MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ad8fc7446d7b601cd269425d9c556c73ee7b863a866bfb0e8a998355c1e898a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 13

SHA256 hash: 1ad8fc7446d7b601cd269425d9c556c73ee7b863a866bfb0e8a998355c1e898a
SHA3-384 hash: 84096861e66fe645f95fd849782e7a17c3edd8273406dc3e0559c1a9bf31e39d0b8f3adc83317a26caef5706289946ea
SHA1 hash: 9f640c5ba8423f8652474222512fce92d64ff815
MD5 hash: 6c006bd6ae5d2a1f98bf1d3028db0749
humanhash: juliet-sweet-seventeen-pasta
File name: 6c006bd6ae5d2a1f98bf1d3028db0749
Signature: CoinMiner
File size: 4'633'083 bytes
First seen: 2023-08-01 05:32:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 98304:UblAbmzu9QYWYF/ntx4ctNz6eFNf1Vf0tmYFfunfqowaA1N4v:UGwuqPktxfIeDf1Vf0pJunirarv
Threatray: 39 similar samples on MalwareBazaar
TLSH: T1A6263341FDC9A5F2DA66AD310929DB103ABCBD205B24CAABC3D8550D5E350C1B631FB7
TrID: 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
      0.6% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: zbetcheckin
Tags: 32 CoinMiner exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 299
Origin country: FR

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: a32e1510eaf70c772b81fc4e9f4c46f3
Verdict: Malicious activity
Analysis date: 2023-07-31 11:59:52 UTC
Tags: evasion redline rat trojan stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Creating a process from a recently created file
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Launching the process to change the firewall settings
Launching cmd.exe command interpreter
Adding an exclusion to Microsoft Defender
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware lolbin lolbin netsh overlay packed packed powershell replace setupapi shdocvw shell32 wscript
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Suspicious powershell command line found
Uses netsh to modify the Windows network and firewall settings
Uses nslookup.exe to query domains
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 1283524
Sample: UY7ZeZU4J1.exe
Start date: 01/08/2023
Architecture: WINDOWS
Score: 100

Sample-level signatures:
  Malicious sample detected (through community Yara rule)
  Antivirus detection for URL or domain
  Multi AV Scanner detection for dropped file
  3 other signatures

Process tree (graph node numbers in parentheses):
UY7ZeZU4J1.exe (11)
  dropped: C:\Users\user\AppData\Local\Temp\7z.exe, PE32
  dropped: C:\Users\user\AppData\Local\Temp\7z.dll, PE32
  dropped: C:\Users\user\AppData\Local\Temp\C3.bat, ASCII
  dropped: C:\Users\user\AppData\Local\Temp\4.zip, Zip
  cmd.exe (14)
    signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Adds a directory exclusion to Windows Defender
    wscript.exe (17)
      network: 192.168.2.1 unknown unknown
      signatures: Wscript starts Powershell (via cmd or directly)
      cmd.exe (23)
        signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Adds a directory exclusion to Windows Defender
        4.exe (26)
          dropped: C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+
          dropped: C:\Users\user\AppData\...\nffdqsdjqnrm.tmp, PE32+
          signatures: Multi AV Scanner detection for dropped file; Uses nslookup.exe to query domains; Writes to foreign memory regions; 4 other signatures
          nslookup.exe (36)
            network: xmr.2miners.com 162.19.139.184, ports 12222, 49695, 49697, CENTURYLINK-US-LEGACY-QWESTUS, United States
            network: moner0000f5rvt.site 31.31.196.183, ports 443, 49696, AS-REGRU, Russian Federation
            signatures: Query firmware table information (likely to detect VMs)
        powershell.exe (30)
          signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
        7z.exe (32)
          dropped: C:\Users\user\AppData\Local\Temp\4.exe, PE32+
        4 other processes (34)
          cmd.exe (40)
            WMIC.exe (48)
          cmd.exe (42)
            WMIC.exe (50)
          netsh.exe (44)
          2 other processes (46)
    conhost.exe (21)
Threat name: Win32.Trojan.DisguisedXMRigMiner
Status: Malicious
First seen: 2023-07-31 19:49:10 UTC
File Type: PE (Exe)
Extracted files: 44
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig evasion miner persistence upx
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Loads dropped DLL
UPX packed file
Modifies Windows Firewall
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SHA256 hash: a4eeee012a976d83e07453fb69792742586cba3218675679953121b135329f77
MD5 hash: b13d315eed54d24a06051019629bb521
SHA1 hash: 49e73a9952a1d06347d92b4f91c8233d827611f0
SHA256 hash: 1ad8fc7446d7b601cd269425d9c556c73ee7b863a866bfb0e8a998355c1e898a
MD5 hash: 6c006bd6ae5d2a1f98bf1d3028db0749
SHA1 hash: 9f640c5ba8423f8652474222512fce92d64ff815
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: CoinMiner
File: Executable exe 1ad8fc7446d7b601cd269425d9c556c73ee7b863a866bfb0e8a998355c1e898a (this sample)

Comments



zbet commented on 2023-08-01 05:32:12 UTC

url : hxxps://yello9erylanguage.gromovananii199.repl.co/4XR.exe