MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45fa3b802a5d7e2c3687dbb1957e5cda1715b5d741f40d80d672bbf73d5d8b3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner.XMRig


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45fa3b802a5d7e2c3687dbb1957e5cda1715b5d741f40d80d672bbf73d5d8b3e
SHA3-384 hash: 2c368a1bebc6478b602f62e836b449d5308dd461d4cbe3b5c630ba408a535a4214315656778c44918737584c643ae114
SHA1 hash: 1cc48a999280c8ccd2f52a314766b5d8e3ef39dd
MD5 hash: 1c7cb2cc9f49ccd8f1ab04613e93047a
humanhash: carolina-queen-hamper-eleven
File name:1c7cb2cc9f49ccd8f1ab04613e93047a.exe
Download: download sample
Signature CoinMiner.XMRig
Create hunting rule
File size:320'512 bytes
First seen:2022-01-14 14:15:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cfc1be3ef30447c889df3bb658d73d71 (2 x RedLineStealer, 1 x CoinMiner.XMRig, 1 x Smoke Loader)
ssdeep 6144:7jSeQevixcoHw7SaJ42yfzkHy00eDO70N+V8ZZgh268Po+:7GevixWS5PrkHNlDOU+V8vK/8P
Threatray 6'964 similar samples on MalwareBazaar
TLSH T10364AE10B7A0C035F1B726F48AB5936DB92E3AA1673490CB12D52BEE56346F1EC31317
File icon (PE):PE icon
dhash icon 2dec1370399b9b91 (25 x RedLineStealer, 21 x Smoke Loader, 8 x ArkeiStealer)
Reporter abuse_ch
Tags:CoinMiner.XMRig exe


Avatar
abuse_ch
CoinMiner.XMRig C2:
65.108.77.212:40094

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
65.108.77.212:40094 https://threatfox.abuse.ch/ioc/294752/

Intelligence

File Origin
# of uploads :
1
# of downloads :
297
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1c7cb2cc9f49ccd8f1ab04613e93047a.exe
Verdict:
Suspicious activity
Analysis date:
2022-01-14 14:26:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c0e65677-6d2a-4e8c-84b4-1e7eb08c6fb1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219343/
Detection(s):
Win.Packed.Tofsee-9935687-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4196/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware tofsee
Link:
https://www.filescan.io/uploads/61e185af1883c5ba4ecbe69e/reports/9d79b5aa-148a-4981-af91-436cb13bf958/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cff2bf52-e5b3-431c-b6ca-1e31cdb24411
Result
Threat name:
Amadey Raccoon RedLine SmokeLoader Tofse
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/920786
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for dropped file
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 553264 Sample: prkVkqYIwv.exe Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 90 185.163.204.24, 49921, 80 CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE Germany 2->90 92 185.163.45.70, 80 MIVOCLOUDMD Moldova Republic of 2->92 94 10 other IPs or domains 2->94 108 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->108 110 Antivirus detection for URL or domain 2->110 112 Antivirus detection for dropped file 2->112 114 20 other signatures 2->114 11 prkVkqYIwv.exe 2->11         started        14 shnhcsqf.exe 2->14         started        16 aarcfwh 2->16         started        18 6 other processes 2->18 signatures3 process4 signatures5 146 Contains functionality to inject code into remote processes 11->146 148 Injects a PE file into a foreign processes 11->148 20 prkVkqYIwv.exe 11->20         started        150 Detected unpacking (changes PE section rights) 14->150 152 Detected unpacking (overwrites its own PE header) 14->152 154 Writes to foreign memory regions 14->154 156 Allocates memory in foreign processes 14->156 23 svchost.exe 14->23         started        158 Machine Learning detection for dropped file 16->158 26 aarcfwh 16->26         started        28 WerFault.exe 18->28         started        30 aarcfwh 18->30         started        process6 dnsIp7 116 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->116 118 Maps a DLL or memory area into another process 20->118 120 Checks if the current machine is a virtual machine (disk enumeration) 20->120 32 explorer.exe 10 20->32 injected 96 microsoft-com.mail.protection.outlook.com 104.47.53.36, 25, 49814 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->96 98 patmushta.info 94.142.143.116, 443, 49815, 49922 IHOR-ASRU Russian Federation 23->98 122 System process connects to network (likely due to code injection or exploit) 23->122 124 Creates a thread in another existing process (thread injection) 26->124 signatures8 process9 dnsIp10 84 185.233.81.115, 443, 49780 SUPERSERVERSDATACENTERRU Russian Federation 32->84 86 81.163.30.181, 49888, 49895, 49897 IR-RASANAPISHTAZIR Russian Federation 32->86 88 11 other IPs or domains 32->88 72 C:\Users\user\AppData\Roaming\aarcfwh, PE32 32->72 dropped 74 C:\Users\user\AppData\Local\Temp\FB93.exe, PE32 32->74 dropped 76 C:\Users\user\AppData\Local\Temp\F1CE.exe, PE32 32->76 dropped 78 11 other malicious files 32->78 dropped 100 System process connects to network (likely due to code injection or exploit) 32->100 102 Benign windows process drops PE files 32->102 104 Deletes itself after installation 32->104 106 Hides that the sample has been downloaded from the Internet (zone.identifier) 32->106 37 8B10.exe 32->37         started        40 F1CE.exe 2 32->40         started        43 FB93.exe 3 32->43         started        45 7A08.exe 32->45         started        file11 signatures12 process13 file14 126 Detected unpacking (changes PE section rights) 37->126 128 Detected unpacking (overwrites its own PE header) 37->128 130 Found evasive API chain (may stop execution after checking mutex) 37->130 144 4 other signatures 37->144 80 C:\Users\user\AppData\Local\...\shnhcsqf.exe, PE32 40->80 dropped 132 Machine Learning detection for dropped file 40->132 134 Uses netsh to modify the Windows network and firewall settings 40->134 136 Modifies the windows firewall 40->136 47 cmd.exe 40->47         started        50 cmd.exe 2 40->50         started        52 sc.exe 40->52         started        58 3 other processes 40->58 138 Antivirus detection for dropped file 43->138 140 Injects a PE file into a foreign processes 43->140 54 FB93.exe 43->54         started        142 Multi AV Scanner detection for dropped file 45->142 56 WerFault.exe 23 9 45->56         started        signatures15 process16 file17 82 C:\Windows\SysWOW64\...\shnhcsqf.exe (copy), PE32 47->82 dropped 60 conhost.exe 47->60         started        62 conhost.exe 50->62         started        64 conhost.exe 52->64         started        66 conhost.exe 58->66         started        68 conhost.exe 58->68         started        70 conhost.exe 58->70         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45fa3b802a5d7e2c3687dbb1957e5cda1715b5d741f40d80d672bbf73d5d8b3e/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-01-14 14:16:20 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ix5dxabklv7cynuh3oyzk7s43ilrlnoxih2a3agwok57opk5rm7a._file
Verdict:
malicious
Similar samples:
013c0a38f83cc7334209e0acbc268edb1f31ff5d6dcf377efc6b769c8450be43
CoinMiner.XMRig
02bcb080116ab55475edbcd1293246a0e5d8894793ee9e699db805bff2935408
CoinMiner.XMRig
06694768182079f742731e4bc2f6c0ffc012417020d04cd798cb8df4f8919f11
CoinMiner.XMRig
14bf8d4e3f7154cdc0f6cc99b1ac2f6504cdbcb72d8e5a86d175bdf12eb84e3f
CoinMiner.XMRig
29a5461cca77683d6a47c83eb774235bd0ae092adc58c987e571eeecb3e1cd03
CoinMiner.XMRig
3acc2e00534ea6d6347c0c73761d787305a62b829872ea02febe8984c3d3ae7c
CoinMiner.XMRig
65f908a0dfe5c343457bab4b68004a1b5fceb4e89c28c263ec05479eae182e9a
CoinMiner.XMRig
a70760071dea52443d726965f9feef8a66848b6c6288e9354f8ca1e0e898f624
CoinMiner.XMRig
eb24b3b9375f0b3272fac6eecc9329f79eab274d802b2ad37037cc83a46fa3f1
CoinMiner.XMRig
fb34e5cbdfc7f2a045a019ef8a038736c83d60641e6c360278b4baeca9e7721f
CoinMiner.XMRig
+ 6'954 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:arkei family:loaderbot family:raccoon family:smokeloader family:tofsee family:xmrig botnet:default backdoor collection discovery evasion loader miner persistence spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/220114-rk8dhaghcr/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Deletes itself
Blocklisted process makes network request
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
UPX packed file
Arkei Stealer Payload
LoaderBot executable
XMRig Miner Payload
Amadey
Arkei
LoaderBot
Raccoon
SmokeLoader
Tofsee
Windows security bypass
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
xmrig
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
http://file-file-host4.com/tratata.php
patmushta.info
parubey.info
185.215.113.35/d2VxjasuwS/index.php
Unpacked files
SH256 hash:
788f723ebfe0110232b52ee15345acc5f74a53ea45e5f422dc5ce2eb5833fadc
MD5 hash:
198ff357daf4345c9fc869616b139381
SHA1 hash:
24c9899b296cf004e400b77e72b89f42bb726f37
Link:
https://www.unpac.me/results/cfdf1d2a-45de-4e3b-8fe3-dce68924214d/
Parent samples :
3c6f5e38acd57a6372e44dc341bf46060fef8c8b0e1dd3ffa38b21ddaddc3773
6861cdee1ee282ee8c69e31503d95291409907d8b27538f8082adb00205ad105
ccf4e081582226315f3a2bc171b604e3911d0225cc85e18188872ea9832a5388
be1c79275d836696a00b258d15a8b337a8c9beb8198a5bd3d5aaf64d660c8005
53bcd8239258dcbb10f9d3b6d057103c18fe3dd614c5809053426b01b741500d
SH256 hash:
45fa3b802a5d7e2c3687dbb1957e5cda1715b5d741f40d80d672bbf73d5d8b3e
MD5 hash:
1c7cb2cc9f49ccd8f1ab04613e93047a
SHA1 hash:
1cc48a999280c8ccd2f52a314766b5d8e3ef39dd
Link:
https://www.unpac.me/results/cfdf1d2a-45de-4e3b-8fe3-dce68924214d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/45fa3b802a5d7e2c3687dbb1957e5cda1715b5d741f40d80d672bbf73d5d8b3e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner.XMRig

Executable exe 45fa3b802a5d7e2c3687dbb1957e5cda1715b5d741f40d80d672bbf73d5d8b3e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1970142/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/219343/

Comments