MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31f252898ace9fc5e4bccf183ef98c71a3f583dbfd637a64642c74e0490f5446. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31f252898ace9fc5e4bccf183ef98c71a3f583dbfd637a64642c74e0490f5446
SHA3-384 hash: 82263a7368f70bb091f2e79a30b9ec3ce4186bc18f5c62d92db06386a55ad9ef7c35494518431010c2ed88019362d485
SHA1 hash: 85d6eb512fa07293548445f8236a90988e5b8459
MD5 hash: 4a0f69778cc534fc4ed63bc5e4bc946c
humanhash: apart-quebec-missouri-mexico
File name:4a0f69778cc534fc4ed63bc5e4bc946c.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'534'408 bytes
First seen:2021-11-14 07:21:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 15aeac4aa1d11f9ad3fc4c4ac7bb9468 (58 x RedLineStealer, 5 x RaccoonStealer, 3 x CoinMiner)
ssdeep 24576:SpVceVnh84bciPmM1QIOHd60hsTOJHpAxMELqPvynfr+8Z4p2fODkqkEaHNYK3pQ:SjZVn+4bc/MUQ0hqWHOpf9Ze2pqNafLW
Threatray 150 similar samples on MalwareBazaar
TLSH T1D86533FE920F3E47EA0925303DB49FC958DE45BFA6D0939CC51C58406EF84A2A88957F
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205625/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Trojan.Generic-9907417-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Connection attempt
Sending a custom TCP request
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a process with a hidden window
Sending an HTTP GET request
Sending an HTTP POST request
Delayed reading of the file
Connection attempt to an infection source
Sending a TCP request to an infection source
Launching the process to change network settings
Launching a service
Creating a file in the Windows subdirectories
Creating a file in the system32 subdirectories
Stealing user critical data
Query of malicious DNS domain
Blocking Windows Firewall launch
Firewall traversal
Enabling autorun for a service
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6190b91f3edf00a722d34637/reports/94dd7bf4-e800-4811-bcfa-078fba143256/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/63bdfc79-0986-4621-95f8-273625bbac98
Result
Threat name:
RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888848
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Windows Crypto Mining Indicators
Sigma detected: Xmrig
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 521319 Sample: SAlxtNmHFR.exe Startdate: 14/11/2021 Architecture: WINDOWS Score: 100 88 gtm-cn-4590x3tmp01.gtm-a2b4.com 47.91.67.36, 49796, 49800, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 2->88 90 gtm-cn-4590x3tmp05.gtm-a2b4.com 47.91.89.199, 49801, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 2->90 92 4 other IPs or domains 2->92 114 Sigma detected: Xmrig 2->114 116 Malicious sample detected (through community Yara rule) 2->116 118 Multi AV Scanner detection for dropped file 2->118 120 8 other signatures 2->120 11 SAlxtNmHFR.exe 2->11         started        14 System.exe 2->14         started        signatures3 process4 dnsIp5 140 Query firmware table information (likely to detect VMs) 11->140 142 Tries to detect sandboxes and other dynamic analysis tools (window names) 11->142 144 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 11->144 154 4 other signatures 11->154 18 AppLaunch.exe 15 8 11->18         started        23 WerFault.exe 23 9 11->23         started        110 iplogger.org 14->110 112 bitbucket.org 14->112 86 C:\ProgramData\Systemd\old.exe (copy), PE32+ 14->86 dropped 146 Multi AV Scanner detection for dropped file 14->146 148 May check the online IP address of the machine 14->148 150 Machine Learning detection for dropped file 14->150 152 Adds a directory exclusion to Windows Defender 14->152 25 conhost.exe 14->25         started        file6 signatures7 process8 dnsIp9 94 45.67.231.218, 49756, 7527 SERVERIUS-ASNL Moldova Republic of 18->94 96 cdn.discordapp.com 162.159.130.233, 443, 49766, 49768 CLOUDFLARENETUS United States 18->96 98 192.168.2.1 unknown unknown 18->98 58 C:\Users\user\AppData\Local\Temp\ssehub.exe, PE32 18->58 dropped 60 C:\Users\user\AppData\Local\Temp\Zenar.exe, PE32+ 18->60 dropped 130 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->130 132 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->132 134 Tries to harvest and steal browser information (history, passwords, etc) 18->134 136 Tries to steal Crypto Currency Wallets 18->136 27 Zenar.exe 39 18->27         started        32 ssehub.exe 2 18->32         started        62 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 23->62 dropped file10 signatures11 process12 dnsIp13 104 iplogger.org 5.9.162.45, 443, 49772, 49773 HETZNER-ASDE Germany 27->104 106 bitbucket.org 104.192.141.1, 443, 49769, 49774 AMAZON-02US United States 27->106 108 3 other IPs or domains 27->108 76 C:\ProgramData\UpSys.exe, PE32+ 27->76 dropped 78 C:\ProgramData\Systemd\xmrig.exe, PE32+ 27->78 dropped 80 C:\ProgramData\MicrosoftNetwork\System.exe, PE32+ 27->80 dropped 82 C:\Users\user\AppData\Local\...\UpSys[1].exe, PE32+ 27->82 dropped 156 Multi AV Scanner detection for dropped file 27->156 158 May check the online IP address of the machine 27->158 160 Machine Learning detection for dropped file 27->160 164 2 other signatures 27->164 34 xmrig.exe 27->34         started        38 powershell.exe 27->38         started        40 conhost.exe 27->40         started        84 C:\Users\user\AppData\Local\...\ssehub.tmp, PE32 32->84 dropped 162 Obfuscated command line found 32->162 42 ssehub.tmp 3 13 32->42         started        file14 signatures15 process16 dnsIp17 100 51.254.84.37, 443, 49787, 49795 OVHFR France 34->100 102 pool.minexmr.com 34->102 122 Antivirus detection for dropped file 34->122 124 Multi AV Scanner detection for dropped file 34->124 126 Query firmware table information (likely to detect VMs) 34->126 128 Uses netsh to modify the Windows network and firewall settings 38->128 45 conhost.exe 38->45         started        47 UpSys.exe 38->47         started        49 netsh.exe 38->49         started        74 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 42->74 dropped 51 ssehub.exe 42->51         started        file18 signatures19 process20 file21 64 C:\Users\user\AppData\Local\...\ssehub.tmp, PE32 51->64 dropped 138 Obfuscated command line found 51->138 55 ssehub.tmp 51->55         started        signatures22 process23 file24 66 C:\Users\user\...\libutiff-2.dll (copy), PE32 55->66 dropped 68 C:\Users\user\...\liborc-0.7-0.dll (copy), PE32 55->68 dropped 70 C:\Users\user\...\libopenz3.dll (copy), PE32 55->70 dropped 72 18 other files (none is malicious) 55->72 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/31f252898ace9fc5e4bccf183ef98c71a3f583dbfd637a64642c74e0490f5446/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-11 14:49:44 UTC
AV detection:
22 of 44 (50.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1d1ad9014ce8356b997ff90266f50fb3314d7135e4cc9832128ebfa49f5b8aec
CoinMiner
2f2cfbcafd48754c5a305fab8483db6741c8fb82e7cf5fb523453ee773669bed
CoinMiner
4c08d306d3272e38e7e592e6dd2f269ab79d9e375dbf2bc5911cadd10fb5755e
CoinMiner
8466ebd35658644d4c289191e1341b8900bb021196fae0b82fbba7d8a74a3073
CoinMiner
8814614df44496c1fedda481b646d666a99b3ddd34353e04cb5a0f374ad93e25
CoinMiner
8d5a44287fea225aaf7aec78fa9591560d448e8813e6c70315496889a8e78fc3
CoinMiner
e7d90e82ce6b6d2233f2afd0cbd1d7256497d5c4020b903d40a25b153dc9cfb5
CoinMiner
+ 140 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:xmrig evasion infostealer miner persistence spyware trojan
Link:
https://tria.ge/reports/211114-h69c9adadr/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
Modifies security service
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
xmrig
Unpacked files
SH256 hash:
76bc7c4b0cd4538c417e2fa8966f9d808c04301c3dd66c197e2a6a3c74118803
MD5 hash:
dccabc46a26cd32aba640e7d5bca6321
SHA1 hash:
5cc3dad7c25647a083acbb49decefe7cf6c2ca0d
Link:
https://www.unpac.me/results/ca293fe3-e51a-413e-872f-56c593a73c32/
SH256 hash:
31f252898ace9fc5e4bccf183ef98c71a3f583dbfd637a64642c74e0490f5446
MD5 hash:
4a0f69778cc534fc4ed63bc5e4bc946c
SHA1 hash:
85d6eb512fa07293548445f8236a90988e5b8459
Link:
https://www.unpac.me/results/ca293fe3-e51a-413e-872f-56c593a73c32/
Malware family:
XMRIG
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/31f252898ace/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 31f252898ace9fc5e4bccf183ef98c71a3f583dbfd637a64642c74e0490f5446

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1783588/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/205625/

Comments