MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4531e904b29a577272454de8f8084d86fbe2903f16c00d2fa63d1ffe5244ecc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4531e904b29a577272454de8f8084d86fbe2903f16c00d2fa63d1ffe5244ecc1
SHA3-384 hash: 2736aab2cf4d60d2f36fd13fe1ccd1b5d865b239410c333431b464467a1bd46cdad7246eb2b5ddc25b78ca8dd5e27405
SHA1 hash: 1a8ff6cc9c572e1d52b2e7db582178a9d5208e17
MD5 hash: 15db9f43813112507a5cbd9b4f5e1fe9
humanhash: mountain-oven-fanta-failed
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:78'848 bytes
First seen:2023-03-21 13:29:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6880384c7bfd2a14f2b2e2e50f940ba5 (1 x CoinMiner)
ssdeep 1536:T3Mz8YI7OdQZ16vXROFon3rXMOnfF+OeeeeeeeeWeeeee:4wYuIPROKnLMOnfF
Threatray 45 similar samples on MalwareBazaar
TLSH T1D9733900F280813BE0F681FFEBFF56A9192C9FB4534594D7A2E1689F56346C6BA36053
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter jstrosch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
phorpiex
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-03-21 13:34:16 UTC
Tags:
phorpiex trojan
Link:
https://app.any.run/tasks/ead64a65-9af5-4cdf-8673-c0710ab45186

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a window
Creating a file in the %temp% directory
DNS request
Sending a UDP request
Creating a file
Sending a custom TCP request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Enabling threat expansion on mass storage devices
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware phorpiex shell32.dll
Link:
https://www.filescan.io/uploads/6419b15ce78a9d3042996197/reports/49d84330-ddd7-42e3-9aca-d4874ebcfdaa/overview
Verdict:
Malicious
Labled as:
Trojan.FWDisable.Generic
Link:
https://www.hybrid-analysis.com/sample/4531e904b29a577272454de8f8084d86fbe2903f16c00d2fa63d1ffe5244ecc1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Phorpiex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/20b0dbc8-7c2c-4c31-abad-ab9fcc1e72c9
Result
Threat name:
Phorpiex, Xmrig
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1198623
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Contains functionality to determine the online IP of the system
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Found hidden mapped module (file has been removed from disk)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Send many emails (e-Mail Spam)
Snort IDS alert for network traffic
Tries to resolve many domain names, but no domain seems valid
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Yara detected Phorpiex
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 831531 Sample: file.exe Startdate: 21/03/2023 Architecture: WINDOWS Score: 100 92 Snort IDS alert for network traffic 2->92 94 Antivirus detection for URL or domain 2->94 96 Antivirus detection for dropped file 2->96 98 10 other signatures 2->98 8 file.exe 1 1 2->8         started        12 winsvrupd.exe 2->12         started        14 powershell.exe 36 2->14         started        16 4 other processes 2->16 process3 file4 64 C:\Windows\wsysrxvcs.exe, PE32 8->64 dropped 128 Found evasive API chain (may stop execution after checking mutex) 8->128 130 Contains functionality to check if Internet connection is working 8->130 132 Drops executables to the windows directory (C:\Windows) and starts them 8->132 144 2 other signatures 8->144 18 wsysrxvcs.exe 7 28 8->18         started        66 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 12->66 dropped 68 C:\Users\user\AppData\Local\...\mpnsrsgv.tmp, PE32+ 12->68 dropped 134 Writes to foreign memory regions 12->134 136 Modifies the context of a thread in another process (thread injection) 12->136 138 Maps a DLL or memory area into another process 12->138 140 Sample is not signed and drops a device driver 12->140 23 cmd.exe 12->23         started        142 Uses schtasks.exe or at.exe to add and modify task schedules 14->142 25 conhost.exe 14->25         started        27 conhost.exe 16->27         started        29 schtasks.exe 16->29         started        31 conhost.exe 16->31         started        33 2 other processes 16->33 signatures5 process6 dnsIp7 72 185.215.113.66 WHOLESALECONNECTIONSNL Portugal 18->72 74 2.180.17.91 TCIIR Iran (ISLAMIC Republic Of) 18->74 76 23 other IPs or domains 18->76 50 C:\Users\user\AppData\Local\...\75601095.exe, PE32 18->50 dropped 52 C:\Users\user\AppData\Local\...\587025894.exe, PE32 18->52 dropped 54 C:\Users\user\AppData\Local\...\311029678.exe, PE32 18->54 dropped 56 C:\Users\user\AppData\Local\...\120477188.exe, PE32 18->56 dropped 100 Antivirus detection for dropped file 18->100 102 Multi AV Scanner detection for dropped file 18->102 104 Found evasive API chain (may stop execution after checking mutex) 18->104 108 5 other signatures 18->108 35 120477188.exe 16 18->35         started        40 311029678.exe 16 18->40         started        42 75601095.exe 16 18->42         started        44 587025894.exe 18->44         started        106 Query firmware table information (likely to detect VMs) 23->106 file8 signatures9 process10 dnsIp11 78 185.215.113.84 WHOLESALECONNECTIONSNL Portugal 35->78 58 C:\Users\user\AppData\...\1258033132.exe, PE32+ 35->58 dropped 60 C:\Users\user\AppData\Local\...\xmr[1].exe, PE32+ 35->60 dropped 110 Antivirus detection for dropped file 35->110 112 Multi AV Scanner detection for dropped file 35->112 114 Machine Learning detection for dropped file 35->114 46 1258033132.exe 3 35->46         started        80 mx1.qq.com 40->80 82 hotmail-com.olc.protection.outlook.com 40->82 88 673 other IPs or domains 40->88 62 C:\Users\user\AppData\Local\...\529[1].txt, ASCII 40->62 dropped 116 Found evasive API chain (may stop execution after checking mutex) 40->116 118 Contains functionality to determine the online IP of the system 40->118 120 May check the online IP address of the machine 40->120 122 Writes a notice file (html or txt) to demand a ransom 40->122 84 mail.ru 42->84 86 gmail.com 42->86 90 664 other IPs or domains 42->90 124 Hides that the sample has been downloaded from the Internet (zone.identifier) 42->124 file12 126 Tries to resolve many domain names, but no domain seems valid 86->126 signatures13 process14 file15 70 C:\Users\user\...\winsvrupd.exe, PE32+ 46->70 dropped 146 Antivirus detection for dropped file 46->146 148 Multi AV Scanner detection for dropped file 46->148 signatures16
Detection:
phorpiex
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4531e904b29a577272454de8f8084d86fbe2903f16c00d2fa63d1ffe5244ecc1/
Threat name:
Win32.Trojan.FWDisable
Create hunting rule
Status:
Malicious
First seen:
2023-03-21 10:55:49 UTC
File Type:
PE (Exe)
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iuy6sbfstjlxe4sfjxupqccnq356feb7c3aa2l5ghup74use5taq._file
Verdict:
malicious
Similar samples:
01a3465e5e0f616d60778d071f5c2357ff3064ff6c08086057556e47e6611e82
CoinMiner
0bc69de1855f826499a11014301279960d7a05928a5e6cc2056a42b4a8cad9e2
CoinMiner
12f308243fe099acdb7718428e027aa77846efa6f18e6cf8235daaadcb46ed1f
CoinMiner
48214f32e63f85fe88aff17257a746862d7530bce20b2dfc7a7b942743374a31
CoinMiner
764621435395609860a78ef6d107832fb9bb7f41f02c0bf11a180d9309c008aa
CoinMiner
cb541b99627ce8472599a1145595037b9314cb616d2d5c54e5cf139074237034
CoinMiner
ce87790b45cd1822a71e4d81733ec535a8aa5c42ec48f3593b14c5049ab635e6
CoinMiner
fc7f4a32ad5d939024f941c04f123edc4e4e51d4974313e001130a2e466119a2
CoinMiner
+ 35 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:phorphiex family:xmrig evasion loader miner persistence trojan upx worm
Link:
https://tria.ge/reports/230321-qrs2qacg2v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
UPX packed file
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
XMRig Miner payload
Phorphiex
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://185.215.113.66/
Unpacked files
SH256 hash:
4531e904b29a577272454de8f8084d86fbe2903f16c00d2fa63d1ffe5244ecc1
MD5 hash:
15db9f43813112507a5cbd9b4f5e1fe9
SHA1 hash:
1a8ff6cc9c572e1d52b2e7db582178a9d5208e17
Detections:
phorphiex
Create hunting rule
Link:
https://www.unpac.me/results/addf627a-60bc-474c-b5e5-23b3669bcfb5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4531e904b29a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Phorpiex
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/4531e904b29a577272454de8f8084d86fbe2903f16c00d2fa63d1ffe5244ecc1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 4531e904b29a577272454de8f8084d86fbe2903f16c00d2fa63d1ffe5244ecc1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2567668/
  
URLhaus
https://urlhaus.abuse.ch/url/2531892/
  
URLhaus
https://urlhaus.abuse.ch/url/2554568/

Comments