:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 6144:uxYbrK2gcJrsa8op1QBLDPERd2zFO28eCDk:uxNWJfkBMrgsBeCD
Threatray: 64 similar samples on MalwareBazaar
TLSH: T162843826265AB00EF68831FC79DE16000BF32F566D65C1EE6933F69B4873231E36215B
dhash icon: b9705cd9d95c78b1 (1 x CoinMiner)
Reporter: abuse_ch
Tags: CoinMiner exe


abuse_ch
CoinMiner C2:
141.94.188.139:43059

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 141.94.188.139:43059
ThreatFox reference: https://threatfox.abuse.ch/ioc/226715/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 271
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a458d224d11a5ae9ea2ba48d39f01d54.exe
Verdict: Malicious activity
Analysis date: 2021-09-26 05:27:41 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: BitCoin Miner RedLine
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph (graph image not reproduced; the node data recoverable from it is listed below):
Behavior Graph ID: 490748, Sample: Ze7iQlRsAk.exe, Start date: 26/09/2021, Architecture: WINDOWS, Score: 100
Network contacts: pool.supportxmr.com, pool-fr.supportxmr.com; 141.94.188.139 ports 43059 and 49735 (DFN Verein zur Foerderung eines Deutschen Forschungsnetzes, Germany); cdn.discordapp.com at 162.159.129.233 and 162.159.130.233 port 443 (CLOUDFLARENET, United States); api.ip.sb; 192.168.2.1; 127.0.0.1
Dropped files: C:\Users\user\AppData\...\Ze7iQlRsAk.exe.log (ASCII); C:\Users\user\AppData\Local\Temp\fl.exe (PE32); C:\Users\user\AppData\Local\Temp\winrsc.exe (PE32+); C:\Users\user\AppData\Local\...\REGINII.exe (PE32+); C:\Users\user\AppData\Local\...\svchost32.exe (PE32+); C:\Users\user\AppData\Local\...\svchost64.exe (PE32+); C:\Windows\System32\winrsc.exe (PE32+); C:\Windows\System32\REGINII.exe (PE32+)
Process chain: Ze7iQlRsAk.exe injects into a second Ze7iQlRsAk.exe instance (stealer and Discord CDN download), which starts fl.exe; fl.exe starts cmd.exe, which launches several powershell.exe instances that download and start winrsc.exe and REGINII.exe; these spawn cmd.exe, powershell.exe and schtasks, and run svchost32.exe and svchost64.exe, which drop winrsc.exe and REGINII.exe into C:\Windows\System32 and start them; conhost.exe and svchost.exe appear as child or ancillary processes throughout
Signatures attached to graph nodes: Sigma detected: Powershell download and execute file; Multi AV Scanner detection for dropped file and for submitted file; Queries sensitive video device and disk information via WMI; Injects a PE file into a foreign processes; Adds a directory exclusion to Windows Defender; Tries to harvest and steal browser information; Tries to steal Crypto Currency Wallets; Antivirus detection for dropped file; Suspicious powershell command line found; Tries to download and execute files (via powershell); Powershell drops PE file; Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules; Drops executables to the windows directory (C:\Windows) and starts them; 9 other signatures
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-09-22 03:23:06 UTC
AV detection: 19 of 28 (67.86%)
Threat level: 5/5
Result
Score: 10/10
Tags: family:redline family:xmrig botnet:@scw1x discovery infostealer miner spyware stealer suricata
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
RedLine
RedLine Payload
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
xmrig
Malware Config
C2 Extraction: 141.94.188.139:43059
Dropper Extraction:
https://cdn.discordapp.com/attachments/889569369078779975/890215850014031922/winrsc.exe
https://cdn.discordapp.com/attachments/889569369078779975/890215862764720208/REGINII.exe
Unpacked files
SHA256 hash: c6369b53987f1933df48d02dfb592a9afc3f842686e31f615b62809ea0cfc785
MD5 hash: 3c209b0167eb90bdbee28cbe8b012f36
SHA1 hash: c9049358dd839311a1976737876fd25b91d93497
SHA256 hash: d9d30a33e55e18b21223661fd4d18a59ec2ccaca3b65325ff49d687435f17ad7
MD5 hash: a458d224d11a5ae9ea2ba48d39f01d54
SHA1 hash: 6a53fb63d665b51ff1cf78472598978d9fc08cbe
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: pe_imphash
Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments