MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55f429935a1ccd1ded86968c7ee688a3169031789ce4b1c23ad2375daef8d911. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner.XMRig


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55f429935a1ccd1ded86968c7ee688a3169031789ce4b1c23ad2375daef8d911
SHA3-384 hash: daef8708fcd99baa944efcc93c39aba80489e7ceb014777c7d517556b75a8ae4bd94c0863995ad1ddc387315f2d97f80
SHA1 hash: 94f64bc505c3036a4ef0a275e70be8d38f6c0710
MD5 hash: 5393e992690ce0c4e2e51695dd572968
humanhash: mississippi-seven-shade-burger
File name:5393e992690ce0c4e2e51695dd572968.exe
Download: download sample
Signature CoinMiner.XMRig
Create hunting rule
File size:301'568 bytes
First seen:2022-01-09 15:06:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 494d9e5cf9082316783ab2dc17a63b60 (1 x CoinMiner.XMRig, 1 x RaccoonStealer)
ssdeep 3072:WMsLsJFfpZVVPtFFgjXRFLp0xrfTBcl8WrxpzbgqruJ3fedz:WMsLyFjr3FsoTBDuzbgwuJ2
Threatray 6'215 similar samples on MalwareBazaar
TLSH T14C54BF3DBAECC832C4D306B49864DBD15A3EBC315965814B36241B6E5E33ECC4AE631E
File icon (PE):PE icon
dhash icon fcfcf4d4d4d4d8c0 (41 x RedLineStealer, 30 x RaccoonStealer, 9 x Smoke Loader)
Reporter abuse_ch
Tags:CoinMiner.XMRig exe


Avatar
abuse_ch
CoinMiner.XMRig C2:
45.9.20.101:23970

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.9.20.101:23970 https://threatfox.abuse.ch/ioc/292069/

Intelligence

File Origin
# of uploads :
1
# of downloads :
391
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5393e992690ce0c4e2e51695dd572968.exe
Verdict:
Suspicious activity
Analysis date:
2022-01-09 15:08:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/060a91cc-6f3f-44b2-ba2e-8f5805c2d0a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217915/
Detection(s):
Win.Malware.Mikey-9917879-0
Create hunting rule

Win.Packed.Lockbit-9919158-0
Create hunting rule

Win.Dropper.Tofsee-9919472-0
Create hunting rule

Win.Dropper.Lockbit-9919572-0
Create hunting rule

Win.Malware.Stopcrypt-9933337-0
Create hunting rule

Win.Dropper.Tofsee-9934046-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3926/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61daf9de1c0d769df9dbebb1/reports/ce9c7227-549c-41b6-9c2e-bdaba5204679/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9b7d2691-b19b-422d-811d-8eec841032aa
Result
Threat name:
RedLine SmokeLoader Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/917316
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 549792 Sample: XrXNyZO97R.exe Startdate: 09/01/2022 Architecture: WINDOWS Score: 100 82 patmushta.info 2->82 84 microsoft-com.mail.protection.outlook.com 2->84 130 Multi AV Scanner detection for domain / URL 2->130 132 Found malware configuration 2->132 134 Antivirus detection for URL or domain 2->134 136 14 other signatures 2->136 11 XrXNyZO97R.exe 2->11         started        13 sfjedje 2->13         started        16 cjjedje 2->16         started        18 2 other processes 2->18 signatures3 process4 signatures5 20 XrXNyZO97R.exe 11->20         started        148 Multi AV Scanner detection for dropped file 13->148 150 Contains functionality to inject code into remote processes 13->150 152 Injects a PE file into a foreign processes 13->152 23 sfjedje 13->23         started        154 Detected unpacking (changes PE section rights) 16->154 156 Machine Learning detection for dropped file 16->156 158 Maps a DLL or memory area into another process 16->158 164 2 other signatures 16->164 160 Writes to foreign memory regions 18->160 162 Allocates memory in foreign processes 18->162 25 svchost.exe 18->25         started        process6 dnsIp7 138 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->138 140 Maps a DLL or memory area into another process 20->140 142 Checks if the current machine is a virtual machine (disk enumeration) 20->142 28 explorer.exe 6 20->28 injected 144 Creates a thread in another existing process (thread injection) 23->144 88 microsoft-com.mail.protection.outlook.com 104.47.53.36, 25, 49806 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->88 90 patmushta.info 94.142.141.254, 443, 49809, 49827 IHOR-ASRU Russian Federation 25->90 146 System process connects to network (likely due to code injection or exploit) 25->146 signatures8 process9 dnsIp10 92 amogohuigotuli.at 28->92 94 185.233.81.115, 443, 49774 SUPERSERVERSDATACENTERRU Russian Federation 28->94 96 16 other IPs or domains 28->96 74 C:\Users\user\AppData\Roaming\sfjedje, PE32 28->74 dropped 76 C:\Users\user\AppData\Roaming\cjjedje, PE32 28->76 dropped 78 C:\Users\user\AppData\Local\Temp\D754.exe, PE32 28->78 dropped 80 6 other malicious files 28->80 dropped 166 System process connects to network (likely due to code injection or exploit) 28->166 168 Benign windows process drops PE files 28->168 170 Deletes itself after installation 28->170 172 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->172 33 41B5.exe 28->33         started        36 C717.exe 2 28->36         started        39 C5B3.exe 28->39         started        41 3 other processes 28->41 file11 signatures12 process13 file14 98 Multi AV Scanner detection for dropped file 33->98 100 Detected unpacking (changes PE section rights) 33->100 102 Machine Learning detection for dropped file 33->102 118 4 other signatures 33->118 70 C:\Users\user\AppData\Local\...\euisuyhc.exe, PE32 36->70 dropped 104 Detected unpacking (overwrites its own PE header) 36->104 106 Uses netsh to modify the Windows network and firewall settings 36->106 108 Modifies the windows firewall 36->108 43 cmd.exe 1 36->43         started        46 cmd.exe 2 36->46         started        48 sc.exe 1 36->48         started        56 3 other processes 36->56 110 Injects a PE file into a foreign processes 39->110 50 C5B3.exe 39->50         started        112 Query firmware table information (likely to detect VMs) 41->112 114 Tries to detect sandboxes and other dynamic analysis tools (window names) 41->114 116 Tries to evade analysis by execution special instruction which cause usermode exception 41->116 120 2 other signatures 41->120 53 D754.exe 2 41->53         started        signatures15 process16 dnsIp17 72 C:\Windows\SysWOW64\...\euisuyhc.exe (copy), PE32 43->72 dropped 58 conhost.exe 43->58         started        60 conhost.exe 46->60         started        62 conhost.exe 48->62         started        122 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 50->122 124 Maps a DLL or memory area into another process 50->124 126 Checks if the current machine is a virtual machine (disk enumeration) 50->126 128 Creates a thread in another existing process (thread injection) 50->128 86 86.107.197.138, 38133, 49814 MOD-EUNL Romania 53->86 64 conhost.exe 56->64         started        66 conhost.exe 56->66         started        68 conhost.exe 56->68         started        file18 signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55f429935a1ccd1ded86968c7ee688a3169031789ce4b1c23ad2375daef8d911/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-01-09 15:07:10 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kx2cte22dtgr33mgs2gh5zuiumljamlyttsldqr22i3v3lxy3eiq._file
Verdict:
malicious
Similar samples:
0f8a5ba0f6b15a60ca6a3d8f0687acf972cfd399078bfc342db76409f6bf2214
CoinMiner.XMRig
13b783d0b5826a825f6c402d295622d1913510155bdccbaad15b4bc633108523
CoinMiner.XMRig
3acc2e00534ea6d6347c0c73761d787305a62b829872ea02febe8984c3d3ae7c
CoinMiner.XMRig
4883c8f935d8c8397ffb003f72e4e515501820ebd37ca079c478ba5b7ed7b3d4
CoinMiner.XMRig
aea2cbc32b7925ab28e619b8deb5c540ea8e61ad631b02e348be04b87f44627a
CoinMiner.XMRig
b996410101b932721193c3cbe614edfe760875dab9d0067e16220fcec55d32fb
CoinMiner.XMRig
d6b47354dff2693d279b357d0901496908922679207ebef447e78160cd45bdf3
CoinMiner.XMRig
eb24b3b9375f0b3272fac6eecc9329f79eab274d802b2ad37037cc83a46fa3f1
CoinMiner.XMRig
+ 6'205 additional samples on MalwareBazaar
Result
Malware family:
tofsee
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:loaderbot family:raccoon family:smokeloader family:tofsee backdoor collection discovery evasion loader miner persistence spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/220109-sgspbadhep/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
UPX packed file
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
LoaderBot executable
Arkei
LoaderBot
Raccoon
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Tofsee
Windows security bypass
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
patmushta.info
parubey.info
Unpacked files
SH256 hash:
721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589
MD5 hash:
b984a027c8a2abf874f3eb306a831613
SHA1 hash:
d3b3f8890adc840b0bd411cf304eef15d415ed48
Link:
https://www.unpac.me/results/9ac81005-b7a1-4ed7-b56e-7d3724ef4740/
Parent samples :
fb9b41efdc7c2d9e8cfda4be223831a9d2f4d21366759da64e04bbbb9e662766
bc9d49f4f0d51c57b34515616d5e6a23a37fec03f8884d8305db0806bd6138fc
ecb96fec4db4a1eecef04c8ef12b260bb419407111c1263664749481b7fa5387
98c920233869ce802fb4722f982fc1a8c2461e2a01ea4a619a9532a660acf285
2fde1682e006e27b2deb49595ab3baf37a836577fbe9efdfae59d4b6b682d8b7
2374069183727dd5904a26027c80032f30dcff60d25019578876c0b37fa9c224
bd3030832602591f05fe01ef11feaa3b9fe776b2a184eb454f02cae3ab73340b
a0f15f4665835bb7f3b07d5e96d2b08af8e88614c9b22fc9fff86f4f60ee1a8e
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a
SH256 hash:
55f429935a1ccd1ded86968c7ee688a3169031789ce4b1c23ad2375daef8d911
MD5 hash:
5393e992690ce0c4e2e51695dd572968
SHA1 hash:
94f64bc505c3036a4ef0a275e70be8d38f6c0710
Link:
https://www.unpac.me/results/9ac81005-b7a1-4ed7-b56e-7d3724ef4740/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/55f429935a1c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55f429935a1ccd1ded86968c7ee688a3169031789ce4b1c23ad2375daef8d911

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner.XMRig

Executable exe 55f429935a1ccd1ded86968c7ee688a3169031789ce4b1c23ad2375daef8d911

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1928874/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1950845/
Cape
Cape
https://www.capesandbox.com/analysis/217915/

Comments