MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b347c6eade78ebc01ccf2df5b9c4b026ccda51c59ecd549bdf7186a5546724c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b347c6eade78ebc01ccf2df5b9c4b026ccda51c59ecd549bdf7186a5546724c
SHA3-384 hash: 799944655717c587d9d755e60a7bbaaec4b0517872fb7e24911b5f49e8f3f8733dd99ce782efff26e21833d994ba1b32
SHA1 hash: b89dc8dbadd4da23b78028e2e4c635c146ab30db
MD5 hash: f67efbee10897235f033ca95576dc836
humanhash: beryllium-jupiter-delaware-beryllium
File name:f67efbee10897235f033ca95576dc836
Download: download sample
Signature CoinMiner
Create hunting rule
File size:607'061 bytes
First seen:2021-09-11 18:46:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 12288:pANwRo+mv8QD4+0V16XTfrUQRPTBLWKpimWx+TXeYhcQlM2Vj8UZe:pAT8QE+kUrUQ1TBbXSYhJBVjNe
Threatray 481 similar samples on MalwareBazaar
TLSH T102D4F135A281857AC16209718C8BD3BAF63ABB045F7C54CFB7DD0E1C8D3734A1A6529B
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://www.hannadog.com
Verdict:
Malicious activity
Analysis date:
2021-09-11 18:39:05 UTC
Tags:
trojan evasion rat redline loader stealer vidar kelihos
Link:
https://app.any.run/tasks/d681f25c-50e0-4642-93ce-60e27e03de80

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187091/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7b46154-c28e-4962-b27c-805e1388d226
Result
Threat name:
BitCoin Miner RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849252
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Detected unpacking (changes PE section rights)
DNS related to crypt mining pools
Drops PE files with benign system names
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 481680 Sample: fIlUUmpx1U Startdate: 11/09/2021 Architecture: WINDOWS Score: 100 107 phonefix.bar 104.21.10.67 CLOUDFLARENETUS United States 2->107 109 xmr-asia1.nanopool.org 2->109 111 4 other IPs or domains 2->111 147 Multi AV Scanner detection for domain / URL 2->147 149 Malicious sample detected (through community Yara rule) 2->149 151 Antivirus detection for URL or domain 2->151 153 18 other signatures 2->153 11 fIlUUmpx1U.exe 16 8 2->11         started        14 svchost.exe 2->14         started        17 svchost.exe 2->17         started        20 9 other processes 2->20 signatures3 process4 dnsIp5 81 C:\Program Files (x86)\SmartPDF\...\stats.exe, PE32 11->81 dropped 83 C:\Program Files (x86)\SmartPDF\...\Setup.exe, PE32 11->83 dropped 85 C:\Users\user\AppData\Local\...\temp_0.tmp, Microsoft 11->85 dropped 22 Setup.exe 14 7 11->22         started        27 stats.exe 2 11->27         started        173 Changes security center settings (notifications, updates, antivirus, firewall) 14->173 103 127.0.0.1 unknown unknown 17->103 105 192.168.2.1 unknown unknown 17->105 file6 signatures7 process8 dnsIp9 113 activityhike.com 95.142.37.102 EUROBYTEEurobyteLLCMoscowRussiaRU Russian Federation 22->113 115 platformsforyoutube.top 193.38.50.104 ASBAXETNRU Russian Federation 22->115 117 2 other IPs or domains 22->117 63 C:\Users\user\AppData\...\foradvertising.exe, PE32 22->63 dropped 65 C:\Users\user\AppData\Local\Temp\SMart.exe, PE32 22->65 dropped 67 C:\Users\user\...\PublicDwlBrowser144.exe, PE32 22->67 dropped 69 C:\Users\user\AppData\Local\...\Mortician.exe, PE32 22->69 dropped 167 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->167 29 PublicDwlBrowser144.exe 22->29         started        34 SMart.exe 15 32 22->34         started        71 C:\Users\user\AppData\Local\...\stats.tmp, PE32 27->71 dropped 36 stats.tmp 3 14 27->36         started        file10 signatures11 process12 dnsIp13 123 iplogger.org 88.99.66.31 HETZNER-ASDE Germany 29->123 125 startupmart.bar 104.21.37.182 CLOUDFLARENETUS United States 29->125 87 C:\ProgramData\7681948.exe, PE32 29->87 dropped 89 C:\ProgramData\4838241.exe, PE32 29->89 dropped 91 C:\ProgramData\4343735.exe, PE32 29->91 dropped 93 C:\ProgramData\3033059.exe, PE32 29->93 dropped 175 Machine Learning detection for dropped file 29->175 38 7681948.exe 29->38         started        42 3033059.exe 29->42         started        127 18.118.84.99 MIT-GATEWAYSUS United States 34->127 129 api.ip.sb 34->129 177 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->177 179 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 34->179 181 Tries to steal Crypto Currency Wallets 34->181 45 conhost.exe 34->45         started        131 ipinfo.io 34.117.59.81, 443, 49737, 49738 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 36->131 133 ipqualityscore.com 172.67.72.12, 443, 49739 CLOUDFLARENETUS United States 36->133 135 2 other IPs or domains 36->135 95 C:\Users\user\AppData\Local\...\Setup.exe, PE32+ 36->95 dropped 97 C:\Users\user\AppData\...\itdownload.dll, PE32 36->97 dropped 99 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 36->99 dropped 101 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 36->101 dropped 183 May check the online IP address of the machine 36->183 47 Setup.exe 36->47         started        file14 signatures15 process16 dnsIp17 119 wheelllc.bar 104.21.64.202 CLOUDFLARENETUS United States 38->119 121 172.67.136.53 CLOUDFLARENETUS United States 38->121 155 Multi AV Scanner detection for dropped file 38->155 157 Tries to harvest and steal browser information (history, passwords, etc) 38->157 73 C:\Users\user\AppData\...\WinHoster.exe, PE32 42->73 dropped 159 Detected unpacking (changes PE section rights) 42->159 75 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 47->75 dropped 77 C:\Users\user\AppData\Local\...\Services.exe, PE32+ 47->77 dropped 79 C:\Users\user\AppData\...\sihost64.exe, PE32+ 47->79 dropped 161 Machine Learning detection for dropped file 47->161 163 Sample is not signed and drops a device driver 47->163 165 Drops PE files with benign system names 47->165 49 Services.exe 47->49         started        52 sihost64.exe 47->52         started        54 cmd.exe 47->54         started        file18 signatures19 process20 signatures21 137 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 49->137 139 Machine Learning detection for dropped file 49->139 141 Modifies the context of a thread in another process (thread injection) 49->141 143 Injects a PE file into a foreign processes 49->143 56 Services.exe 52->56         started        145 Uses schtasks.exe or at.exe to add and modify task schedules 54->145 59 conhost.exe 54->59         started        61 schtasks.exe 54->61         started        process22 signatures23 169 Modifies the context of a thread in another process (thread injection) 56->169 171 Injects a PE file into a foreign processes 56->171
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b347c6eade78ebc01ccf2df5b9c4b026ccda51c59ecd549bdf7186a5546724c/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-11 18:47:08 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jm2hy3vn46hlyaom6lpvxhclajwm3ji4lhwnksn564mguvkgojga._file
Verdict:
malicious
Similar samples:
4940200e009c811c47fe102fe47b20f32cf6b1abf309759b24b6a4f79a26b708
CoinMiner
57e2f9ee6aaad4097ac2b1151fe1cf9546c8fbc470670b73c8039285f4fd4db5
CoinMiner
75b77800228079a5b6b94166581b2b406f6dca7baf3a9fb163aa0a2d2a89926b
CoinMiner
b93bc07850c2c22986d7b4408131bd34d0fea6f1867933732ae13624fee5fd76
CoinMiner
d94fd5cde3574048397162ee252ed9fd3b6ad79ad02b63eb513c78911c2191ab
CoinMiner
da6332feebc2a530509de0c661231bbd427327c31d6607a6a9286db710b68795
CoinMiner
f54decb2e130b98a9bfe13d57fe46af74d408720f490a1df519417125d2c206c
CoinMiner
+ 471 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:xmrig botnet:live botnet:sonia30 discovery evasion infostealer miner persistence spyware stealer trojan
Link:
https://tria.ge/reports/210911-xe665sbfd5/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
Process spawned unexpected child process
RedLine
RedLine Payload
xmrig
Malware Config
C2 Extraction:
18.118.84.99:1050
94.103.94.214:29899
Unpacked files
SH256 hash:
ec32b38e5ad5c285c1d6d8237341a99772709e8e4ea23db953d63ab8f078379c
MD5 hash:
ccf4a60623b784b084855d0468d76eab
SHA1 hash:
9419cc65a1bb70e8780f6da7cedd169eb333db88
Link:
https://www.unpac.me/results/0036d00a-936b-4c74-aeaa-d1bfd0eb5100/
SH256 hash:
928d330f080a15fb139eacd3a89c09fd1121aec592aec541672e2931c2a49916
MD5 hash:
8edc20a940ec06aebf773eedd0714e71
SHA1 hash:
cbd0fe5ab5a367d2dfb8b64c2caeebef863adef4
Link:
https://www.unpac.me/results/0036d00a-936b-4c74-aeaa-d1bfd0eb5100/
SH256 hash:
6c003020787c1f10d8aa28ea3624eb4f5adb3abcb59f8384ae9ae0a83a0a99df
MD5 hash:
b1b5ba3788f894a45b691346b66dfba5
SHA1 hash:
1979fedb64948978b5c3f7ff57836fb9fc2fef66
Link:
https://www.unpac.me/results/0036d00a-936b-4c74-aeaa-d1bfd0eb5100/
SH256 hash:
4b347c6eade78ebc01ccf2df5b9c4b026ccda51c59ecd549bdf7186a5546724c
MD5 hash:
f67efbee10897235f033ca95576dc836
SHA1 hash:
b89dc8dbadd4da23b78028e2e4c635c146ab30db
Link:
https://www.unpac.me/results/0036d00a-936b-4c74-aeaa-d1bfd0eb5100/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b347c6eade78ebc01ccf2df5b9c4b026ccda51c59ecd549bdf7186a5546724c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 4b347c6eade78ebc01ccf2df5b9c4b026ccda51c59ecd549bdf7186a5546724c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1611560/
Cape
Cape
https://www.capesandbox.com/analysis/187091/

Comments


Avatar
zbet commented on 2021-09-11 18:46:34 UTC

url : hxxp://c115ccef-fcb1-4039-a9a5-8e09a6993f8d.s3.eu-west-2.amazonaws.com/Download/SmartPDF.exe