Threat name: SilentXMRMiner, Xmrig
Alert
Classification: troj.spyw.expl.evad.mine
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected Stratum mining protocol
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sets debug register (to hijack the execution of another thread)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Bypass UAC via Fodhelper.exe
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powerup Write Hijack DLL
Suspicious command line found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
UAC bypass detected (Fodhelper)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behavior Graph
ID: 1528504
Sample: e7WMhx18XN.exe
Startdate: 08/10/2024
Architecture: WINDOWS
Score: 100

Process tree reconstructed from the graph (node numbers are the graph's own; "started" = child process, "injected" = injection target, "dropped" = file written, "sig:" = signature attached to that node, "net:" = DNS/IP node; a number in parentheses after a process name is the count displayed on that node):

2 e7WMhx18XN.exe (submitted sample)
  net: pool.hashvault.pro
  sig: Sigma detected: Xmrig
  sig: Malicious sample detected (through community Yara rule)
  sig: Antivirus / Scanner detection for submitted sample
  sig: 25 other signatures
  started 14 e7WMhx18XN.exe (8)
    dropped C:\Users\user\AppData\Local\Temp\paint.exe, PE32+
    dropped C:\Users\user\...\FodhelperBypassUAC.exe, PE32+
    dropped C:\Users\user\AppData\Local\Temp\b.bat, DOS
    dropped C:\Users\user\AppData\...\e7WMhx18XN.exe.log, CSV
    started 24 cmd.exe (1)
      sig: Suspicious powershell command line found
      sig: 2 other signatures
      started 44 powershell.exe
        dropped C:\Windows\$rbx-onimai2\$rbx-CO2.bat, DOS
        sig: Sets debug register (to hijack the execution of another thread)
        sig: Modifies the context of a thread in another process (thread injection)
        sig: Suspicious command line found
        sig: Found suspicious powershell code related to unpacking or dynamic code loading
        started 65 cmd.exe
          sig: Suspicious powershell command line found
          started 84 powershell.exe
            started 101 cmd.exe
              sig: Suspicious powershell command line found
              sig: Suspicious command line found
              started 108 powershell.exe
                net: 147.185.221.22, 54593, 54594, 54595 (SALSGIVERUS, United States)
                sig: Creates autostart registry keys with suspicious values (likely registry only malware)
                sig: Creates autostart registry keys with suspicious names
                sig: Creates an autostart registry key pointing to binary in C:\Windows
                sig: 5 other signatures
                started 120 powershell.exe
                  sig: Injects a PE file into a foreign processes
                  started 129 conhost.exe
                  started 131 powershell.exe
                started 123 powershell.exe
                  started 133 conhost.exe
                  started 135 powershell.exe
                started 125 powershell.exe
                  started 137 conhost.exe
                  started 139 powershell.exe
                127 (2 other processes)
                  started 141 conhost.exe
                  started 143 conhost.exe
                  started 145 powershell.exe
              started 112 conhost.exe
              started 114 WMIC.exe
              118 (2 other processes)
          started 86 conhost.exe
          started 88 cmd.exe
      58 (4 other processes)
        sig: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
    started 27 paint.exe
      sig: Antivirus detection for dropped file
      sig: Machine Learning detection for dropped file
      sig: 2 other signatures
      started 48 conhost.exe (4)
        dropped C:\Users\user\AppData\...\services64.exe, PE32+
        started 68 cmd.exe (1)
          started 90 services64.exe
            sig: Writes to foreign memory regions
            sig: Allocates memory in foreign processes
            sig: Creates a thread in another existing process (thread injection)
            started 104 conhost.exe (2)
              started 116 WerFault.exe (20, 16)
          started 93 conhost.exe
        started 70 cmd.exe (1)
          started 95 conhost.exe
          started 97 schtasks.exe (1)
    started 29 FodhelperBypassUAC.exe (2)
      sig: UAC bypass detected (Fodhelper)
      started 50 cmd.exe (1)
        started 72 fodhelper.exe (12)
          started 99 cmd.exe (1)
            started 106 conhost.exe
        started 74 conhost.exe
  started 17 services64.exe
    sig: Antivirus detection for dropped file
    sig: Machine Learning detection for dropped file
    sig: Writes to foreign memory regions
    sig: 2 other signatures
    started 31 conhost.exe (6)
      dropped C:\Users\user\AppData\...\sihost64.exe, PE32+
      dropped C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+
      sig: Found strings related to Crypto-Mining
      sig: Injects code into the Windows Explorer (explorer.exe)
      sig: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      sig: 2 other signatures
      60 (2 other processes)
        net: pool.hashvault.pro 45.76.89.70, 54464, 80 (AS-CHOOPAUS, United States)
        sig: Antivirus detection for dropped file
        sig: Query firmware table information (likely to detect VMs)
        sig: Machine Learning detection for dropped file
        sig: 4 other signatures
        started 76 conhost.exe
  started 20 powershell.exe
    sig: Modifies the context of a thread in another process (thread injection)
    sig: Injects a PE file into a foreign processes
    started 34 dllhost.exe
      sig: Contains functionality to inject code into remote processes
      sig: 2 other signatures
      injected 52 winlogon.exe
    started 36 conhost.exe
  22 (10 other processes)
    sig: Suspicious powershell command line found
    sig: Query firmware table information (likely to detect VMs)
    sig: Changes security center settings (notifications, updates, antivirus, firewall)
    started 38 dllhost.exe
      sig: Creates a thread in another existing process (thread injection)
      injected 54 lsass.exe
    started 40 powershell.exe
      started 56 cmd.exe
        80 (3 other processes)
    42 (14 other processes)
      63 (3 other processes)
        started 78 conhost.exe
        82 (5 other processes)
Comments
url : hxxp://51.79.158.135/b.exe