MAR-10322463.r3.v1
Malware Characterization
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.
US-CERT
2021-02-11T10:59:06-05:00
BMachine
134
7.1.0
\AppData\Local\Temp\{82E4B719-90F7-4BD1-9CF1-56CD777E0C42}" folder, which will be executed by "UnionCryptoTraderSetup.exe" and deleted after it successfully completes the installation.
UnionCryptoSetup.exe
30330443
PE32 executable (GUI) Intel 80386, for MS Windows
MD5
24b3614d5c5e53e40b42b4e057001770
SHA1
b040433fb50d679b2e287d7fcc1667a415fb60b0
SHA256
e3623c2440b692f6b557a862719dc95f41d2e9ad7b560e837d3b59bfe4b8b774
SHA512
55e9c7f59189e395b6b348d9fa8b4b907d0cedd790a33603a49ac857f5a07b205f8787fab0c7a9954e992852e6e5090f3cbf2243e86bb2546bd5628619648d87
SSDEEP
786432:Dj2fi5nBGPBMNekleUtOaZ13vcdkIXX0kfp:+65AP+QAeUtOKvc+c0kR
Microsoft Visual C++ ?.?
7.984564
6
2018-09-20 09:08:01-04:00
1024
MD5
566abfd43bde6dda239bf28ac9b087ae
2.960546
UnionCrypto Co.Ltd
Union Crypto Trader
1.0.23.474
UnionCryptoTraderSetup.exe
© UnionCrypto Corporation. All Rights Reserved.
UnionCryptoTraderSetup.exe
Union Crypto Trader
1.0.23.474
.text
608256
6.539792
MD5
764b34cabee1111c9e11c8f836aebafb
.rdata
189440
4.588598
MD5
7989312225f01ce65374248a3e73a557
.data
10240
4.418143
MD5
1ac52732b5e747734a833e523cd8f27f
.rsrc
434688
6.3405
MD5
3afae9bb129e782e05f70b3416946646
.reloc
162816
2.478756
MD5
d11bf51446bb40b38f82ba6ce1f57dc4
Contains
unioncrypto.vip
Downloaded_To
Downloaded_To
Characterized_By
Related_To
Related_To
Related_To
hxxps[:]//unioncrypto.vip/update
hxxps[:]//www[.]unioncrypto.vip/download/W6c2dq8By7luMhCmya2v97YeN
Whois for unioncrypto.vip had the following information on December 8, 2019:
Registrar: NameCheap
Created: June 5, 2019
Expires: June 5, 2020
Updated: June 5, 2019
Figure 1
\AppData\Local\UnionCryptoTrader" folder. Immediately after installation, the installer launches "UnionCryptoUpdater.exe."
UnionCryptoTrader.msi
14634496
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Union Crypto Trader, Comments: Contact: Your local administrator, Keywords: Installer, Subject: Smart Cryptocurrency Arbitrage Trading Platform, Author: UnionCryptoTrader, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2018 - Premier Edition with Virtualization Pack 24, Last Saved Time/Date: Tue Aug 6 23:59:58 2019, Create Time/Date: Tue Aug 6 23:59:58 2019, Last Printed: Tue Aug 6 23:59:58 2019, Revision Number: {44311F94-C85D-4688-996A-4888F2D32062}, Code page: 1252, Template: x64;1033
MD5
0f03ec3487578cef2398b5b732631fec
SHA1
349fb7c922fba6da4bf5c2a3a9e0735f11068dac
SHA256
af4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49
SHA512
f2aa24d96daf090f3a29b5536f3ce0a9a59171b7fdb85887bc32ea6c5305e5ee03153b2c402399dd05a28d6fa90a3e979cc8153fd69686b5bbbb4ec199b8f2b3
SSDEEP
393216:zDea98QM1lKTmbHJdgXuUSCve2TN4ksIVVYlm6j8ziFS:XeanAKTuHbd9Ye2qpj8Og
7.948615
Characterized_By
Contained_Within
Contains
Contains
Figure 2
UnionCryptoTrader.exe
1286144
PE32+ executable (GUI) x86-64, for MS Windows
MD5
46b3061fe981d0a5edfd8d55f75adf9f
SHA1
514263acf79aeb49d87192ae08f6c76854cdda12
SHA256
0967d2f122a797661c90bc4fc00d23b4a29f66129611b4aa76f62d8a15854d36
SHA512
38418a2f3a8870352d8a88d6fb48e2c93a35b48a559590beb12c7c507eadfd07bf087ea11e822fc3e7bc9d6710b17cb68c416ffcf87a787ed9428f2c6b56413e
SSDEEP
24576:fnrKym9OWCy0frP+1obeVbK8KW/TJ9+FCPjjcym8MUml:fnrKb9OWCy0q1obeVbPKW/TKcjlmhUml
Microsoft Visual C++ 8.0 (DLL)
6.41453
9
2019-08-06 21:22:00-04:00
1024
MD5
8a496cd41319fdb127a000e7a43bdfd4
3.518197
UnionCrypto Co.Ltd
Union Crypto Trader
1.0.23.474
UnionCryptoTrader.exe
© UnionCrypto Corporation. All rights reserved.
UnionCryptoTrader.exe
Union Crypto Trader
1.00.0000
.text
878080
6.431878
MD5
686f2fe8e51a4327d3e25e937c5eb1cc
.rdata
230912
5.566823
MD5
8f5b24579aaf7ecbc95b26614cf51e8c
.data
15360
4.052861
MD5
91b3d6678654de37caa94b211aae696e
.pdata
41472
6.082142
MD5
af667013369aea1785ada0e5442bcf07
.gfids
512
0.31781
MD5
aced93d352d733478dc51a779aef0c62
.tls
512
0.020393
MD5
1f354d76203061bfdd5a53dae48d5435
.rsrc
113664
3.831914
MD5
285d8a234d06cfb54adffe2eb077a2fe
.reloc
4608
5.365584
MD5
241aeb18e88145608a8b273404896f72
Characterized_By
Contained_Within
Figure 3
UnionCryptoUpdater.exe
161280
PE32+ executable (console) x86-64, for MS Windows
MD5
629b9de3e4b84b4a0aa605a3e9471b31
SHA1
1ef0e1cabd344726b663cec8d9e68f147259da55
SHA256
01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f
SHA512
c70abbe52cbbed220fee218664d1c5f4313bd5387de11c275aa31115e90328dac032c6138954f3931c7d134e8613ad6c278ed29d78c0dc8199a1433b1a106132
SSDEEP
3072:Q/MdytyORF471FiHNkwBFTdpSI94e1ZVypzCG9n7r:Q/ftvF471AHNFjdYIZOt
Microsoft Visual C++ 8.0 (DLL)
6.192246
8
2019-08-06 22:00:26-04:00
1024
MD5
9b73650178bdd95af246609c1b650253
3.045187
UnionCrypto Co.Ltd
Union Crypto Trading Updater
1.0.23.474
unioncryptoupdater.exe
© UnionCrypto Corporation. All rights reserved.
unioncryptoupdater.exe
Union Crypto Trading Updater
1.0.23.474
.text
98816
6.45285
MD5
ac3f61418ff1daa9142e2304a647c2aa
.rdata
48128
5.088494
MD5
cc2de13f05d38702ac9a560e450ab54a
.data
3072
2.234569
MD5
20ef8fb99461ca48fe9ed26ffb4cc26c
.pdata
6144
5.155358
MD5
abf07cda1f35bf5fe4a9ac21de63f903
.gfids
512
1.857174
MD5
3eab486bdf211a98334f08a5145dbf94
.rsrc
1536
3.943344
MD5
c9ab77353b20e3b22c344b60c8859d56
.reloc
2048
4.924725
MD5
a9cd219d9ad71f6c2c60efc1308885c8
Characterized_By
Downloaded
Contained_Within
Characterized_By
Characterized_By
Characterized_By
Characterized_By
Characterized_By
Figure 4
Figure 5
Figure 6
Figure 7
Figure 8
Figure 9
NodeDLL.dll
537616
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5
549db64ceaebbbdd9068d761cb5c616c
SHA1
6d91ce7b9f38e2316aa9fb50ececc02eadc4cd70
SHA256
755bd7a3765efceb8183ffade090ef2637a85c4505f8078dda116013dd5758f3
SHA512
0281257ad97e0765b57d29bb22fe9973f4ad5c42a93762eda1b12e71f78d02155fe32eda4ccd4acadbfccf61563175c28c520df5b631698573422048dce6a8c0
SSDEEP
12288:FOvSQSQs75paRGK9EovEfM9NosCz4jcauwVyZE19QLC:Mv0VpkGYvI6NAz4j5LV6+
6.433002
8
2019-10-21 12:33:45-04:00
1024
MD5
41f1664ee936eb5e9c5a402b9f791086
3.215046
.text
393728
6.418398
MD5
d7c3e5262e243bfd078cc689c0dcc509
.rdata
115200
5.560875
MD5
0155d4e1f35b8f139d07993866f1e2f6
.data
3584
2.251912
MD5
67b68408aebc7de9f6019e94ab5cf2ce
.pdata
20480
5.768325
MD5
809c1804672ec420bb9f366f30b025fb
.gfids
512
1.995088
MD5
7eb4b39b296be7f4de3339727d0f1eb0
.rsrc
512
4.724729
MD5
28984c1ba2156023b894e0041ecd2479
.reloc
2560
5.180527
MD5
1c7de4ac5824c7b888e15c611cb69191
Downloaded_By
Downloaded_From
Connected_To
216.189.150.185
Related_To
Related_To
Related_To
Connected_From
8080
TCP
216.189.150.185:8080/push.jsp
Queried whois.arin.net with "n 216.189.150.185"...
NetRange: 216.189.144.0 - 216.189.159.255
CIDR: 216.189.144.0/20
NetName: HOSTUS-IPV4-3
NetHandle: NET-216-189-144-0-1
Parent: NET216 (NET-216-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS7489, AS25926
Organization: HostUS (HOSTU-4)
RegDate: 2014-08-29
Updated: 2015-12-29
Comment: Please send all abuse reports to abuse@hostus.us
Ref: https://rdap.arin.net/registry/ip/216.189.144.0
OrgName: HostUS
OrgId: HOSTU-4
Address: 125 N Myers St
City: Charlotte
StateProv: NC
PostalCode: 28202
Country: US
RegDate: 2013-07-26
Updated: 2019-10-23
Comment: IP addresses from this network are further reallocated or assigned to customers.
Comment: Please send all abuse reports to abuse@hostus.us.
Comment: Abuse reports must be submitted through email with the IP address in title.
Ref: https://rdap.arin.net/registry/entity/HOSTU-4
OrgNOCHandle: HOSTU2-ARIN
OrgNOCName: HostUS Tech
OrgNOCPhone: +1-302-300-1737
OrgNOCEmail: noc@hostus.us
OrgNOCRef: https://rdap.arin.net/registry/entity/HOSTU2-ARIN
OrgAbuseHandle: HAD18-ARIN
OrgAbuseName: HostUS Abuse Desk
OrgAbusePhone: +1-302-300-1737
OrgAbuseEmail: abuse@hostus.us
OrgAbuseRef: https://rdap.arin.net/registry/entity/HAD18-ARIN
OrgTechHandle: HOSTU2-ARIN
OrgTechName: HostUS Tech
OrgTechPhone: +1-302-300-1737
OrgTechEmail: noc@hostus.us
OrgTechRef: https://rdap.arin.net/registry/entity/HOSTU2-ARIN
UnionCryptoTrader.dmg
20911661
zlib compressed data
MD5
6588d262529dc372c400bef8478c2eec
SHA1
06d9f835efd1c05323f6a3abdf66e6be334e47c4
SHA256
2ab58b7ce583402bf4cbc90bee643ba5f9503461f91574845264d4f7e3ccb390
SHA512
4a90cd71e210662c3e21994a6af6d80f45c394b972d85ba725dc0e33721036c38b68829ca831113276cbea891fc075e1fa9911aad1fc647b0c2a2bb7a9d965cd
SSDEEP
393216:psbbiMqkRiP3p+/34QRDCLqKbNH40iBNTnz0xcECffBJrd8ur8dx3PAxC9lG:WbipIM3p+/TBvBN0xcRmur8dxIxC9l
7.997189
Downloaded_From
Characterized_By
Characterized_By
Contains
Contains
Figure 10
Figure 11
UnionCryptoTrader
1602900
Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE>
MD5
41587b0dd5104a4ee6484ff8cf47fd21
SHA1
bd41cb308913c4964aef47edafd36faa1f673717
SHA256
6f45a004ad6bb087f733feb618e115fe88164f6db9562cb9b428372c9add75f0
SHA512
efaf37208ee17967df8c435e592b2029d8e56aabd92ca989704bf7908399bf9e84b6312b928fb89907d72518ef40ae95ac6feeb1a19044231bbc60fa14cf18ec
SSDEEP
49152:2ScN8VPSplcFjsmEWe7JEANYIwErVqpxPM0:M40ltBWeFuHbE0
6.459336
Contained_Within
unioncryptoupdater
79760
Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>
MD5
da17802bc8d3eca26b7752e93f33034b
SHA1
e8f29f1e3f35a4f2c18be424551e280ed66b1dd7
SHA256
631ac269925bb72b5ad8f469062309541e1edfec5610a21eecded75a35e65680
SHA512
a32672fa780675e767e37fa1b8d186951cb934279cb416766c518a7d6f76b6521176a5055045c0af7ec1ce5f9882a952ed8761b54f9cb12587b831d9c26ea529
SSDEEP
1536:4YGnCXIbO9KBQJELi6VA2l5+r1M6JBM4YQNVZ3MpJy5TU23MpJy5Tp:3eCYK5JEBXaM6Jq4p3MpJy5Tb3MpJy5T
4.871481
Characterized_By
Characterized_By
Contained_Within
Characterized_By
Characterized_By
Characterized_By
Characterized_By
Characterized_By
Characterized_By
Characterized_By
Figure 12
Figure 13
Figure 14
Figure 15
Figure 16
Figure 17
Figure 18
Figure 19
Figure 20
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
24b3614d5c5e53e40b42b4e057001770
SHA1
b040433fb50d679b2e287d7fcc1667a415fb60b0
SHA256
e3623c2440b692f6b557a862719dc95f41d2e9ad7b560e837d3b59bfe4b8b774
NCCIC
2021-02-12T17:37:42+00:00
Malicious Domain
Domain Watchlist
unioncrypto.vip
NCCIC
2021-02-12T17:37:42+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
0f03ec3487578cef2398b5b732631fec
SHA1
349fb7c922fba6da4bf5c2a3a9e0735f11068dac
SHA256
af4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49
NCCIC
2021-02-12T17:37:42+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
46b3061fe981d0a5edfd8d55f75adf9f
SHA1
514263acf79aeb49d87192ae08f6c76854cdda12
SHA256
0967d2f122a797661c90bc4fc00d23b4a29f66129611b4aa76f62d8a15854d36
NCCIC
2021-02-12T17:37:42+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
629b9de3e4b84b4a0aa605a3e9471b31
SHA1
1ef0e1cabd344726b663cec8d9e68f147259da55
SHA256
01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f
NCCIC
2021-02-12T17:37:42+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
549db64ceaebbbdd9068d761cb5c616c
SHA1
6d91ce7b9f38e2316aa9fb50ececc02eadc4cd70
SHA256
755bd7a3765efceb8183ffade090ef2637a85c4505f8078dda116013dd5758f3
NCCIC
2021-02-12T17:37:43+00:00
Malicious IP
IP Watchlist
216.189.150.185
NCCIC
2021-02-12T17:37:43+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
6588d262529dc372c400bef8478c2eec
SHA1
06d9f835efd1c05323f6a3abdf66e6be334e47c4
SHA256
2ab58b7ce583402bf4cbc90bee643ba5f9503461f91574845264d4f7e3ccb390
NCCIC
2021-02-12T17:37:43+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
41587b0dd5104a4ee6484ff8cf47fd21
SHA1
bd41cb308913c4964aef47edafd36faa1f673717
SHA256
6f45a004ad6bb087f733feb618e115fe88164f6db9562cb9b428372c9add75f0
NCCIC
2021-02-12T17:37:43+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
da17802bc8d3eca26b7752e93f33034b
SHA1
e8f29f1e3f35a4f2c18be424551e280ed66b1dd7
SHA256
631ac269925bb72b5ad8f469062309541e1edfec5610a21eecded75a35e65680
NCCIC
2021-02-12T17:37:43+00:00
MAEC Characterization of 24b3614d5c5e53e40b42b4e057001770
Microsoft Security Essentials
Trojan:Win32/UnionCryptoTrader!ibt
Filseclab
W32.ELEX.L.erpg.mg
trojan
command-and-control
MAEC Characterization of 0f03ec3487578cef2398b5b732631fec
TrendMicro House Call
TROJ_FR.DEFD7DB1
TrendMicro
TROJ_FR.DEFD7DB1
dropper
MAEC Characterization of 629b9de3e4b84b4a0aa605a3e9471b31
McAfee
Trojan-Agent.c
K7
Trojan ( 0056425b1 )
Symantec
Trojan.Gen.2
Zillya!
Trojan.Agent.Win64.5106
BitDefender
Trojan.GenericKD.33626108
Comodo
Malware
TrendMicro House Call
TROJ_FR.DEFD7DB1
TrendMicro
TROJ_FR.DEFD7DB1
Emsisoft
Trojan.GenericKD.33626108 (B)
Avira
TR/Agent.pfpad
VirusBlokAda
Trojan.Win64.Agentb
ESET
a variant of Win64/Agent.UV trojan
NANOAV
Trojan.Win64.Mlw.icfhya
Lavasoft
Trojan.GenericKD.33626108
TACHYON
Trojan/W64.Agent.161280.C
Ikarus
Trojan.Win64.Agent
MAEC Characterization of 6588d262529dc372c400bef8478c2eec
McAfee
OSX/Nukesped.b
K7
Trojan ( 0001140e1 )
Cyren
Trojan.PXZN-6
Symantec
OSX.Trojan.Gen
Zillya!
Downloader.Agent.OSX.68
Antiy
Trojan/Mac.NukeSped
BitDefender
Trojan.MAC.Lazarus.F
Microsoft Security Essentials
Trojan:MacOS/NukeSped.C!MTB
Sophos
OSX/NukeSped-AB
TrendMicro House Call
Trojan.3657DE58
TrendMicro
Trojan.3657DE58
Emsisoft
Trojan.MAC.Lazarus.F (B)
Avira
OSX/Dldr.NukeSped.rtyrb
Ahnlab
Backdoor/OSX.Nukesped.20911661
ESET
OSX/TrojanDownloader.NukeSped.B trojan
Lavasoft
Trojan.MAC.Lazarus.F
Ikarus
Trojan-Downloader.OSX.Nukesped
backdoor
downloader
loader
MAEC Characterization of da17802bc8d3eca26b7752e93f33034b
ClamAV
Osx.Malware.Agent-7430998-0
McAfee
OSX/Lazarus.b
K7
Trojan ( 0001140e1 )
Symantec
OSX.Trojan.Gen
Zillya!
Downloader.NukeSped.OSX.6
Antiy
Trojan/Mac.NukeSped
BitDefender
Trojan.MAC.Lazarus.D
Microsoft Security Essentials
Trojan:MacOS/NukeSped.C!MTB
Sophos
OSX/Lazarus-F
TrendMicro House Call
TROJ_FR.ED65B0ED
TrendMicro
TROJ_FR.ED65B0ED
Emsisoft
Trojan.MAC.Lazarus.D (B)
Avira
OSX/Agent.hwuxh
Ahnlab
Backdoor/OSX.Nukesped.79760
ESET
OSX/TrojanDownloader.NukeSped.B trojan
NANOAV
Trojan.Mac.Download.gknigf
Lavasoft
Trojan.MAC.Lazarus.D
Quick Heal
MacOS.Trojan.39995.GC
Ikarus
Trojan-Downloader.OSX.Nukesped
10322463.r3.v1
Malicious Code
Malicious Artifact Detected