MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3055ea942e63fe5298d66b9b6c59c227124f96a0d52227c743c961fa82aac902. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3055ea942e63fe5298d66b9b6c59c227124f96a0d52227c743c961fa82aac902
SHA3-384 hash: a9c840e23ec9443f03edba9895f4beaaa1737a3ddf3c6c56a1b4d08f16459a1aae2e777234dbaa57d6e1fa59d4aac62a
SHA1 hash: ad114cbc38994fa952c65383983b7fdbce966b6d
MD5 hash: 51ea543c13fe8f97b1f9152fa6e0c9e7
humanhash: wyoming-jupiter-london-west
File name:51ea543c13fe8f97b1f9152fa6e0c9e7.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:6'239'232 bytes
First seen:2021-11-15 07:06:30 UTC
Last seen:2021-11-15 08:52:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:D+hoUAA6mt/cOkw09D1VxIFCeG3lEGxjRP/ody7mZoqUfJY2P6oPZw4IVX:ihlAA7t/chZVqCeG1EGF/ody7+nmv6EE
Threatray 563 similar samples on MalwareBazaar
TLSH T151563381A68C4B35EC6DD7BC4B3D15A6891AEDF66186EC0A9C7237005EC6EF34245FC4
File icon (PE):PE icon
dhash icon 00cccc969696cc00 (1 x CoinMiner)
Reporter abuse_ch
Tags:CoinMiner exe


Avatar
abuse_ch
CoinMiner C2:
136.144.41.189:12208

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
136.144.41.189:12208 https://threatfox.abuse.ch/ioc/248261/

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205763/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop8.6654.16814.14291.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file
Enabling the 'hidden' option for recently created files
Creating a window
Launching a process
Running batch commands
Sending a UDP request
DNS request
Connection attempt
Moving a recently created file
Sending a custom TCP request
Setting a global event handler
Deleting a recently created file
Replacing files
Sending an HTTP GET request
Sending an HTTP POST request
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Changing the hosts file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61920718dec3347825a4f576/reports/70f0b886-2be2-4816-a9db-4654cfaeeaab/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ac963a3b-f416-4b64-8549-52f1222f7c0d
Result
Threat name:
BitCoin Miner BitRAT RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/889609
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Mutes Antivirus updates and installments via hosts file black listing
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Schedule system process
Sigma detected: Xmrig
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected BitRAT
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 522076 Sample: pNWDPPC7GZ.exe Startdate: 15/11/2021 Architecture: WINDOWS Score: 100 95 pool.supportxmr.com 2->95 97 pool-fr.supportxmr.com 2->97 99 dontreachme.duckdns.org 2->99 111 Sigma detected: Xmrig 2->111 113 Malicious sample detected (through community Yara rule) 2->113 115 Antivirus / Scanner detection for submitted sample 2->115 117 14 other signatures 2->117 11 pNWDPPC7GZ.exe 14 10 2->11         started        16 services32.exe 2->16         started        18 svchost.exe 1 2->18         started        signatures3 process4 dnsIp5 107 cdn.discordapp.com 162.159.129.233, 443, 49745 CLOUDFLARENETUS United States 11->107 87 C:\Users\user\Documents\bitnoup.exe, PE32 11->87 dropped 89 C:\Users\user\Documents\CsGhost.exe, PE32 11->89 dropped 91 C:\Users\user\...\WindowsUpdateSheduler.exe, PE32 11->91 dropped 93 4 other malicious files 11->93 dropped 163 Detected unpacking (overwrites its own PE header) 11->163 165 Drops PE files to the document folder of the user 11->165 167 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->167 20 NotifyService.exe 11->20         started        23 bitnoup.exe 2 2 11->23         started        27 WindowsUpdateSheduler.exe 3 11->27         started        31 3 other processes 11->31 169 Writes to foreign memory regions 16->169 171 Allocates memory in foreign processes 16->171 173 Creates a thread in another existing process (thread injection) 16->173 29 conhost.exe 16->29         started        file6 signatures7 process8 dnsIp9 119 Antivirus detection for dropped file 20->119 121 Multi AV Scanner detection for dropped file 20->121 139 3 other signatures 20->139 33 conhost.exe 20->33         started        101 dontreachme.duckdns.org 136.144.41.189, 12208, 1337, 49747 WORLDSTREAMNL Netherlands 23->101 103 192.168.2.1 unknown unknown 23->103 81 C:\Users\user\...\Runtimebroker.exe (copy), PE32 23->81 dropped 83 C:\Users\user\AppData\Local:15-11-2021, HTML 23->83 dropped 123 Creates files in alternative data streams (ADS) 23->123 125 Machine Learning detection for dropped file 23->125 141 3 other signatures 23->141 85 C:\Windows\System32\drivers\etc\hosts, ASCII 27->85 dropped 127 Mutes Antivirus updates and installments via hosts file black listing 27->127 129 Uses cmd line tools excessively to alter registry or file data 27->129 131 Modifies the hosts file 27->131 133 Adds a directory exclusion to Windows Defender 29->133 105 api.ip.sb 31->105 135 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 31->135 137 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 31->137 143 2 other signatures 31->143 37 conhost.exe 31->37         started        39 conhost.exe 31->39         started        file10 signatures11 process12 file13 75 C:\Windows\System32\services32.exe, PE32+ 33->75 dropped 109 Adds a directory exclusion to Windows Defender 33->109 41 cmd.exe 33->41         started        44 cmd.exe 33->44         started        46 cmd.exe 33->46         started        77 C:\Windows\System32\services64.exe, PE32+ 37->77 dropped 48 cmd.exe 37->48         started        50 cmd.exe 37->50         started        signatures14 process15 signatures16 157 Drops executables to the windows directory (C:\Windows) and starts them 41->157 52 services32.exe 41->52         started        55 conhost.exe 41->55         started        159 Uses schtasks.exe or at.exe to add and modify task schedules 44->159 161 Adds a directory exclusion to Windows Defender 44->161 57 conhost.exe 44->57         started        59 powershell.exe 44->59         started        61 powershell.exe 44->61         started        63 schtasks.exe 46->63         started        65 conhost.exe 46->65         started        67 3 other processes 48->67 69 2 other processes 50->69 process17 signatures18 145 Writes to foreign memory regions 52->145 147 Allocates memory in foreign processes 52->147 149 Creates a thread in another existing process (thread injection) 52->149 71 conhost.exe 52->71         started        151 Drops executables to the windows directory (C:\Windows) and starts them 63->151 process19 file20 79 C:\Windows\System32\...\sihost32.exe, PE32+ 71->79 dropped 153 Drops executables to the windows directory (C:\Windows) and starts them 71->153 155 Adds a directory exclusion to Windows Defender 71->155 signatures21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3055ea942e63fe5298d66b9b6c59c227124f96a0d52227c743c961fa82aac902/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2021-11-15 07:07:07 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gbk6vfbomp7ffggwnonwywoce4je7fva2urcpr2dzfq7vavkzeba._file
Verdict:
malicious
Similar samples:
03957e1a76e380308206465031a99a1db9e7afce4b82e021f0f8f94888b791b2
CoinMiner
0e4c750ad5a103cea722035958040e4c37647afaf7699c78c235463991f1caaa
CoinMiner
4959de8067a62478d5192edb0c7822484ea3f75c643100b4c73b0165eadd8911
CoinMiner
515f555c06db60243a892bbdf57704792956569387482f6a7a001a782bb6bcd1
CoinMiner
adace11a1835d8b0b768bbb451dccf8507f5baf0c49925ff103ce1c88f0e1ba3
CoinMiner
adced62cc3699104fccf02298ae0743e49f11c51bbd6ebea524a785ec82cb5a1
CoinMiner
b84795be05902d97864db422dbdc3b93f6729aabd167195ac3a175d984d73ff7
CoinMiner
c5072b4120ac9daa3dc0e000cce9e6d6e3a1ca01fed779e0b43d877a744409cd
CoinMiner
e386c831df697e516fedcab1ad8a879ae057a5f4f321a873dcd31e9c6760009e
CoinMiner
+ 553 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:bitrat family:redline family:xmrig discovery evasion infostealer miner persistence spyware stealer trojan
Link:
https://tria.ge/reports/211115-hxm4naedcj/
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
XMRig Miner Payload
BitRAT
BitRAT Payload
RedLine
RedLine Payload
UAC bypass
xmrig
Unpacked files
SH256 hash:
0da9fd34d122db7737e8748fd3ca6b2f7a9606e52bb0168efc3c64cf2e2c4d44
MD5 hash:
80099430fb50d4c31c7ce28e2cb0fef5
SHA1 hash:
1fbaa22a5d6c76ee2d6645ec922fc449ade78581
Link:
https://www.unpac.me/results/1b987166-d738-4823-ad1b-bd12c77ea795/
SH256 hash:
b0bd0fb77c66e2d42ee063ba2832975b524e19b489402ada21ae7549125f7b9f
MD5 hash:
c386d4b6214cc52738f3e2fa6fab7c4d
SHA1 hash:
8eef856facb4426be20f84860283c66522c77dc8
Link:
https://www.unpac.me/results/1b987166-d738-4823-ad1b-bd12c77ea795/
SH256 hash:
3055ea942e63fe5298d66b9b6c59c227124f96a0d52227c743c961fa82aac902
MD5 hash:
51ea543c13fe8f97b1f9152fa6e0c9e7
SHA1 hash:
ad114cbc38994fa952c65383983b7fdbce966b6d
Link:
https://www.unpac.me/results/1b987166-d738-4823-ad1b-bd12c77ea795/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3055ea942e63/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 3055ea942e63fe5298d66b9b6c59c227124f96a0d52227c743c961fa82aac902

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1362093/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/205763/

Comments