MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32dbd23da3165e24cca4714f1b822d02f7056fb7bf21e687ae5506109f223b3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32dbd23da3165e24cca4714f1b822d02f7056fb7bf21e687ae5506109f223b3f
SHA3-384 hash: 81a35a32af9cee73d844315ae76ed19b8d019ae12b8caf3f92aa5ab1d0ca0dd5e70c408f514b79f2e0c81d2f26177d14
SHA1 hash: 1d4133535b7ba2e52871ba3d84a6d03d89ea59ce
MD5 hash: 4f7a427579f50779ecf321f86e06fc29
humanhash: sixteen-timing-stream-glucose
File name:4f7a427579f50779ecf321f86e06fc29
Download: download sample
Signature CoinMiner
Create hunting rule
File size:311'976 bytes
First seen:2022-05-23 06:32:26 UTC
Last seen:2022-05-23 09:35:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7e9dac1620e7ffb8082a9dca03cc96f9 (4 x RedLineStealer, 1 x CoinMiner)
ssdeep 6144:gm1IDA6lGGSvIDgIU5BA11AO21r2ZSmuNb3WfG8kbN:VIDA6lGGSvYsOU1r2kOfCbN
Threatray 257 similar samples on MalwareBazaar
TLSH T119647D1034C18036F9771D364EE89ABD9B3C76F10B7758DB13640A6E8F24ED16A3399A
TrID 38.0% (.EXE) Win64 Executable (generic) (10523/12/4)
23.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
16.3% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.EXE) OS/2 Executable (generic) (2029/13)
7.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
377
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4f7a427579f50779ecf321f86e06fc29
Verdict:
No threats detected
Analysis date:
2022-05-23 11:22:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1aad5161-013a-4817-9479-f3cdf976b93d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/273544/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Searching for the window
Searching for many windows
Creating a file
Launching a process
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Sending a custom TCP request
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a window
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19618/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/628b2aae370bb1455cbfe773/reports/fddc94d3-a968-4bec-8044-ef51efc6cfbb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/09163b4c-8d86-453d-87a6-c120f1a83f3d
Result
Threat name:
Clipboard Hijacker, RedLine, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999572
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Contains functionality to prevent local Windows debugging
Detected Stratum mining protocol
Drops PE files to the startup folder
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 632066 Sample: 7uvkuUP9Ki Startdate: 23/05/2022 Architecture: WINDOWS Score: 100 89 Sigma detected: Xmrig 2->89 91 Malicious sample detected (through community Yara rule) 2->91 93 Antivirus detection for URL or domain 2->93 95 13 other signatures 2->95 10 7uvkuUP9Ki.exe 2 2->10         started        13 Runtime Broker 2->13         started        16 svchost.exe 2->16         started        18 Chrome updater.exe 2->18         started        process3 dnsIp4 115 Contains functionality to inject code into remote processes 10->115 117 Writes to foreign memory regions 10->117 119 Allocates memory in foreign processes 10->119 121 Injects a PE file into a foreign processes 10->121 20 RegSvcs.exe 10->20         started        23 conhost.exe 10->23         started        85 104.20.67.143, 443, 49778 CLOUDFLARENETUS United States 13->85 87 pastebin.com 13->87 25 cmd.exe 13->25         started        signatures5 process6 signatures7 97 Injects a PE file into a foreign processes 20->97 27 RegSvcs.exe 15 6 20->27         started        31 RegSvcs.exe 20->31         started        99 Encrypted powershell cmdline option found 25->99 33 conhost.exe 25->33         started        35 powershell.exe 25->35         started        process8 dnsIp9 79 ggsteal.in 104.21.26.44, 49753, 80 CLOUDFLARENETUS United States 27->79 81 192.168.2.1 unknown unknown 27->81 71 C:\Users\user\AppData\Local\...\updateed.exe, PE32 27->71 dropped 73 C:\Users\user\AppData\Local\...\updated.exe, PE32+ 27->73 dropped 37 updated.exe 4 27->37         started        42 updateed.exe 1 27->42         started        file10 process11 dnsIp12 75 pastebin.com 172.67.34.170, 443, 49763 CLOUDFLARENETUS United States 37->75 77 httpbin.org 34.197.247.180, 49772, 80 AMAZON-AESUS United States 37->77 67 C:\Users\user\AppData\...\Runtime Broker, PE32+ 37->67 dropped 69 C:\Users\user\AppData\...\WinRing0x64.sys, PE32+ 37->69 dropped 101 Multi AV Scanner detection for dropped file 37->101 103 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 37->103 105 Machine Learning detection for dropped file 37->105 113 5 other signatures 37->113 44 explorer.exe 37->44         started        48 cmd.exe 1 37->48         started        50 schtasks.exe 37->50         started        107 Writes to foreign memory regions 42->107 109 Allocates memory in foreign processes 42->109 111 Injects a PE file into a foreign processes 42->111 52 AppLaunch.exe 42->52         started        55 conhost.exe 42->55         started        file13 signatures14 process15 dnsIp16 83 pool.hashvault.pro 46.4.27.39, 49780, 80 HETZNER-ASDE Germany 44->83 123 System process connects to network (likely due to code injection or exploit) 44->123 125 Query firmware table information (likely to detect VMs) 44->125 57 conhost.exe 44->57         started        127 Encrypted powershell cmdline option found 48->127 59 powershell.exe 23 48->59         started        61 conhost.exe 48->61         started        63 conhost.exe 50->63         started        65 C:\Users\user\AppData\...\Chrome updater.exe, PE32 52->65 dropped 129 Drops PE files to the startup folder 52->129 file17 signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/32dbd23da3165e24cca4714f1b822d02f7056fb7bf21e687ae5506109f223b3f/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2022-05-23 06:33:09 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
05963059249f086c08d8487b82e08f4e6ba91ec4391484cf2bf54258aa2e6a64
CoinMiner
148e0e3a32f4e4fa38f170fcf8543177ec8aef1ab75d79821446482618e00b1b
CoinMiner
3bd15063c42b8cb1cb89f4cba984baf89e4008cdc4e994189077ebce17fcf7a6
CoinMiner
3c5c5eac09d165dcab59bcd240f337b27af6638f344c6367c0d83f50aabbdab5
CoinMiner
7605a5d355941ddf465272bd31583c254584b65b230c0fe7a93b8f887c5af3aa
CoinMiner
dabc07439793e4620f30ef38de1221fc37b00e399893823801f0e8312a1e8a76
CoinMiner
+ 247 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:xmrig infostealer miner spyware upx
Link:
https://tria.ge/reports/220523-ha7vjsbhg4/
Behaviour
Creates scheduled task(s)
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
UPX packed file
Downloads MZ/PE file
XMRig Miner Payload
RedLine
xmrig
Malware Config
C2 Extraction:
141.95.140.173:33470
Unpacked files
SH256 hash:
32dbd23da3165e24cca4714f1b822d02f7056fb7bf21e687ae5506109f223b3f
MD5 hash:
4f7a427579f50779ecf321f86e06fc29
SHA1 hash:
1d4133535b7ba2e52871ba3d84a6d03d89ea59ce
Link:
https://www.unpac.me/results/ad22bff6-c2bc-4c38-9925-48fff2f83c93/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/32dbd23da3165e24cca4714f1b822d02f7056fb7bf21e687ae5506109f223b3f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 32dbd23da3165e24cca4714f1b822d02f7056fb7bf21e687ae5506109f223b3f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2207486/
Cape
Cape
https://www.capesandbox.com/analysis/273544/

Comments


Avatar
zbet commented on 2022-05-23 06:32:30 UTC

url : hxxp://closehub.ru/files/%EF%BB%BF259_1.exe