MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4750dfff318bcf5ba7bf432cc40a868140a07b6f3d1a8114bdd625a762799703. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4750dfff318bcf5ba7bf432cc40a868140a07b6f3d1a8114bdd625a762799703
SHA3-384 hash: 4893c6ceb72f9bb937d956bf0ea1fd9e6295efd658f2a868325fc85b2461061eeb312371bac574a4d0291ead19118dc7
SHA1 hash: 999608569c2b55812a6f459f41bcbf586b6e7de3
MD5 hash: 9911b684246fccb29c889ed68dcdac20
humanhash: bluebird-sad-fish-iowa
File name:4750dfff318bcf5ba7bf432cc40a868140a07b6f3d1a8114bdd625a762799703.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:693'016 bytes
First seen:2023-07-16 12:05:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:UEcus5b+kocdm3aYpPTQgdBpmHF+DxyWPoSFfGiqpT0byy16opTL3tsLRsJKV:PXsF+kVdY7L4Afv+lZmD6QtsLCJKV
Threatray 665 similar samples on MalwareBazaar
TLSH T191E4331621A77D4DECBC5E7E7697981B2526AE7B92C0B3C2C0E289011FD9BFC60251DC
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter vmovupd
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
NO NO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4750dfff318bcf5ba7bf432cc40a868140a07b6f3d1a8114bdd625a762799703.exe
Verdict:
Malicious activity
Analysis date:
2023-07-16 12:08:24 UTC
Tags:
zgrat backdoor
Link:
https://app.any.run/tasks/1eb202b2-fd41-40a8-abc4-b90a1c5c9969

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/421590/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.88964.403.5073.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Forced system process termination
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed stealer
Link:
https://www.filescan.io/uploads/64b3dd2afeab465ae3505043/reports/c04b00df-3547-4cc7-bcb4-71dca10e6843/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/4750dfff318bcf5ba7bf432cc40a868140a07b6f3d1a8114bdd625a762799703
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ebf0a47e-9462-400d-9970-7f089ba8b875
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1273985
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Connects to many ports of the same IP (likely port scanning)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Xmrig
Snort IDS alert for network traffic
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1273985 Sample: dES4gM01Oh.exe Startdate: 16/07/2023 Architecture: WINDOWS Score: 100 33 Snort IDS alert for network traffic 2->33 35 Sigma detected: Xmrig 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 9 other signatures 2->39 7 Opcode.exe 3 2->7         started        10 dES4gM01Oh.exe 6 2->10         started        process3 file4 45 Multi AV Scanner detection for dropped file 7->45 47 Machine Learning detection for dropped file 7->47 49 Modifies the context of a thread in another process (thread injection) 7->49 51 Injects a PE file into a foreign processes 7->51 13 RegAsm.exe 16 2 7->13         started        21 C:\Users\user\AppData\Roaming\...\Opcode.exe, PE32+ 10->21 dropped 23 C:\Users\user\...\Opcode.exe:Zone.Identifier, ASCII 10->23 dropped 25 C:\Users\user\AppData\...\dES4gM01Oh.exe.log, CSV 10->25 dropped signatures5 process6 dnsIp7 29 185.225.74.200, 39001, 44810, 49697 MAYAKBG Germany 13->29 31 marketwatch.cc 188.114.96.7, 443, 49699 CLOUDFLARENETUS European Union 13->31 53 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->53 55 Modifies the context of a thread in another process (thread injection) 13->55 57 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 13->57 59 Injects a PE file into a foreign processes 13->59 17 AddInProcess.exe 13->17         started        signatures8 process9 dnsIp10 27 xmr.2miners.com 162.19.139.184, 2222, 49706 CENTURYLINK-US-LEGACY-QWESTUS United States 17->27 41 Query firmware table information (likely to detect VMs) 17->41 signatures11 43 Detected Stratum mining protocol 27->43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4750dfff318bcf5ba7bf432cc40a868140a07b6f3d1a8114bdd625a762799703/
Threat name:
Win64.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2023-07-16 12:06:06 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
2
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i5in77zrrphvxj57imwmicugqfaka63phunicff52ys2oytzs4bq._file
Verdict:
malicious
Similar samples:
03fcf785b17d2ef8014c2bc90129da267f899218312c789ce94ee24e9a97c105
CoinMiner
11ec89ea5da82e62e0a851d6bc49f38b39cd7ab6db3b254029fe9f923fce0d7b
CoinMiner
1c758992ed57930115ba585a43bc0a7a750a476206cf1999bf3333f26fc230f2
CoinMiner
2dc6a762fbcc017cddee0b0099ffcc61af6336f4444e911997e4af2635c8f183
CoinMiner
509876bf98ee51fc5d7a4d6af1244227fccd94a556a9c85dd9bdf535d8619b39
CoinMiner
6958b67fa4b8e6b4cb8a503cb6199b81c6df7491a97ec8edf51662e350078fda
CoinMiner
812f2741f662194744b33d6e51c4fbe11823d06e90938865aa4517974a072bc1
CoinMiner
8e81c784f79eb9358991ca3b1bab8c5d1ddaaa70a849fe7527ed005063d6c092
CoinMiner
fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505
CoinMiner
+ 655 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230716-n9qm7sef74/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in System32 directory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
4750dfff318bcf5ba7bf432cc40a868140a07b6f3d1a8114bdd625a762799703
MD5 hash:
9911b684246fccb29c889ed68dcdac20
SHA1 hash:
999608569c2b55812a6f459f41bcbf586b6e7de3
Link:
https://www.unpac.me/results/cdb87f22-c245-4dee-99d8-6620cce12661/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4750dfff318b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/4750dfff318bcf5ba7bf432cc40a868140a07b6f3d1a8114bdd625a762799703

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Executable exe d554c3844613b585d9b9399ec67bc75ad368a45cf0a06a8bdd4c06a29232e10b

CoinMiner

Executable exe 4750dfff318bcf5ba7bf432cc40a868140a07b6f3d1a8114bdd625a762799703

(this sample)

Executable exe dffca632e4ef9880cbfd078c90ba28a26c062c26bc93b8be1a9467443d92e61a

  
Dropped by
SHA256 d554c3844613b585d9b9399ec67bc75ad368a45cf0a06a8bdd4c06a29232e10b
  
Dropping
SHA256 dffca632e4ef9880cbfd078c90ba28a26c062c26bc93b8be1a9467443d92e61a
Cape
Cape
https://www.capesandbox.com/analysis/421590/
  
Dropping
MD5 9f6c2ab67ba17d3e92d95b2ecda7aeb7
  
Dropped by
MD5 a652cccb8e0025f5aa4425cd4a3d2cc4

Comments