MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f963d6ed43903b4373d77c78e09e2fd0b8232290add918bbaf16cfa9ecb2f5c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 12



SHA256 hash: f963d6ed43903b4373d77c78e09e2fd0b8232290add918bbaf16cfa9ecb2f5c2
SHA3-384 hash: 1b715ffc96712f5cb79df13077c449c79566dfd9f4f0c2e3427406346533b1aa832ed105a2f637c424f676ec79278433
SHA1 hash: 553c3cb5eca4768b10811423146aabad24d0e9c7
MD5 hash: 6339e02260b081083078c65107ad8315
humanhash: artist-carolina-zebra-queen
File name: RegHost.exe
Signature: CoinMiner
File size: 7'707'648 bytes
First seen: 2022-03-14 20:58:04 UTC
Last seen: 2022-04-20 10:22:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f41bd45d825b0e2e44373b89f24d3e52 (5 x CoinMiner, 1 x CoinMiner.XMRig)
ssdeep: 196608:RRk0ozshVFpKtv3/L8YXghJvdNpB7VA9PaFhi:00oIrs/ghtphoIi
Threatray: 131 similar samples on MalwareBazaar
TLSH: T1137622AD616433A8C47AC43C45336A09F2B2B15F07B496EB73DB77413BBB990E52A704
Reporter: iam_py_test
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 275
Origin country: n/a

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: DavinciResolve17f.exe
Verdict: Malicious activity
Analysis date: 2022-03-14 20:26:56 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process

Result
Malware family: n/a
Score: 0/10
Tags: n/a
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware overlay packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: Phoenix Miner
Detection: malicious
Classification: evad.mine
Score: 96 / 100

Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Phoenix Miner

Behaviour
Behavior Graph:
[Behavior Graph ID: 589040; Sample: RegHost.exe; Startdate: 14/03/2022; Architecture: WINDOWS; Score: 96. Graph rendering not reproduced here. Nodes shown include RegHost.exe dropping a copy to C:\Users\user\AppData\Roaming\...\RegHost.exe, injection into explorer.exe, child processes bfsvc.exe, conhost.exe and curl.exe, and network contacts easyproducts.org (193.233.48.63, NETIS-ASRU, Russian Federation) and 185.137.234.33:8080 (SELECTELRU, Russian Federation).]
Threat name: Win64.Backdoor.Androm
Status: Malicious
First seen: 2022-03-14 20:59:17 UTC
File Type: PE+ (Exe)
AV detection: 17 of 27 (62.96%)
Threat level: 5/5

Result
Malware family: n/a
Score: 6/10
Tags: persistence

Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application

Unpacked files
SHA256 hash: f963d6ed43903b4373d77c78e09e2fd0b8232290add918bbaf16cfa9ecb2f5c2
MD5 hash: 6339e02260b081083078c65107ad8315
SHA1 hash: 553c3cb5eca4768b10811423146aabad24d0e9c7
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
