MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ed17d1df70b71852be2335f91bdfe20cd4a319a7d22d407e6e82a8dbe91bc5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ed17d1df70b71852be2335f91bdfe20cd4a319a7d22d407e6e82a8dbe91bc5f
SHA3-384 hash: 48dc9556955f9e86c46cf7c5d5d906da9a8d13bd6eb2d39dc27c9facb19654f4f254ac00ac942098939fcd4d1829041d
SHA1 hash: 7525d6d82603d7b28de848df108febc237706941
MD5 hash: 2ed4b748a8f22aa09655c2e19e587776
humanhash: may-grey-nuts-ink
File name:2ed4b748a8f22aa09655c2e19e587776
Download: download sample
Signature CoinMiner
Create hunting rule
File size:10'251'264 bytes
First seen:2021-07-08 08:43:31 UTC
Last seen:2021-07-08 10:53:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 196608:H9KiayQ6+6zIjcntEssa27VIyF5zepWvHC4Ft0DPfp+o:H9Pe3jcfsalIl/bFt0DPfp+
Threatray 628 similar samples on MalwareBazaar
TLSH T1DFA63358B0CA9E41F548FE73D1574C2843878E873207C6EB744F36998D7AA961E2AC39
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2ed4b748a8f22aa09655c2e19e587776
Verdict:
No threats detected
Analysis date:
2021-07-08 08:49:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c5f1b9d0-c65c-47d3-bb5b-ffbbdc6d6468

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170379/
Detection(s):
SecuriteInfo.com.generic.ml.11864.17135.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/63cb97c5-7c26-4b8e-9357-0a94d768f084
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813338
Signature
Creates an undocumented autostart registry key
Drops PE files with benign system names
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 445749 Sample: 4kAbzVOhmL Startdate: 08/07/2021 Architecture: WINDOWS Score: 100 58 Multi AV Scanner detection for dropped file 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 Yara detected Xmrig cryptocurrency miner 2->62 64 3 other signatures 2->64 8 4kAbzVOhmL.exe 3 12 2->8         started        12 Services.exe 2->12         started        14 Services.exe 2->14         started        process3 file4 42 C:\Users\user\AppData\Roaming\...\VGA.exe, PE32+ 8->42 dropped 44 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 8->44 dropped 46 C:\Users\user\AppData\...\4kAbzVOhmL.exe, PE32+ 8->46 dropped 48 3 other malicious files 8->48 dropped 66 Creates an undocumented autostart registry key 8->66 68 Writes to foreign memory regions 8->68 70 Modifies the context of a thread in another process (thread injection) 8->70 72 Injects a PE file into a foreign processes 8->72 16 4kAbzVOhmL.exe 8->16         started        20 wscript.exe 1 8->20         started        22 AdvancedRun.exe 1 8->22         started        25 2 other processes 8->25 signatures5 process6 dnsIp7 40 C:\Users\user\AppData\Local\...\Services.exe, PE32+ 16->40 dropped 52 Multi AV Scanner detection for dropped file 16->52 54 Drops PE files with benign system names 16->54 27 Services.exe 16->27         started        56 Wscript starts Powershell (via cmd or directly) 20->56 30 powershell.exe 23 20->30         started        50 192.168.2.1 unknown unknown 22->50 32 AdvancedRun.exe 22->32         started        34 AdvancedRun.exe 25->34         started        36 conhost.exe 25->36         started        file8 signatures9 process10 signatures11 74 Multi AV Scanner detection for dropped file 27->74 38 conhost.exe 30->38         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ed17d1df70b71852be2335f91bdfe20cd4a319a7d22d407e6e82a8dbe91bc5f/
Threat name:
ByteCode-MSIL.Trojan.Fsysna
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 07:47:58 UTC
AV detection:
6 of 29 (20.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h3ix2hpxbnyykk7cgnpzdpp6edguumm2purnib7g5avi3purxrpq._file
Verdict:
malicious
Similar samples:
20c348d09305a7aff80b3967175a4f7a3c7debfa8a9ae7fbf3dc4bf31f0ec9f6
CoinMiner
4065ef6148d82e9b20fb8fb21b7969636fdc0218259f069adffabd3b2882cc81
CoinMiner
519ba7ae267491633e2a01e55735586ba94829871e5c4ec2fe0a5c8fafe004b8
CoinMiner
63cc7593ecc74d78b39a46559da7124216bb5bc0e9eed2d7996717c462871ea6
CoinMiner
8408707aaa2dc1118bda9431f110e265d716b5cb5bc0ca8a9655828cad8b7b0e
CoinMiner
954988371d8cebea1a69f2c1a47d50b13b9eb82630e5fbc5069105bd12b7b541
CoinMiner
a397a5fde8ef63a32f7867346eebabd48d1ddf0a60c0d95abf431d9d2c51e017
CoinMiner
c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
CoinMiner
d89c68b81a492812f334c6485f8867419efb302da480f13d56ce1e9801c20096
CoinMiner
f0aec42c4adf98c914904d1fd3db75d1db56591088f12e27849cbc427aaf6c7d
CoinMiner
+ 618 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner persistence upx
Link:
https://tria.ge/reports/210708-dd6p4vp37e/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Loads dropped DLL
Executes dropped EXE
UPX packed file
Nirsoft
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
3ed17d1df70b71852be2335f91bdfe20cd4a319a7d22d407e6e82a8dbe91bc5f
MD5 hash:
2ed4b748a8f22aa09655c2e19e587776
SHA1 hash:
7525d6d82603d7b28de848df108febc237706941
Link:
https://www.unpac.me/results/24ed9124-6032-42b9-8c74-7cfa010a661c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ed17d1df70b71852be2335f91bdfe20cd4a319a7d22d407e6e82a8dbe91bc5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 3ed17d1df70b71852be2335f91bdfe20cd4a319a7d22d407e6e82a8dbe91bc5f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1435580/
Cape
Cape
https://www.capesandbox.com/analysis/170379/

Comments


Avatar
zbet commented on 2021-07-08 08:43:37 UTC

url : hxxp://porncamsworld.com/lime.exe