MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c460183b2d30ca0c2ac62f60f5cc43da0828a5ffb410d37e5686051a2652080. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c460183b2d30ca0c2ac62f60f5cc43da0828a5ffb410d37e5686051a2652080
SHA3-384 hash: 868b8d3cd0ced427aa793c7849911f17f4828653f0f8feb679b888de6396978cee5c7a5517fa4c05dcdc806c7eea8688
SHA1 hash: 91c0e54864cb10b7580813f7fa8cd611a2245450
MD5 hash: 5793263628d9bc593d8de27570618176
humanhash: finch-friend-lemon-tennessee
File name:5793263628d9bc593d8de27570618176.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'061'888 bytes
First seen:2023-10-16 08:14:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 24576:D4YMaXI/6JEtsJcQxeSUVxHNd1DySU7L5z:8YKEEtsrxepVxtdhBUR
Threatray 2 similar samples on MalwareBazaar
TLSH T1C3353A50E7F9E609E0FE4231DDB062D0A2B26E737722D279CC06F565386C6D78DC0A66
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
307
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
5793263628d9bc593d8de27570618176.exe
Verdict:
Malicious activity
Analysis date:
2023-10-16 08:23:24 UTC
Tags:
opendir loader trojan amadey botnet stealer privateloader evasion risepro stealc redline ransomware stop smoke sinkhole vidar arkei
Link:
https://app.any.run/tasks/49203ed6-c059-4c66-9bc8-580a8735cbfb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/454756/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.19231.8128.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Launching cmd.exe command interpreter
Creating a window
Blocking the User Account Control
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/652cf116e66ef03f1779aa78/reports/7e0527a8-9a2a-408d-af9e-c087944a2668/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/4c460183b2d30ca0c2ac62f60f5cc43da0828a5ffb410d37e5686051a2652080
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a59bba4c-3e44-4fc9-b72f-0d092b9bc717
Result
Threat name:
Amadey, Glupteba, RedLine
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1326277
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops script or batch files to the startup folder
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1326277 Sample: 7fSMGiQY2Q.exe Startdate: 16/10/2023 Architecture: WINDOWS Score: 100 159 Multi AV Scanner detection for domain / URL 2->159 161 Found malware configuration 2->161 163 Malicious sample detected (through community Yara rule) 2->163 165 20 other signatures 2->165 11 7fSMGiQY2Q.exe 2 4 2->11         started        14 svchost.exe 2->14         started        17 powershell.exe 2->17         started        19 5 other processes 2->19 process3 dnsIp4 199 Writes to foreign memory regions 11->199 201 Allocates memory in foreign processes 11->201 203 Adds a directory exclusion to Windows Defender 11->203 205 2 other signatures 11->205 21 AddInProcess32.exe 15 297 11->21         started        26 powershell.exe 23 11->26         started        28 CasPol.exe 11->28         started        155 96.7.232.109 AKAMAI-ASN1EU United States 14->155 157 127.0.0.1 unknown unknown 14->157 30 conhost.exe 17->30         started        32 WerFault.exe 19->32         started        signatures5 process6 dnsIp7 147 85.217.144.143 WS171-ASRU Bulgaria 21->147 149 107.167.110.211 OPERASOFTWAREUS United States 21->149 151 18 other IPs or domains 21->151 103 C:\Users\...\zROhRMkZauaPQTJIWkI9mQXt.exe, PE32 21->103 dropped 105 C:\Users\...\zAihw3OyQVnBkVaDP8tprcsE.exe, PE32 21->105 dropped 107 C:\Users\...\yzfShdtZ1wYnsRSZnR6vzUm7.exe, PE32+ 21->107 dropped 109 158 other malicious files 21->109 dropped 189 Drops script or batch files to the startup folder 21->189 191 Creates HTML files with .exe extension (expired dropper behavior) 21->191 193 Writes many files with high entropy 21->193 34 UdSpXJACQMYn5QYvqrSjya5H.exe 21->34         started        39 2hOi3pfd5t1UKQd0TFcz65wR.exe 21->39         started        41 xqzTnG6nZqLR62rLWWWVD64w.exe 21->41         started        45 9 other processes 21->45 43 conhost.exe 26->43         started        file8 signatures9 process10 dnsIp11 131 87.240.137.134 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 34->131 133 93.186.225.194 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 34->133 141 13 other IPs or domains 34->141 85 C:\Users\...\zrubfylmRj1YRQkVa4nX6sXx.exe, PE32 34->85 dropped 87 C:\Users\...\xIkGm5PYaejWQYrZu2N8guBv.exe, PE32 34->87 dropped 89 C:\Users\...\xHPG4rTkzmKuyTkAxOwwj3EX.exe, PE32+ 34->89 dropped 97 21 other malicious files 34->97 dropped 167 Creates HTML files with .exe extension (expired dropper behavior) 34->167 169 Disables Windows Defender (deletes autostart) 34->169 171 Tries to harvest and steal browser information (history, passwords, etc) 34->171 183 2 other signatures 34->183 135 107.167.110.218 OPERASOFTWAREUS United States 39->135 137 107.167.125.189 OPERASOFTWAREUS United States 39->137 143 4 other IPs or domains 39->143 91 Opera_installer_2310160828308647400.dll, PE32 39->91 dropped 99 6 other malicious files 39->99 dropped 173 Writes many files with high entropy 39->173 47 2hOi3pfd5t1UKQd0TFcz65wR.exe 39->47         started        50 2hOi3pfd5t1UKQd0TFcz65wR.exe 39->50         started        52 2hOi3pfd5t1UKQd0TFcz65wR.exe 39->52         started        93 C:\Users\user\AppData\Local\...\nhdues.exe, PE32 41->93 dropped 175 Contains functionality to inject code into remote processes 41->175 54 nhdues.exe 41->54         started        139 172.67.222.167 CLOUDFLARENETUS United States 45->139 95 C:\Users\user\AppData\Local\...\Install.exe, PE32 45->95 dropped 101 3 other malicious files 45->101 dropped 177 Detected unpacking (changes PE section rights) 45->177 179 Detected unpacking (overwrites its own PE header) 45->179 181 Found Tor onion address 45->181 185 3 other signatures 45->185 file12 signatures13 process14 dnsIp15 113 Opera_installer_2310160828348088000.dll, PE32 47->113 dropped 115 C:\Users\user\AppData\...\opera_gx_splash.exe, PE32+ 47->115 dropped 117 C:\Users\user\AppData\Local\...\opera_elf.dll, PE32+ 47->117 dropped 127 13 other malicious files 47->127 dropped 58 2hOi3pfd5t1UKQd0TFcz65wR.exe 47->58         started        119 Opera_installer_2310160828325047436.dll, PE32 50->119 dropped 121 Opera_installer_2310160828336447724.dll, PE32 52->121 dropped 153 193.42.32.29 EENET-ASEE Germany 54->153 123 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 54->123 dropped 125 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 54->125 dropped 129 2 other malicious files 54->129 dropped 195 Creates an undocumented autostart registry key 54->195 197 Uses schtasks.exe or at.exe to add and modify task schedules 54->197 61 rundll32.exe 54->61         started        63 cmd.exe 54->63         started        65 schtasks.exe 54->65         started        67 rundll32.exe 54->67         started        file16 signatures17 process18 file19 111 Opera_installer_2310160828417738188.dll, PE32 58->111 dropped 69 rundll32.exe 61->69         started        72 conhost.exe 63->72         started        74 cmd.exe 63->74         started        76 cacls.exe 63->76         started        80 4 other processes 63->80 78 conhost.exe 65->78         started        process20 signatures21 187 Tries to harvest and steal browser information (history, passwords, etc) 69->187 82 WerFault.exe 69->82         started        process22 dnsIp23 145 20.189.173.20 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 82->145
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4c460183b2d30ca0c2ac62f60f5cc43da0828a5ffb410d37e5686051a2652080
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c460183b2d30ca0c2ac62f60f5cc43da0828a5ffb410d37e5686051a2652080/
Threat name:
Win32.Spyware.Vidar
Create hunting rule
Status:
Malicious
First seen:
2023-10-15 05:33:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
15 of 36 (41.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jrdada5s2mgkbqvmml3a6xgehwqifcs77naq2n7fnbqfditfecaa._file
Verdict:
malicious
Similar samples:
67d9651b26cb6dc1a1d6b9d072b3382555ddd0811d2beb0eab6cab27dfecd8f7
CoinMiner
ef6249a3f7b21f60e30397f6030e09e575458ac3f8409458bf4b17f1eaf23cb4
CoinMiner
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:glupteba family:privateloader family:xmrig dropper evasion loader miner trojan upx
Link:
https://tria.ge/reports/231016-j5lfgacg6w/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Launches sc.exe
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
UPX packed file
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
XMRig Miner payload
Amadey
Glupteba
Glupteba payload
PrivateLoader
UAC bypass
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://193.42.32.29/9bDc8sQ/index.php
Unpacked files
SH256 hash:
412e2bf4b236ffe1d76e940b1185edb97fdd387e82b232c51260a73704559c0d
MD5 hash:
25a767d7624cdff467b80646129e58c7
SHA1 hash:
05c83728fd08ab1afed2365b24e0fbb9e0911aaa
Link:
https://www.unpac.me/results/14f3ac0b-b58f-497d-bf90-8795d69a1c91/
SH256 hash:
4c460183b2d30ca0c2ac62f60f5cc43da0828a5ffb410d37e5686051a2652080
MD5 hash:
5793263628d9bc593d8de27570618176
SHA1 hash:
91c0e54864cb10b7580813f7fa8cd611a2245450
Link:
https://www.unpac.me/results/14f3ac0b-b58f-497d-bf90-8795d69a1c91/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/4c460183b2d30ca0c2ac62f60f5cc43da0828a5ffb410d37e5686051a2652080

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 4c460183b2d30ca0c2ac62f60f5cc43da0828a5ffb410d37e5686051a2652080

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2717427/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/454756/

Comments