MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef6249a3f7b21f60e30397f6030e09e575458ac3f8409458bf4b17f1eaf23cb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef6249a3f7b21f60e30397f6030e09e575458ac3f8409458bf4b17f1eaf23cb4
SHA3-384 hash: 6e127954090c8976c6b03b5a9ee543b7573b7bf3da6ea7243262407e43bd2ca2f1cdd5ed28e2650857f4f743dd2059a7
SHA1 hash: c425aa3442b30d15a931cf96a30e2909f2ff4308
MD5 hash: f85fa83b224e8d045dd3d13c0f3c41b1
humanhash: high-hydrogen-august-mango
File name:f85fa83b224e8d045dd3d13c0f3c41b1.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'073'152 bytes
First seen:2023-10-16 08:14:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:r/yYN0J1WkGdcORZ1HW3ddDWu12AFB+2:r6YOW9dcI63dbp
Threatray 1 similar samples on MalwareBazaar
TLSH T1C0352850D7F8D249E0FE5231DEE062E062B26E737322D279CC06F5A5386C6D78DC4A66
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
f85fa83b224e8d045dd3d13c0f3c41b1.exe
Verdict:
Malicious activity
Analysis date:
2023-10-16 08:18:31 UTC
Tags:
payload opendir privateloader evasion loader risepro stealer redline stealc sinkhole lumma ransomware stop vidar trojan arkei smoke
Link:
https://app.any.run/tasks/2e1876ef-c3e6-4639-87e9-68b3e2dbe7d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/454752/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.16984.1462.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Connecting to a non-recommended domain
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Using the Windows Management Instrumentation requests
Creating a window
Blocking the User Account Control
Forced shutdown of a system process
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/652cf111c51de9263e5af924/reports/4039252c-772c-4980-a55f-a4da00662ca9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ef6249a3f7b21f60e30397f6030e09e575458ac3f8409458bf4b17f1eaf23cb4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Upgdsed
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f0210c5c-b328-477e-8308-4d24a951206a
Result
Threat name:
RedLine, Glupteba
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1326282
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
DLL side loading technique detected
Drops script or batch files to the startup folder
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Sigma detected: Stop multiple services
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1326282 Sample: BakaNOkMD4.exe Startdate: 16/10/2023 Architecture: WINDOWS Score: 100 183 Multi AV Scanner detection for domain / URL 2->183 185 Malicious sample detected (through community Yara rule) 2->185 187 Antivirus detection for URL or domain 2->187 189 18 other signatures 2->189 10 BakaNOkMD4.exe 2 4 2->10         started        13 svchost.exe 2->13         started        15 cmd.exe 2->15         started        17 10 other processes 2->17 process3 dnsIp4 221 Writes to foreign memory regions 10->221 223 Allocates memory in foreign processes 10->223 225 Adds a directory exclusion to Windows Defender 10->225 235 2 other signatures 10->235 20 CasPol.exe 15 23 10->20         started        25 powershell.exe 23 10->25         started        227 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->227 229 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->229 231 Modifies power options to not sleep / hibernate 15->231 27 conhost.exe 15->27         started        29 powercfg.exe 15->29         started        145 72.247.100.147 AKAMAI-ASUS United States 17->145 147 127.0.0.1 unknown unknown 17->147 233 DLL side loading technique detected 17->233 31 conhost.exe 17->31         started        33 conhost.exe 17->33         started        35 sc.exe 17->35         started        37 4 other processes 17->37 signatures5 process6 dnsIp7 149 85.217.144.143 WS171-ASRU Bulgaria 20->149 151 107.167.110.211 OPERASOFTWAREUS United States 20->151 153 8 other IPs or domains 20->153 113 C:\Users\...\y9TKlANv1jd3jzLd9EgqQe4T.exe, PE32 20->113 dropped 115 C:\Users\...\YngK6A9MAzits0sMz0MsrNI2.exe, PE32+ 20->115 dropped 117 C:\Users\...\XV7tpiH2e5ciC738LI1A1lNq.exe, PE32+ 20->117 dropped 119 16 other malicious files 20->119 dropped 191 Drops script or batch files to the startup folder 20->191 193 Creates HTML files with .exe extension (expired dropper behavior) 20->193 39 XV7tpiH2e5ciC738LI1A1lNq.exe 10 52 20->39         started        44 DXzKKyPRmfiJ8HICBAZpAY26.exe 20->44         started        46 YngK6A9MAzits0sMz0MsrNI2.exe 1 4 20->46         started        50 3 other processes 20->50 48 conhost.exe 25->48         started        file8 signatures9 process10 dnsIp11 155 87.240.132.72 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 39->155 157 87.240.137.140 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 39->157 165 14 other IPs or domains 39->165 127 C:\Users\...\uw3g8Yq7nKS7adkZUeoKVL8A.exe, MS-DOS 39->127 dropped 129 C:\Users\...\nPW8sHTSxPejLEt0XWweMqDU.exe, PE32 39->129 dropped 131 C:\Users\...\k2E084bCv5zkavj4RuwNrYw2.exe, PE32 39->131 dropped 139 20 other malicious files 39->139 dropped 201 Creates HTML files with .exe extension (expired dropper behavior) 39->201 203 Disables Windows Defender (deletes autostart) 39->203 205 Tries to harvest and steal browser information (history, passwords, etc) 39->205 215 3 other signatures 39->215 159 107.167.110.217 OPERASOFTWAREUS United States 44->159 161 107.167.125.189 OPERASOFTWAREUS United States 44->161 167 5 other IPs or domains 44->167 133 Opera_installer_2310160853298247476.dll, PE32 44->133 dropped 135 C:\Users\user\AppData\Local\...\opera_package, PE32 44->135 dropped 141 4 other malicious files 44->141 dropped 52 DXzKKyPRmfiJ8HICBAZpAY26.exe 44->52         started        55 Assistant_103.0.4928.25_Setup.exe_sfx.exe 44->55         started        57 DXzKKyPRmfiJ8HICBAZpAY26.exe 44->57         started        68 2 other processes 44->68 137 C:\Users\user\...\fronttechnological.exe, PE32+ 46->137 dropped 207 Creates multiple autostart registry keys 46->207 59 fronttechnological.exe 46->59         started        62 cmd.exe 13 46->62         started        163 172.67.222.167 CLOUDFLARENETUS United States 50->163 143 2 other malicious files 50->143 dropped 209 Multi AV Scanner detection for dropped file 50->209 211 Detected unpacking (changes PE section rights) 50->211 213 Detected unpacking (overwrites its own PE header) 50->213 217 4 other signatures 50->217 64 y9TKlANv1jd3jzLd9EgqQe4T.exe 50->64         started        66 powershell.exe 50->66         started        file12 signatures13 process14 file15 95 Opera_installer_2310160853333247856.dll, PE32 52->95 dropped 109 12 other malicious files 52->109 dropped 70 DXzKKyPRmfiJ8HICBAZpAY26.exe 52->70         started        97 C:\Users\user\AppData\Local\...\mojo_core.dll, PE32 55->97 dropped 99 C:\Users\user\AppData\Local\...\launcher.exe, PE32 55->99 dropped 111 4 other malicious files 55->111 dropped 101 Opera_installer_2310160853308527632.dll, PE32 57->101 dropped 103 C:\Users\user\...\thoseintroductory.exe, PE32 59->103 dropped 105 C:\Users\user\AppData\...\callcustomerpro.exe, PE32+ 59->105 dropped 237 Multi AV Scanner detection for dropped file 59->237 239 Creates multiple autostart registry keys 59->239 73 callcustomerpro.exe 59->73         started        241 Uses powercfg.exe to modify the power settings 62->241 243 Modifies power options to not sleep / hibernate 62->243 76 chrome.exe 62->76         started        79 conhost.exe 62->79         started        81 powershell.exe 64->81         started        83 conhost.exe 66->83         started        107 Opera_installer_2310160853324997764.dll, PE32 68->107 dropped 85 assistant_installer.exe 68->85         started        signatures16 process17 dnsIp18 121 Opera_installer_2310160853339328016.dll, PE32 70->121 dropped 123 C:\Users\user\AppData\...\calllcustomer.exe, PE32+ 73->123 dropped 125 C:\Users\user\AppData\...\callcustomer.exe, PE32 73->125 dropped 219 Multi AV Scanner detection for dropped file 73->219 87 callcustomer.exe 73->87         started        177 192.168.2.8 unknown unknown 76->177 179 192.168.2.9 unknown unknown 76->179 181 239.255.255.250 unknown Reserved 76->181 91 chrome.exe 76->91         started        93 conhost.exe 81->93         started        file19 signatures20 process21 dnsIp22 169 172.86.98.101 M247GB United States 87->169 195 Multi AV Scanner detection for dropped file 87->195 197 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 87->197 199 Injects a PE file into a foreign processes 87->199 171 142.250.188.227 GOOGLEUS United States 91->171 173 142.250.189.3 GOOGLEUS United States 91->173 175 8 other IPs or domains 91->175 signatures23
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ef6249a3f7b21f60e30397f6030e09e575458ac3f8409458bf4b17f1eaf23cb4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef6249a3f7b21f60e30397f6030e09e575458ac3f8409458bf4b17f1eaf23cb4/
Threat name:
Win32.Spyware.Vidar
Create hunting rule
Status:
Malicious
First seen:
2023-10-15 05:57:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
17 of 36 (47.22%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=55reti7xwipwbyyds73agdqj4v2ulcwd7bajiwf7jml7d2xshs2a._file
Verdict:
malicious
Similar samples:
67d9651b26cb6dc1a1d6b9d072b3382555ddd0811d2beb0eab6cab27dfecd8f7
CoinMiner
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:privateloader family:xmrig dropper evasion loader miner persistence spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/231016-j5k5pscg51/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
VMProtect packed file
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
XMRig Miner payload
Glupteba
Glupteba payload
PrivateLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Windows security bypass
xmrig
Unpacked files
SH256 hash:
33b51b93aa51f45a2538886061cfa0fd4e7128309b881fc1ef7bdbd5b9ab32f3
MD5 hash:
052f31b90a2ea70b88cc77b236a22061
SHA1 hash:
c7fbf395b0f43ba4cd77de6757987dfca00ba941
Link:
https://www.unpac.me/results/1944e990-f6f6-4fdc-bf2c-e0ae0d0aa2f1/
SH256 hash:
ef6249a3f7b21f60e30397f6030e09e575458ac3f8409458bf4b17f1eaf23cb4
MD5 hash:
f85fa83b224e8d045dd3d13c0f3c41b1
SHA1 hash:
c425aa3442b30d15a931cf96a30e2909f2ff4308
Link:
https://www.unpac.me/results/1944e990-f6f6-4fdc-bf2c-e0ae0d0aa2f1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/ef6249a3f7b21f60e30397f6030e09e575458ac3f8409458bf4b17f1eaf23cb4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe ef6249a3f7b21f60e30397f6030e09e575458ac3f8409458bf4b17f1eaf23cb4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2719266/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/454752/

Comments