MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f74c97d626730018ba9a8dd5e6fb806bfcc42d15a8b20ef328cc5f0d6a052ccc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f74c97d626730018ba9a8dd5e6fb806bfcc42d15a8b20ef328cc5f0d6a052ccc
SHA3-384 hash: 3e7cafc29ddc974cbc9643ac882872509756ff675268a35c797b746269ac633a15c41ca2be7190f66eab8fe457ab2a1d
SHA1 hash: 34c423a440f0cd520e2208cdfc3624c87f6e1729
MD5 hash: df466035296d8df2cf390c3a291caebb
humanhash: quiet-missouri-uniform-echo
File name:df466035296d8df2cf390c3a291caebb
Download: download sample
Signature CoinMiner
Create hunting rule
File size:153'088 bytes
First seen:2021-08-24 01:23:11 UTC
Last seen:2021-08-24 03:47:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7f519e58768c36b2651aa4c0b9c28c9d (12 x RaccoonStealer, 2 x Smoke Loader, 2 x Stop)
ssdeep 1536:Rh4Ze/M/PYQ7kTAOoLOjGqDP4PL8BOdeKGnOG+ZeK/7Px5AYdHMKa12x11JATEL0:5+YQ0gayg4T8YIOGHqzx5ALwv1JQKt
Threatray 5'787 similar samples on MalwareBazaar
TLSH T12AE3BE2035E8C037C451453148D6C6A0D63BF866AEB185073BE8E65F6E753E3FB262A7
dhash icon 1072c092b0381902 (9 x RedLineStealer, 9 x RaccoonStealer, 4 x CryptBot)
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
df466035296d8df2cf390c3a291caebb
Verdict:
Suspicious activity
Analysis date:
2021-08-24 01:23:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ed2bc2f3-afa9-40b5-b6bf-b7e9f8c1645a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181675/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.21973.21616.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Creating a process from a recently created file
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the %temp% directory
Launching the default Windows debugger (dwwin.exe)
Connection attempt to an infection source
Creating a file
Sending a custom TCP request
Deleting a recently created file
Replacing files
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Sending a TCP request to an infection source
Deleting of the original file
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/02dfeabf-039c-41d2-abbf-506f1fe49be2
Result
Threat name:
Raccoon SmokeLoader Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837895
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Yara detected Raccoon Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 470326 Sample: DUsM8INDiD Startdate: 24/08/2021 Architecture: WINDOWS Score: 100 112 x-tendperu.com 2->112 114 wycombetaxis.com 2->114 116 241 other IPs or domains 2->116 150 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->150 152 Antivirus detection for URL or domain 2->152 154 Multi AV Scanner detection for submitted file 2->154 156 13 other signatures 2->156 11 DUsM8INDiD.exe 2->11         started        14 idceghj 2->14         started        16 fyqmkvj.exe 2->16         started        18 5 other processes 2->18 signatures3 process4 dnsIp5 192 Detected unpacking (changes PE section rights) 11->192 194 Contains functionality to inject code into remote processes 11->194 196 Injects a PE file into a foreign processes 11->196 21 DUsM8INDiD.exe 11->21         started        24 idceghj 14->24         started        118 192.168.2.1 unknown unknown 18->118 120 77.52.17.84.in-addr.arpa 18->120 198 System process connects to network (likely due to code injection or exploit) 18->198 26 WerFault.exe 18->26         started        28 WerFault.exe 18->28         started        signatures6 process7 signatures8 184 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->184 186 Maps a DLL or memory area into another process 21->186 188 Checks if the current machine is a virtual machine (disk enumeration) 21->188 30 explorer.exe 15 21->30 injected 190 Creates a thread in another existing process (thread injection) 24->190 process9 dnsIp10 136 95.213.224.6, 80 SELECTELRU Russian Federation 30->136 138 185.49.70.90, 2080, 49742 LEASEWEB-DE-FRA-10DE United Kingdom 30->138 140 3 other IPs or domains 30->140 104 C:\Users\user\AppData\Roaming\idceghj, PE32 30->104 dropped 106 C:\Users\user\AppData\Local\Temp\D87F.exe, PE32 30->106 dropped 108 C:\Users\user\AppData\Local\Temp\CBCC.exe, PE32 30->108 dropped 110 5 other files (3 malicious) 30->110 dropped 142 System process connects to network (likely due to code injection or exploit) 30->142 144 Benign windows process drops PE files 30->144 146 Performs DNS queries to domains with low reputation 30->146 148 2 other signatures 30->148 35 EE3C.exe 30->35         started        39 explorer.exe 30->39         started        42 C1A9.exe 86 30->42         started        44 11 other processes 30->44 file11 signatures12 process13 dnsIp14 88 C:\Users\user\AppData\Local\...\fyqmkvj.exe, PE32 35->88 dropped 158 Detected unpacking (changes PE section rights) 35->158 160 Uses netsh to modify the Windows network and firewall settings 35->160 162 Modifies the windows firewall 35->162 46 cmd.exe 35->46         started        49 cmd.exe 35->49         started        52 sc.exe 35->52         started        64 3 other processes 35->64 122 readinglistforaugust3.xyz 39->122 164 System process connects to network (likely due to code injection or exploit) 39->164 166 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->166 168 Tries to steal Mail credentials (via file access) 39->168 170 Performs DNS queries to domains with low reputation 39->170 124 188.34.200.103, 49740, 80 HETZNER-ASDE Germany 42->124 126 74.114.154.18, 443, 49739 AUTOMATTICUS Canada 42->126 128 eduarroma.tumblr.com 42->128 90 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 42->90 dropped 92 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 42->92 dropped 94 C:\Users\user\AppData\...\mozglue[1].dll, PE32 42->94 dropped 102 9 other files (none is malicious) 42->102 dropped 172 Tries to harvest and steal browser information (history, passwords, etc) 42->172 174 Tries to steal Crypto Currency Wallets 42->174 54 cmd.exe 42->54         started        130 185.191.34.170, 49750, 49751, 49752 ASBAXETNRU Russian Federation 44->130 132 149.210.239.206, 443, 49771 TRANSIP-ASAmsterdamtheNetherlandsNL Netherlands 44->132 134 93 other IPs or domains 44->134 96 unknown (copy), SQLite 44->96 dropped 98 C:\Users\user\AppData\Local\Temp\...\.dll, PE32+ 44->98 dropped 100 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 44->100 dropped 176 Query firmware table information (likely to detect VMs) 44->176 178 Tries to detect sandboxes and other dynamic analysis tools (window names) 44->178 180 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 44->180 182 3 other signatures 44->182 56 cmd.exe 44->56         started        58 WerFault.exe 44->58         started        60 conhost.exe 44->60         started        62 conhost.exe 44->62         started        file15 signatures16 process17 file18 200 Drops PE files to the startup folder 46->200 66 conhost.exe 46->66         started        84 C:\Windows\SysWOW64\...\fyqmkvj.exe (copy), PE32 49->84 dropped 68 conhost.exe 49->68         started        70 conhost.exe 52->70         started        72 conhost.exe 54->72         started        74 taskkill.exe 54->74         started        86 C:\Users\user\AppData\...\svchostsw.exe, PE32 56->86 dropped 76 conhost.exe 56->76         started        78 conhost.exe 64->78         started        80 conhost.exe 64->80         started        82 conhost.exe 64->82         started        signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f74c97d626730018ba9a8dd5e6fb806bfcc42d15a8b20ef328cc5f0d6a052ccc/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-24 01:24:10 UTC
AV detection:
21 of 46 (45.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=65gjpvrgomabrou2rxk6n64anp6milivvcza54zizrpq22qfftga._file
Verdict:
suspicious
Similar samples:
11d175a08e1f4fc351af4e4c2c0549168d4c235a497f3bc1f278e8cb46b972e1
CoinMiner
321b8f87df4dd22bdfc9631a0d84f39b90f16cd8ea0e72f4a1f70df4b39b3468
CoinMiner
5152274dbe1cc44da156f29d1ff2858e583237bdc24ced137265cd3668ba851e
CoinMiner
608248c1ef7bab54f8a7aeffaf618187a6f20d3bc829a6c6de625e2a2a376f2b
CoinMiner
654e5fbb0f6165cdad48fd843ec274d63507133e0f27dab5b535efa1b56b0125
CoinMiner
78f958d430a4dec84e4126958d0bde722beab77f03f1ecd733ba94827997dec7
CoinMiner
8c6e8a02877680a2b503cef0b068b452221f95e68f9131a59421ca95c4339eb2
CoinMiner
a19317b14abc6d4c1294aaaeab29d0ada023dffa37025c839671c193a74fd519
CoinMiner
cfcb21c8c129c8c2c525ecfac8bd883260eda6038e3991210765e582007451dd
CoinMiner
f6a8aa29264495625e7a74ada5f3a792c06c3f9ef472e01c4761bed7d1e4ff96
CoinMiner
+ 5'777 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:vidar family:xmrig botnet:824 botnet:@rarenut0 botnet:fe582536ec580228180f270f7cb80a867860e010 backdoor discovery evasion infostealer miner persistence spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210824-nhgwnyr4k6/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
XMRig Miner Payload
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Tofsee
Vidar
Windows security bypass
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
xmrig
Malware Config
C2 Extraction:
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
https://eduarroma.tumblr.com/
185.230.143.48:14462
Unpacked files
SH256 hash:
0a9a7acf77fe4f890fe2acf761fa7f369418bb1f733504acd0792f589ccc7b15
MD5 hash:
ad94a86355be2ad9348b88e8972e8320
SHA1 hash:
8c7ff71739a5194efc5c7bee9c37ad92a9e72646
Link:
https://www.unpac.me/results/05985605-5194-4992-9d97-bbe827b11489/
SH256 hash:
f74c97d626730018ba9a8dd5e6fb806bfcc42d15a8b20ef328cc5f0d6a052ccc
MD5 hash:
df466035296d8df2cf390c3a291caebb
SHA1 hash:
34c423a440f0cd520e2208cdfc3624c87f6e1729
Link:
https://www.unpac.me/results/05985605-5194-4992-9d97-bbe827b11489/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f74c97d62673/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f74c97d626730018ba9a8dd5e6fb806bfcc42d15a8b20ef328cc5f0d6a052ccc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe f74c97d626730018ba9a8dd5e6fb806bfcc42d15a8b20ef328cc5f0d6a052ccc

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1558724/
Cape
Cape
https://www.capesandbox.com/analysis/181675/

Comments


Avatar
zbet commented on 2021-08-24 01:23:12 UTC

url : hxxp://privacytoolz123foryou.xyz/downloads/toolspab2.exe