MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8b12c287c825cd1bae9c64783760c2d049653bfc11ecb80b926705695058793. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 15


Intelligence 15 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8b12c287c825cd1bae9c64783760c2d049653bfc11ecb80b926705695058793
SHA3-384 hash: 672413e2b6f19e57fd84760b375ed3ad796e5407f3d2ac328aed9960ea7d9205b86520c80e53a2ca966d7ffde7f37521
SHA1 hash: 6d4bb7012244358a7250bdcb4129f665bc50dad7
MD5 hash: 857dedb1de67c69e53a67b20ad3a89d7
humanhash: cup-apart-vegan-eleven
File name:FORTNITE.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:355'056 bytes
First seen:2022-08-10 05:57:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e72f03da6e4b29bee632754c49d695b (1 x CoinMiner)
ssdeep 6144:1vcAkypgGZymAYB//I+LB5rhBVBNYoBDAOnjbqP9LYz8hyI3DVB5:1vcASGZymAYB/VzJD5jby9UmB5
TLSH T11B74AE2077D8C832D9B6153018F0D7358679F8524B619BDB5BC45ABE0F313C2AA36EB6
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter tech_skeech
Tags:CoinMiner exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
378
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
FORTNITE.exe
Verdict:
Malicious activity
Analysis date:
2022-08-10 05:58:11 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/13359bf8-bd64-4e96-a5b4-687e108fa33c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/297541/
Detection(s):
Win.Malware.Bulz-9880537-0
Create hunting rule

Win.Packed.Bulz-9883367-0
Create hunting rule

Win.Packed.Generickdz-9885340-0
Create hunting rule

Win.Packed.Bulz-9891195-0
Create hunting rule

Win.Trojan.Redline-9938775-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28493/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm fingerprint greyware hacktool overlay packed packed pandora redline sectoprat stealer windows zusy
Link:
https://www.filescan.io/uploads/62f34965810e2831b732d55b/reports/45c2b36c-32e0-4c0c-9b85-5fd72cf376e6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8cf17cf8-2edb-4c0c-879f-9abd2af06987
Result
Threat name:
Ficker Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1049027
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Ficker Stealer
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 681521 Sample: FORTNITE.exe Startdate: 10/08/2022 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for domain / URL 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for URL or domain 2->44 46 9 other signatures 2->46 9 FORTNITE.exe 1 2->9         started        process3 signatures4 56 Contains functionality to inject code into remote processes 9->56 58 Writes to foreign memory regions 9->58 60 Allocates memory in foreign processes 9->60 62 Injects a PE file into a foreign processes 9->62 12 AppLaunch.exe 15 34 9->12         started        17 WerFault.exe 23 9 9->17         started        19 conhost.exe 9->19         started        process5 dnsIp6 34 api.ip.sb 12->34 36 193.124.22.27, 49763, 49778, 49779 ETOP-ASPL Russian Federation 12->36 38 cdn.discordapp.com 162.159.129.233, 443, 49780 CLOUDFLARENETUS United States 12->38 30 C:\Users\user\AppData\Local\...\DllHost.exe, PE32+ 12->30 dropped 64 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->64 66 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->66 68 Tries to harvest and steal browser information (history, passwords, etc) 12->68 70 Tries to steal Crypto Currency Wallets 12->70 21 DllHost.exe 12->21         started        24 conhost.exe 12->24         started        32 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->32 dropped file7 signatures8 process9 signatures10 48 Antivirus detection for dropped file 21->48 50 Multi AV Scanner detection for dropped file 21->50 52 Machine Learning detection for dropped file 21->52 54 Encrypted powershell cmdline option found 21->54 26 powershell.exe 21->26         started        process11 process12 28 conhost.exe 26->28         started       
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e8b12c287c825cd1bae9c64783760c2d049653bfc11ecb80b926705695058793/
Threat name:
Win32.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2022-08-10 05:58:09 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5cysykd4qjondoxjyzdyg5qmfucjmu57yepmxafzezyfnfifq6jq._file
Verdict:
malicious
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:xmrig botnet:1686407864 discovery evasion exploit infostealer miner spyware
Link:
https://tria.ge/reports/220810-gn6nzafgf7/
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Possible privilege escalation attempt
Stops running service(s)
XMRig Miner payload
Modifies security service
RedLine
RedLine payload
xmrig
Malware Config
C2 Extraction:
193.124.22.27:8362
Unpacked files
SH256 hash:
b1915330f1f9806758377f8135dfaec1e9650cbf8d5d8229a9d2e4a2868c5f55
MD5 hash:
617a1d48959f759724fe643cf2ab5d2e
SHA1 hash:
0cb09801bad1fe926e1a900f09f33615a00bd23e
Link:
https://www.unpac.me/results/d5aedf03-970a-4e8a-9462-370fecfb41b3/
SH256 hash:
e8b12c287c825cd1bae9c64783760c2d049653bfc11ecb80b926705695058793
MD5 hash:
857dedb1de67c69e53a67b20ad3a89d7
SHA1 hash:
6d4bb7012244358a7250bdcb4129f665bc50dad7
Link:
https://www.unpac.me/results/d5aedf03-970a-4e8a-9462-370fecfb41b3/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e8b12c287c82/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.44
Link:
https://yomi.yoroi.company/submissions/e8b12c287c825cd1bae9c64783760c2d049653bfc11ecb80b926705695058793

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ArechClient
Create hunting rule
Author:@bartblaze
Description:Identifies ArechClient, infostealer.
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline32
Create hunting rule
Author:Muffin
Description:This rule detects Redline Stealer
Rule name:RedLine_a
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe e8b12c287c825cd1bae9c64783760c2d049653bfc11ecb80b926705695058793

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/297541/

Comments