MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dff8b47d7290a0502a4c5ee183b85ea28a9ab501d93b7c1a11c9592e544d1fe7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 12

SHA256 hash: dff8b47d7290a0502a4c5ee183b85ea28a9ab501d93b7c1a11c9592e544d1fe7
SHA3-384 hash: dbc24140d16ae4452a8ea36eadc0bf9ec86305f96887618adc55b0cc6f904ec18368956730bade671b94c82725973d7c
SHA1 hash: 5fe7758e32f00cae07da6ad9b64db7f09074b9fb
MD5 hash: 10eb1924b6397b13b7e7b4a670c6fa59
humanhash: yankee-california-cardinal-foxtrot
File name: 10eb1924b6397b13b7e7b4a670c6fa59.exe
Signature: CoinMiner
File size: 667'648 bytes
First seen: 2021-12-14 16:49:25 UTC
Last seen: 2021-12-14 18:45:15 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9a7d8deb9f5b4ee77055264204973361 (7 x RedLineStealer, 2 x ArkeiStealer, 1 x CoinMiner)
ssdeep: 12288:OgS4kYP5COrh+Q+eUCOthn/Q0OwJ8/Q1NKhlmHhkcd7w:OLYPkOrh+Q+JCM9Kvoahl+1e
Threatray: 3'752 similar samples on MalwareBazaar
TLSH: T128E402D274EED072E5A72A319420C3E55D37B983DE34519F36342BAE6FB23E01A21716
File icon (PE): [icon image]
dhash icon: 327e7c7f727e6e66 (1 x CoinMiner, 1 x RaccoonStealer, 1 x RedLineStealer)
Reporter: abuse_ch
Tags: CoinMiner exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 256
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 10eb1924b6397b13b7e7b4a670c6fa59.exe
Verdict: Malicious activity
Analysis date: 2021-12-14 17:04:47 UTC
Tags: trojan stealer vidar loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Delayed writing of the file
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Sending an HTTP GET request to an infection source
Forced shutdown of a browser
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: troj.spyw
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph: [image]
Threat name: Win32.Trojan.Fragtor
Status: Malicious
First seen: 2021-12-14 00:42:10 UTC
File Type: PE (Exe)
Extracted files: 43
AV detection: 34 of 45 (75.56%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:vidar family:xmrig botnet:1067 discovery miner spyware stealer suricata
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
XMRig Miner Payload
Vidar
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
xmrig
Malware Config
C2 Extraction:
https://mstdn.social/@sergeev43
https://koyu.space/@sergeev45
Unpacked files
SHA256 hash: d9271b5454d70d4bf643d341bf36b564ba7cce9e2edf487fca99c8b3a71f1df8
MD5 hash: c3811426be46a7056b3716ab94901f9c
SHA1 hash: f207caa4c279d1348d3c785cf3055a80d0cd6ecf
SHA256 hash: dff8b47d7290a0502a4c5ee183b85ea28a9ab501d93b7c1a11c9592e544d1fe7
MD5 hash: 10eb1924b6397b13b7e7b4a670c6fa59
SHA1 hash: 5fe7758e32f00cae07da6ad9b64db7f09074b9fb
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method   Signature   File type        SHA256
Web download      CoinMiner   Executable exe   dff8b47d7290a0502a4c5ee183b85ea28a9ab501d93b7c1a11c9592e544d1fe7 (this sample)

Delivery method: Distributed via web download

Comments