MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43585503544a7c7596afb2b46457bb865df0c30b19d5c3b0bcdabf2f911d58ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner.XMRig


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43585503544a7c7596afb2b46457bb865df0c30b19d5c3b0bcdabf2f911d58ca
SHA3-384 hash: b518745ce4c79b6957421122548ccdd33ec47849e5b417a07b7ad0aacd1f4e08afd37487d1b5d72b600e21db6b182501
SHA1 hash: 3fc2923c8fbcd11c87a5397674af8873254ba66e
MD5 hash: 1b79ca2e04760d945156dcc24689fe32
humanhash: harry-delaware-ten-uranus
File name:1b79ca2e04760d945156dcc24689fe32
Download: download sample
Signature CoinMiner.XMRig
Create hunting rule
File size:10'184'973 bytes
First seen:2021-12-25 18:44:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 196608:NhS7NZPbCnx48tlJp4vvUyMbr52MxEJyZjXJRZ9YrPEQGH:zg/0tlD4vHMmiXJRZ2ruH
Threatray 113 similar samples on MalwareBazaar
TLSH T186A63391BCD558B3EAB75F368870FB64483AE4204B6ECE0F63C4461ADE790816A7C717
File icon (PE):PE icon
dhash icon 9b0357331b3931c6 (1 x CoinMiner.XMRig)
Reporter zbetcheckin
Tags:32 CoinMiner.XMRig exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
392
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1b79ca2e04760d945156dcc24689fe32
Verdict:
Malicious activity
Analysis date:
2021-12-25 18:48:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e7327612-3a1a-4082-b5df-83e9cff2a579

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216393/
Detection(s):
SecuriteInfo.com.Gen.Variant.Razy.582340.18684.14597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
DNS request
Launching a process
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a custom TCP request
Creating a process with a hidden window
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3236/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
donut enigma greyware overlay packed
Link:
https://www.filescan.io/uploads/61c766b34ab5c44cbf510ee0/reports/0f117f40-364c-47b2-89a2-f5b6b8c5a116/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be9f2491-667e-4f52-9af7-39314ff6bb1b
Result
Threat name:
BitCoin Miner RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/912830
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Svchost Process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 545304 Sample: rprjbXvUVY Startdate: 25/12/2021 Architecture: WINDOWS Score: 100 101 pool.hashvault.pro 2->101 113 Malicious sample detected (through community Yara rule) 2->113 115 Multi AV Scanner detection for dropped file 2->115 117 Multi AV Scanner detection for submitted file 2->117 119 10 other signatures 2->119 13 rprjbXvUVY.exe 10 2->13         started        16 fasfqw.exe 2->16         started        19 svchost.exe 2->19         started        21 8 other processes 2->21 signatures3 process4 file5 89 C:\Users\user\AppData\Local\...\installer.exe, PE32+ 13->89 dropped 91 C:\Users\user\AppData\...\21651505105.exe, PE32 13->91 dropped 23 21651505105.exe 13->23         started        26 installer.exe 5 13->26         started        103 Multi AV Scanner detection for dropped file 16->103 105 Writes to foreign memory regions 16->105 107 Allocates memory in foreign processes 16->107 109 Creates a thread in another existing process (thread injection) 16->109 29 conhost.exe 16->29         started        111 Changes security center settings (notifications, updates, antivirus, firewall) 19->111 31 WerFault.exe 21->31         started        signatures6 process7 file8 137 Multi AV Scanner detection for dropped file 23->137 139 Machine Learning detection for dropped file 23->139 141 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 23->141 149 3 other signatures 23->149 33 AppLaunch.exe 15 7 23->33         started        38 WerFault.exe 23->38         started        85 C:\Users\user\Microsoft\services64.exe, PE32+ 26->85 dropped 87 C:\Users\user\AppData\...\installer.exe.log, ASCII 26->87 dropped 143 Detected unpacking (changes PE section rights) 26->143 145 Hides threads from debuggers 26->145 40 cmd.exe 26->40         started        147 Adds a directory exclusion to Windows Defender 29->147 signatures9 process10 dnsIp11 95 95.143.178.139, 49749, 9006 RHTEC-ASrh-tecIPBackboneDE Russian Federation 33->95 97 cdn.discordapp.com 162.159.135.233, 443, 49754 CLOUDFLARENETUS United States 33->97 99 192.168.2.1 unknown unknown 33->99 81 C:\Users\user\AppData\Local\Temp\6.exe, PE32+ 33->81 dropped 121 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 33->121 123 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 33->123 125 Tries to harvest and steal browser information (history, passwords, etc) 33->125 127 Tries to steal Crypto Currency Wallets 33->127 42 6.exe 33->42         started        129 Encrypted powershell cmdline option found 40->129 131 Uses schtasks.exe or at.exe to add and modify task schedules 40->131 133 Adds a directory exclusion to Windows Defender 40->133 45 conhost.exe 40->45         started        47 powershell.exe 40->47         started        49 powershell.exe 40->49         started        file12 signatures13 process14 signatures15 155 Multi AV Scanner detection for dropped file 42->155 157 Writes to foreign memory regions 42->157 159 Allocates memory in foreign processes 42->159 161 Creates a thread in another existing process (thread injection) 42->161 51 conhost.exe 42->51         started        163 Adds a directory exclusion to Windows Defender 45->163 process16 file17 83 C:\Windows\System32\fasfqw.exe, PE32+ 51->83 dropped 135 Adds a directory exclusion to Windows Defender 51->135 55 cmd.exe 51->55         started        58 cmd.exe 51->58         started        60 cmd.exe 51->60         started        signatures18 process19 signatures20 151 Drops executables to the windows directory (C:\Windows) and starts them 55->151 62 fasfqw.exe 55->62         started        65 conhost.exe 55->65         started        153 Adds a directory exclusion to Windows Defender 58->153 67 conhost.exe 58->67         started        69 powershell.exe 58->69         started        71 powershell.exe 58->71         started        73 conhost.exe 60->73         started        75 schtasks.exe 60->75         started        process21 signatures22 165 Writes to foreign memory regions 62->165 167 Allocates memory in foreign processes 62->167 169 Creates a thread in another existing process (thread injection) 62->169 77 conhost.exe 62->77         started        process23 file24 93 C:\Windows\System32\...\sihost32.exe, PE32+ 77->93 dropped 171 Drops executables to the windows directory (C:\Windows) and starts them 77->171 173 Adds a directory exclusion to Windows Defender 77->173 signatures25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43585503544a7c7596afb2b46457bb865df0c30b19d5c3b0bcdabf2f911d58ca/
Threat name:
Win32.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2021-12-21 15:16:47 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=inmfka2ujj6hlfvpwk2giv53qzo7bqyldhk4hmf43k7s7ei5ldfa._file
Verdict:
malicious
Similar samples:
33b18a85c6b49af6f5025ada7db397fad10b6e1d0c25d98b9ac557c3024a2ac4
CoinMiner.XMRig
c0efa247a497b4d9d721d0f54e30e44007c5e53882cf822ade5c3b8f9dd6bbaf
CoinMiner.XMRig
dee5fa01f5f31868f131fb518880eae43324acc873b2c04f8bcd98bf771be3af
CoinMiner.XMRig
e9f1d411e9f40b3050fd6bec3caf316b0986bce3f8185b6529efc6586800fd4a
CoinMiner.XMRig
f3de4ce2a7e7d27e8dcfc9b38b0e55631181393e673a37a57bd97e218a797cfe
CoinMiner.XMRig
feb365d784b06535c3bd3ab5c525e771521f0f7dcc71c8c3e800226fdb117085
CoinMiner.XMRig
+ 103 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/211225-xd3gkaagh3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
2912076269452b02f2f91c9bc99a7020da2ada16d1d7dd2da922bcd51bd47e39
MD5 hash:
c0293fc705871e9cd6d41dd81edfdfdb
SHA1 hash:
de21fe924da36d384fd349f66dca325277c932ce
Link:
https://www.unpac.me/results/c7f99051-0313-4cd3-814e-c300def5c422/
SH256 hash:
a96455a44a14a2943fe562c3c241bcaa01b943197cdf07559b553f3ac2646432
MD5 hash:
4b89e8f1f7936814278cb76b8f317d33
SHA1 hash:
4d61acf23e1c38137884e4a695f047b4a96e16bd
Link:
https://www.unpac.me/results/c7f99051-0313-4cd3-814e-c300def5c422/
SH256 hash:
43585503544a7c7596afb2b46457bb865df0c30b19d5c3b0bcdabf2f911d58ca
MD5 hash:
1b79ca2e04760d945156dcc24689fe32
SHA1 hash:
3fc2923c8fbcd11c87a5397674af8873254ba66e
Link:
https://www.unpac.me/results/c7f99051-0313-4cd3-814e-c300def5c422/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43585503544a7c7596afb2b46457bb865df0c30b19d5c3b0bcdabf2f911d58ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner.XMRig

Executable exe 43585503544a7c7596afb2b46457bb865df0c30b19d5c3b0bcdabf2f911d58ca

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/216393/
  
URLhaus
https://urlhaus.abuse.ch/url/1920740/

Comments


Avatar
zbet commented on 2021-12-25 18:44:18 UTC

url : hxxp://data-file-data-7.com/files/5838_1640039508_9010.exe