MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bd102ddc0e618d91a7adc3f3fb92fcfb258680f11b904bb129f5f2f918dcc5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner
Vendor detections: 7

SHA256 hash: 2bd102ddc0e618d91a7adc3f3fb92fcfb258680f11b904bb129f5f2f918dcc5f
SHA3-384 hash: 5e887809c9df34c919c09fad3369b29ba3d3aa51d77236dfcc2ac1cb717f9ae8226d2298abaf062d7f33736a6d63c95d
SHA1 hash: 3eea91298e19f0a4c33d7b52e2b06e477235aa6f
MD5 hash: eb2f5e1b8f818cf6a7dafe78aea62c93
humanhash: seven-uncle-nevada-king
File name: x86_64
Signature: CoinMiner
File size: 2'365'680 bytes
First seen: 2022-01-20 20:01:41 UTC
Last seen: 2022-01-20 22:10:49 UTC
File type: elf
MIME type: application/x-sharedlib
ssdeep: 49152:PYprFGudeOr5G5WvRNLinGPOZby+XzvBTlC95L0ATpo7QGXN0Zy:PdudeVEvRNWGPYby+LBQAATOQvZy
TLSH: T1C5B533CA079B5B5AE3429E3F5B5173B2BBCCD5105DD528435267A869E03AEF83A0E031
Reporter: Anonymous
Tags: CoinMiner, elf

Intelligence

File Origin
# of uploads: 2
# of downloads: 192
Origin country: n/a

Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug

Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: true
Architecture: x86
Packer: UPX
Botnet: unknown
Number of open files: 213
Number of processes launched: 81
Processes remaining?: true
Remote TCP ports scanned: not identified
Behaviour: Anti-VM; Process Renaming
Botnet C2s
TCP botnet C2(s): 198.23.214.117:8080
UDP botnet C2(s): not identified

Result
Verdict: MALICIOUS

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad.mine
Score: 88 / 100
Signature
Antivirus / Scanner detection for submitted sample
Detected Stratum mining protocol
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Searches for CPU information (likely indicative for DDoS capability)
Tries to load the MSR kernel module used for reading/writing to CPU model specific registers
Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher)
Behaviour
Behavior Graph (ID 557227; sample: x86_64; start date: 20/01/2022; architecture: LINUX; score: 88)

Threat name: Linux.Coinminer.BitCoinMiner
Status: Malicious
First seen: 2021-11-14 22:03:39 UTC
File Type: ELF64 Little (SO)
AV detection: 23 of 43 (53.49%)
Threat level: 4/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Modifies data under HKEY_USERS
Sets service image path in registry
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: elf
SHA256: 2bd102ddc0e618d91a7adc3f3fb92fcfb258680f11b904bb129f5f2f918dcc5f (this sample)
Distributed via web download

Comments