MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3493f8a91b2cd6485a72869c482cda93cab716bd9dd0540aaff978760b6d01ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner.XMRig


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3493f8a91b2cd6485a72869c482cda93cab716bd9dd0540aaff978760b6d01ad
SHA3-384 hash: 82cc5595e9ba6c9c141571ddc20300d879b9416dcbc4e468259187dbaba270e8f80782223521aebb5348de5612e68780
SHA1 hash: 11b1b49984588707e2d05ed3958e4b8f5a97bb2c
MD5 hash: b7a0a9b286001b3a91f88a82ed4efdea
humanhash: hotel-carbon-sierra-montana
File name:FANDER_MOD V3.03.exe
Download: download sample
Signature CoinMiner.XMRig
Create hunting rule
File size:172'960 bytes
First seen:2021-10-24 17:08:44 UTC
Last seen:2021-10-24 18:12:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 1536:KfXpuCDLasejh78vIs9FtFGqvhtDc/StIoVL+ueKS58gh1RLEnXPn5mppYoRgoVf:KPpuCisefs3tFjTHMlhXEnXvkxH+TIwA
Threatray 189 similar samples on MalwareBazaar
TLSH T19CF3F6533E48F319D1813E3793CF9A1557B26AC64A328AD27F4EDE6025223523E37369
Reporter tech_skeech
Tags:CoinMiner.XMRig exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
417
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FANDER_MOD V3.03.exe
Verdict:
Malicious activity
Analysis date:
2021-10-24 17:07:20 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/a91ff5e3-69cc-413e-85a3-aba558e30d73

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/199674/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.18003.1600.30819.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Forced shutdown of a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d2ff5fa7-b1e2-4050-8399-6582bd2ea999
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/875835
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Defender Exclusion
Sigma detected: Xmrig
Tries to harvest and steal browser information (history, passwords, etc)
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 508268 Sample: FANDER_MOD V3.03.exe Startdate: 24/10/2021 Architecture: WINDOWS Score: 100 182 Sigma detected: Xmrig 2->182 184 Malicious sample detected (through community Yara rule) 2->184 186 Multi AV Scanner detection for submitted file 2->186 188 6 other signatures 2->188 14 FANDER_MOD V3.03.exe 3 2->14         started        18 services32.exe 2->18         started        20 vlc32.exe 2->20         started        process3 file4 140 C:\Users\user\...\FANDER_MOD V3.03.exe.log, ASCII 14->140 dropped 230 Writes to foreign memory regions 14->230 232 Injects a PE file into a foreign processes 14->232 22 RegAsm.exe 15 7 14->22         started        234 Multi AV Scanner detection for dropped file 18->234 236 Allocates memory in foreign processes 18->236 238 Creates a thread in another existing process (thread injection) 18->238 27 conhost.exe 18->27         started        29 conhost.exe 20->29         started        signatures5 process6 dnsIp7 154 65.108.29.210, 21638, 49720 ALABANZA-BALTUS United States 22->154 156 cdn.discordapp.com 162.159.135.233, 443, 49721 CLOUDFLARENETUS United States 22->156 136 C:\Users\user\AppData\Local\Temp\fl.exe, PE32 22->136 dropped 196 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->196 198 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 22->198 200 Tries to harvest and steal browser information (history, passwords, etc) 22->200 31 fl.exe 3 22->31         started        35 sihost32.exe 27->35         started        37 cmd.exe 27->37         started        202 Adds a directory exclusion to Windows Defender 29->202 39 cmd.exe 29->39         started        file8 signatures9 process10 file11 142 C:\Users\user\AppData\Local\Temp\work.exe, PE32+ 31->142 dropped 144 C:\Users\user\AppData\Local\Temp\vlc.exe, PE32+ 31->144 dropped 146 C:\Users\user\AppData\Local\Temp\sddo.exe, PE32+ 31->146 dropped 160 Antivirus detection for dropped file 31->160 162 Multi AV Scanner detection for dropped file 31->162 164 Adds a directory exclusion to Windows Defender 31->164 41 cmd.exe 31->41         started        43 cmd.exe 1 31->43         started        45 cmd.exe 1 31->45         started        47 cmd.exe 1 31->47         started        166 Writes to foreign memory regions 35->166 168 Allocates memory in foreign processes 35->168 170 Creates a thread in another existing process (thread injection) 35->170 50 conhost.exe 37->50         started        52 taskkill.exe 37->52         started        54 powershell.exe 39->54         started        57 conhost.exe 39->57         started        59 powershell.exe 39->59         started        signatures12 process13 dnsIp14 61 vlc.exe 41->61         started        64 conhost.exe 41->64         started        66 sddo.exe 43->66         started        68 conhost.exe 43->68         started        70 work.exe 45->70         started        72 conhost.exe 45->72         started        240 Adds a directory exclusion to Windows Defender 47->240 74 conhost.exe 47->74         started        76 powershell.exe 22 47->76         started        78 2 other processes 47->78 158 192.168.2.1 unknown unknown 54->158 signatures15 process16 signatures17 218 Multi AV Scanner detection for dropped file 61->218 220 Writes to foreign memory regions 61->220 222 Allocates memory in foreign processes 61->222 80 conhost.exe 61->80         started        224 Creates a thread in another existing process (thread injection) 66->224 84 conhost.exe 66->84         started        86 conhost.exe 70->86         started        226 Uses nslookup.exe to query domains 74->226 228 Adds a directory exclusion to Windows Defender 74->228 process18 file19 130 C:\Windows\System32\vlc32.exe, PE32+ 80->130 dropped 172 Adds a directory exclusion to Windows Defender 80->172 88 cmd.exe 80->88         started        91 cmd.exe 80->91         started        93 cmd.exe 80->93         started        132 C:\Windows\System32\services32.exe, PE32+ 84->132 dropped 95 cmd.exe 84->95         started        97 cmd.exe 84->97         started        134 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 86->134 dropped 174 Uses nslookup.exe to query domains 86->174 176 Writes to foreign memory regions 86->176 178 Modifies the context of a thread in another process (thread injection) 86->178 180 2 other signatures 86->180 99 nslookup.exe 86->99         started        signatures20 process21 dnsIp22 102 vlc32.exe 88->102         started        105 conhost.exe 88->105         started        204 Uses schtasks.exe or at.exe to add and modify task schedules 91->204 206 Adds a directory exclusion to Windows Defender 91->206 107 conhost.exe 91->107         started        117 2 other processes 91->117 119 2 other processes 93->119 208 Drops executables to the windows directory (C:\Windows) and starts them 95->208 109 services32.exe 95->109         started        111 conhost.exe 95->111         started        113 conhost.exe 97->113         started        115 schtasks.exe 97->115         started        148 104.140.201.42, 49762, 5555 EONIX-COMMUNICATIONS-ASBLOCK-62904US United States 99->148 150 pool.supportxmr.com 99->150 152 pool-nyc.supportxmr.com 99->152 210 Query firmware table information (likely to detect VMs) 99->210 signatures23 212 Detected Stratum mining protocol 148->212 process24 signatures25 121 conhost.exe 102->121         started        190 Writes to foreign memory regions 109->190 192 Allocates memory in foreign processes 109->192 194 Creates a thread in another existing process (thread injection) 109->194 124 conhost.exe 109->124         started        process26 file27 214 Adds a directory exclusion to Windows Defender 121->214 127 cmd.exe 121->127         started        138 C:\Windows\System32\...\sihost32.exe, PE32+ 124->138 dropped 216 Drops executables to the windows directory (C:\Windows) and starts them 124->216 signatures28 process29 signatures30 242 Adds a directory exclusion to Windows Defender 127->242
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3493f8a91b2cd6485a72869c482cda93cab716bd9dd0540aaff978760b6d01ad/
Threat name:
ByteCode-MSIL.Trojan.Cerbu
Create hunting rule
Status:
Malicious
First seen:
2021-10-24 17:09:05 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gsj7rki3ftleqwtsq2oeqlg2spflofv5txificvp7f4hmc3nagwq._file
Verdict:
malicious
Similar samples:
12439fc7c876b8bf881db4e97ed57827c1c4f2fd0ebccc29a4e197b19c80488b
CoinMiner.XMRig
139c83b8cf3674d992e04f9e4a047c3a7ad5279b2f6b8bf18c39603f82bca16d
CoinMiner.XMRig
2636b0f988e2d2129d014b870101be731b72d39e4f8ff12156b1b523a5c36c6a
CoinMiner.XMRig
40387bebfe97eea9c90425caf5519019dfc0e7425bb238246ec9f7bb5d621293
CoinMiner.XMRig
5665cd84b24737ab956a4b5ec54036e229c9fbda702bdef89cae4c9a27198b8d
CoinMiner.XMRig
94cbc6a1b4cc99bbfb3824eab5720009773c04a2b4e628789d7db4f824a78201
CoinMiner.XMRig
979489468d527202ce55a465799013a16fccfcc838d523707a016e064a0e85a1
CoinMiner.XMRig
b41455dfe45bf98bd2f1acec07d7a0df02a3c83e1fdecfb403df3984ab794761
CoinMiner.XMRig
fbf130705ed4de523fd2e38a6c64848af5d6e1ce6a268251e7b6d6e3f8089957
CoinMiner.XMRig
fd6996eab709c3ed21ef140958d9a9147902336b85b47bc896372a18e469a6fc
CoinMiner.XMRig
+ 179 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:xmrig discovery infostealer miner spyware stealer
Link:
https://tria.ge/reports/211024-vn422aefd8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
RedLine
RedLine Payload
xmrig
Malware Config
C2 Extraction:
65.108.29.210:21638
Unpacked files
SH256 hash:
a618e6a131a951af0616f6985cb462b4abd831d64d38246842d333d6f96932b4
MD5 hash:
6ba10cff33d06df81edcc0fa013ae792
SHA1 hash:
3d417c7fc08e8aceac0f33e7972ea9f4e7c5f4af
Link:
https://www.unpac.me/results/4b343a33-b88d-4ff1-8e53-6022e7e92804/
SH256 hash:
3493f8a91b2cd6485a72869c482cda93cab716bd9dd0540aaff978760b6d01ad
MD5 hash:
b7a0a9b286001b3a91f88a82ed4efdea
SHA1 hash:
11b1b49984588707e2d05ed3958e4b8f5a97bb2c
Link:
https://www.unpac.me/results/4b343a33-b88d-4ff1-8e53-6022e7e92804/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3493f8a91b2c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3493f8a91b2cd6485a72869c482cda93cab716bd9dd0540aaff978760b6d01ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner.XMRig

Executable exe 3493f8a91b2cd6485a72869c482cda93cab716bd9dd0540aaff978760b6d01ad

(this sample)

anyrun
any.run
https://app.any.run/tasks/a91ff5e3-69cc-413e-85a3-aba558e30d73
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/199674/

Comments