MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc576ede17e81cc2d5229f3a8ff900df35ba9c46fef5c67c8bb0fbb83f418b3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc576ede17e81cc2d5229f3a8ff900df35ba9c46fef5c67c8bb0fbb83f418b3e
SHA3-384 hash: 4ab4c75b76ef488b901439cf3b0d48f56821646c283fedadab67fb6ec26bbaa22e4297e9f9589ee0e3d85854e87f462f
SHA1 hash: 43d8c9a641e799fa45b78dd7569ef1e9e3530c3c
MD5 hash: a81924b825d4e4102afe7226524bef14
humanhash: edward-xray-two-princess
File name:a81924b825d4e4102afe7226524bef14.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:303'616 bytes
First seen:2021-09-14 13:50:58 UTC
Last seen:2021-09-14 14:56:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bc3c24d38199605fb20a769c182fe6bd (1 x CoinMiner, 1 x Tofsee)
ssdeep 6144:pMQura60rAZcTpxXwIPezMycrvLcxbbe4:e8LrAZcnwgezErQP
Threatray 8'889 similar samples on MalwareBazaar
TLSH T16A549E30B7A0C035F5BB11F459B997BCA92D7AB15B3060CB66D51AEE46386E4EC30387
dhash icon e8e8e8e8aa62a499 (21 x RaccoonStealer, 11 x ArkeiStealer, 4 x RedLineStealer)
Reporter abuse_ch
Tags:CoinMiner exe


Avatar
abuse_ch
CoinMiner C2:
http://94.250.251.116/php/Servertrace/cutprogramcutlimit/message/databin/searcherphpphpsupport/systemprogramWar/gamecoreantimessage/limit/Linegeo.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.250.251.116/php/Servertrace/cutprogramcutlimit/message/databin/searcherphpphpsupport/systemprogramWar/gamecoreantimessage/limit/Linegeo.php https://threatfox.abuse.ch/ioc/221656/

Intelligence

File Origin
# of uploads :
2
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a81924b825d4e4102afe7226524bef14.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-14 13:52:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/500a54e6-81ec-49bb-a083-4814611c5415

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187834/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.20687.6394.21771.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61750fd7db358dd15ed92283/reports/7ab78e02-ac32-4a1b-a86a-5a480f69f00c/overview
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/26213cd9-c599-4fe9-86ca-6cb016ee83ef
Result
Threat name:
DCRat Raccoon RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850737
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to download HTTP data from a sinkholed server
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected DCRat
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 483168 Sample: i3UmAT06iE.exe Startdate: 14/09/2021 Architecture: WINDOWS Score: 100 97 94.250.251.116, 49840, 80 THEFIRST-ASRU Russian Federation 2->97 99 telete.in 2->99 101 10 other IPs or domains 2->101 121 Tries to download HTTP data from a sinkholed server 2->121 123 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->123 125 Multi AV Scanner detection for domain / URL 2->125 127 16 other signatures 2->127 11 i3UmAT06iE.exe 2->11         started        14 wactrec 2->14         started        16 qgggvmsk.exe 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 171 Detected unpacking (changes PE section rights) 11->171 173 Contains functionality to inject code into remote processes 11->173 175 Injects a PE file into a foreign processes 11->175 21 i3UmAT06iE.exe 11->21         started        177 Machine Learning detection for dropped file 14->177 24 wactrec 14->24         started        179 Detected unpacking (overwrites its own PE header) 16->179 181 Writes to foreign memory regions 16->181 183 Allocates memory in foreign processes 16->183 26 svchost.exe 16->26         started        103 127.0.0.1 unknown unknown 18->103 105 192.168.2.1 unknown unknown 18->105 signatures6 process7 dnsIp8 161 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->161 163 Maps a DLL or memory area into another process 21->163 165 Checks if the current machine is a virtual machine (disk enumeration) 21->165 29 explorer.exe 9 21->29 injected 167 Creates a thread in another existing process (thread injection) 24->167 107 microsoft-com.mail.protection.outlook.com 40.93.207.0, 25, 49817 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->107 109 defeatwax.ru 193.56.146.188, 443, 49821 LVLT-10753US unknown 26->109 169 System process connects to network (likely due to code injection or exploit) 26->169 signatures9 process10 dnsIp11 115 193.56.146.41, 49799, 9080 LVLT-10753US unknown 29->115 117 leventcastajanslari.bykmedya.com 31.192.214.222, 49838, 80 NETINTERNETNetinternetBilisimTeknolojileriASTR Turkey 29->117 119 21 other IPs or domains 29->119 89 C:\Users\user\AppData\Roaming\wactrec, PE32 29->89 dropped 91 C:\Users\user\AppData\Local\Temp\9131.exe, PE32 29->91 dropped 93 C:\Users\user\AppData\Local\Temp\8411.exe, PE32 29->93 dropped 95 2 other malicious files 29->95 dropped 185 System process connects to network (likely due to code injection or exploit) 29->185 187 Benign windows process drops PE files 29->187 189 Performs DNS queries to domains with low reputation 29->189 191 2 other signatures 29->191 34 9131.exe 2 29->34         started        38 7952.exe 29->38         started        40 8940.exe 29->40         started        42 6 other processes 29->42 file12 signatures13 process14 dnsIp15 77 C:\Users\user\AppData\Local\...\qgggvmsk.exe, PE32 34->77 dropped 129 Detected unpacking (changes PE section rights) 34->129 131 Detected unpacking (overwrites its own PE header) 34->131 133 Machine Learning detection for dropped file 34->133 151 2 other signatures 34->151 45 cmd.exe 34->45         started        48 cmd.exe 34->48         started        50 sc.exe 34->50         started        61 3 other processes 34->61 135 Injects a PE file into a foreign processes 38->135 52 7952.exe 38->52         started        137 Query firmware table information (likely to detect VMs) 40->137 139 Tries to detect sandboxes and other dynamic analysis tools (window names) 40->139 141 Hides threads from debuggers 40->141 143 Tries to detect sandboxes / dynamic malware analysis system (registry check) 40->143 55 conhost.exe 40->55         started        111 94.158.245.117, 49831, 80 MIVOCLOUDMD Moldova Republic of 42->111 113 telete.in 195.201.225.248, 443, 49805, 49809 HETZNER-ASDE Germany 42->113 79 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 42->79 dropped 81 C:\Users\user\AppData\...\ucrtbase.dll, PE32 42->81 dropped 83 C:\Users\user\AppData\...\softokn3.dll, PE32 42->83 dropped 85 3 other files (none is malicious) 42->85 dropped 145 Antivirus detection for dropped file 42->145 147 Multi AV Scanner detection for dropped file 42->147 149 Tries to harvest and steal browser information (history, passwords, etc) 42->149 57 8411.exe 2 42->57         started        59 conhost.exe 42->59         started        63 2 other processes 42->63 file16 signatures17 process18 file19 87 C:\Windows\SysWOW64\...\qgggvmsk.exe (copy), PE32 45->87 dropped 65 conhost.exe 45->65         started        67 conhost.exe 48->67         started        69 conhost.exe 50->69         started        153 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 52->153 155 Maps a DLL or memory area into another process 52->155 157 Checks if the current machine is a virtual machine (disk enumeration) 52->157 159 Creates a thread in another existing process (thread injection) 52->159 71 conhost.exe 61->71         started        73 conhost.exe 61->73         started        75 conhost.exe 61->75         started        signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc576ede17e81cc2d5229f3a8ff900df35ba9c46fef5c67c8bb0fbb83f418b3e/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2021-09-14 13:51:13 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7rlw5xqx5aomfvjct45i76ia3423vhcg7324m7elwd53qp2brm7a._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
03d23ad7ab07c264aa23794c51236157641a98f8a6b40dc063e3403e831b967b
CoinMiner
091ee9a9dd7f5501d96e04c9d7cfda6bb6cf3cdcb308f2ef293c123f675d56a7
CoinMiner
19e1615b05d89f0268b47c11407aa8023a65d704dadba3660557d81dd3e507cb
CoinMiner
3c2557c292a2e3a61a85cd44f45f8f3998fd16db3e5e523353eac61a879f726a
CoinMiner
75114eeae6429f297193678413f5523eea5e25474745d3c9f29f3a519143a3f3
CoinMiner
80f0607db29814c032dd81fabf31e3c7e1134c5cf9fde17d639556381d5299d3
CoinMiner
8544f85e040d93d38c12d4c096607ee4eabdd17feeec444d0b9d4b633ba3d193
CoinMiner
88bea616209dfb7515186c71ef3555315eae375e4bf1fdff5267aea751323ae6
CoinMiner
d5c5a22d496c874ed4da5e38cae2c72cc94bc9238e9385f05e7c0b11b87ff35a
CoinMiner
dba5e6264deed1c0d630810ce0ba5931e442398ab117ab551f05e77d69613bfb
CoinMiner
+ 8'879 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor suricata trojan
Link:
https://tria.ge/reports/210914-q5s9msagfj/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
SmokeLoader
suricata: ET MALWARE Known Sinkhole Response Header
Malware Config
C2 Extraction:
http://fazanaharahe1.xyz/
http://xandelissane2.xyz/
http://ustiassosale3.xyz/
http://cytheriata4.xyz/
http://ggiergionard5.xyz/
http://rrelleynaniy6.store/
http://danniemusoa7.store/
http://nastanizab8.store/
http://onyokandis9.store/
http://dmunaavank10.store/
http://gilmandros11.site/
http://cusanthana12.site/
http://willietjeana13.site/
http://ximusokall14.site/
http://blodinetisha15.site/
http://urydiahadyss16.club/
http://glasamaddama17.club/
http://marlingarly18.club/
http://alluvianna19.club/
http://xandirkaniel20.club/
Unpacked files
SH256 hash:
00f084577498574656aee0e4ce71090d1127e61b121ded642095d8abafa8faad
MD5 hash:
1ebf9a8027fe82a4416188d52ee12a8c
SHA1 hash:
b78dd61046152043e8a4c7a4b144d7d94c9c0867
Link:
https://www.unpac.me/results/a5bc6eaa-2c3d-4bf8-9b74-2af4a52f2ff3/
SH256 hash:
fc576ede17e81cc2d5229f3a8ff900df35ba9c46fef5c67c8bb0fbb83f418b3e
MD5 hash:
a81924b825d4e4102afe7226524bef14
SHA1 hash:
43d8c9a641e799fa45b78dd7569ef1e9e3530c3c
Link:
https://www.unpac.me/results/a5bc6eaa-2c3d-4bf8-9b74-2af4a52f2ff3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fc576ede17e8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc576ede17e81cc2d5229f3a8ff900df35ba9c46fef5c67c8bb0fbb83f418b3e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe fc576ede17e81cc2d5229f3a8ff900df35ba9c46fef5c67c8bb0fbb83f418b3e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1612961/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/187834/

Comments