MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56a337b72603f3c64d01687525a5159b7e6ca99e1218fceee30e4add7062995b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56a337b72603f3c64d01687525a5159b7e6ca99e1218fceee30e4add7062995b
SHA3-384 hash: 3425c1761888276d99bddbd24415b0d1a38f81efd00695532401f9341f5227ae3d42ea4f347d71d144481b8cc282edbe
SHA1 hash: f386ba812dde59f9f5dc6225ac76c5395c51658f
MD5 hash: d058070185ce0073e1985adf8ec980c1
humanhash: ink-hotel-eleven-oxygen
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:6'771'712 bytes
First seen:2023-06-13 15:01:52 UTC
Last seen:2025-01-23 17:23:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e02b276fa1385eca0c7dc7a4b0d621ad (1 x Tofsee, 1 x RedLineStealer, 1 x PrivateLoader)
ssdeep 196608:8LxItOkvQML7XD13Uxy87lPKpFIey6Jre:8utrvZfXp3ey87lkFBy6
Threatray 185 similar samples on MalwareBazaar
TLSH T1CC6623332211808DD0EAC535D53BECF472F62EBAC681687F75AA7CC6393B5A58613913
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d6e8e8e8e8e8e8d6 (2 x PrivateLoader, 1 x RedLineStealer, 1 x CoinMiner)
Reporter andretavare5
Tags:CoinMiner exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc228185173_661474995?hash=ngbrX548PNwmO62piUAzo3za7V0SLpwMeOYARFPg9vk&dl=GdO4pFVV2NMD12LImqluZ4Bi9ACF30Jro63eHRLZyCs&api=1&no_preview=1

Intelligence

File Origin
# of uploads :
306
# of downloads :
341
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-06-13 15:04:49 UTC
Tags:
evasion privateloader loader amadey smoke trojan kelihos
Link:
https://app.any.run/tasks/ab568c34-9179-494a-adda-6e245aa85bd6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/398459/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.1758.9759.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Replacing files
DNS request
Sending a custom TCP request
Launching a service
Launching a process
Sending an HTTP GET request
Reading critical registry keys
Creating a file
Sending a UDP request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Forced system process termination
Creating a window
Searching for synchronization primitives
Searching for the window
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Query of malicious DNS domain
Launching a tool to kill processes
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/90500/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed packed shell32.dll
Link:
https://www.filescan.io/uploads/648884ebc6414862d206ed38/reports/e29abb42-3db1-4787-9c68-a2d2d42f26fa/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d213fec7-0a05-4762-b154-4159df6aaafd
Result
Threat name:
Amadey, Fabookie, Glupteba, Nymaim, Priv
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253715
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
DNS related to crypt mining pools
Found C&C like URL pattern
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected Glupteba
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected Raccoon Stealer v2
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 886732 Sample: file.exe Startdate: 13/06/2023 Architecture: WINDOWS Score: 100 129 45.12.253.72 CMCSUS Germany 2->129 131 45.12.253.75 CMCSUS Germany 2->131 133 5 other IPs or domains 2->133 155 Snort IDS alert for network traffic 2->155 157 Found malware configuration 2->157 159 Malicious sample detected (through community Yara rule) 2->159 161 22 other signatures 2->161 12 file.exe 10 23 2->12         started        17 svchost.exe 2->17         started        19 svchost.exe 2->19         started        21 5 other processes 2->21 signatures3 process4 dnsIp5 143 45.15.156.229, 49684, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 12->143 145 45.9.74.80, 49690, 49692, 49694 FIRST-SERVER-EU-ASRU Russian Federation 12->145 147 2 other IPs or domains 12->147 123 C:\Users\...\opkd03gfeJavyCRM2qsGYAjb.exe, PE32 12->123 dropped 125 C:\Users\user\AppData\Local\...\obins[1].exe, PE32 12->125 dropped 127 C:\Windows\System32behaviorgraphroupPolicybehaviorgraphPT.INI, ASCII 12->127 dropped 207 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->207 209 May check the online IP address of the machine 12->209 211 Creates HTML files with .exe extension (expired dropper behavior) 12->211 215 4 other signatures 12->215 23 opkd03gfeJavyCRM2qsGYAjb.exe 5 12->23         started        213 Query firmware table information (likely to detect VMs) 17->213 26 WerFault.exe 19->26         started        28 WerFault.exe 19->28         started        30 WerFault.exe 19->30         started        32 WerFault.exe 19->32         started        file6 signatures7 process8 file9 101 C:\Users\user\AppData\Local\Temp\ss41.exe, PE32+ 23->101 dropped 103 C:\Users\user\AppData\Local\...\newplayer.exe, PE32 23->103 dropped 105 C:\Users\user\AppData\Local\...\2a344302.exe, PE32 23->105 dropped 34 newplayer.exe 3 23->34         started        38 2a344302.exe 23->38         started        40 ss41.exe 15 23->40         started        process10 dnsIp11 95 C:\Users\user\AppData\Local\...\oneetx.exe, PE32 34->95 dropped 163 Multi AV Scanner detection for dropped file 34->163 165 Contains functionality to inject code into remote processes 34->165 43 oneetx.exe 27 34->43         started        167 Detected unpacking (changes PE section rights) 38->167 169 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 38->169 171 Maps a DLL or memory area into another process 38->171 177 2 other signatures 38->177 47 explorer.exe 38->47 injected 137 us.imgjeoigaa.com 154.221.19.146, 49691, 80 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles 40->137 139 as.imgjeoigaa.com 39.109.117.57, 49693, 49696, 49705 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong 40->139 141 192.168.2.1 unknown unknown 40->141 97 C:\Users\...\ffb1140d075244b2d16b639f23deda7b, SQLite 40->97 dropped 173 Contains functionality to steal Chrome passwords or cookies 40->173 175 Tries to harvest and steal browser information (history, passwords, etc) 40->175 50 taskkill.exe 1 40->50         started        52 taskkill.exe 1 40->52         started        file12 signatures13 process14 dnsIp15 107 C:\Users\user\AppData\Local\...\XandETC.exe, PE32+ 43->107 dropped 109 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 43->109 dropped 111 C:\Users\user\AppData\Local\...\setup.exe, PE32 43->111 dropped 121 5 other malicious files 43->121 dropped 193 Multi AV Scanner detection for dropped file 43->193 195 Creates an undocumented autostart registry key 43->195 197 Uses schtasks.exe or at.exe to add and modify task schedules 43->197 54 setup.exe 43->54         started        58 3eef203fb515bda85f514e168abb5973.exe 43->58         started        60 toolspub2.exe 43->60         started        70 3 other processes 43->70 149 95.164.86.244 VAKPoltavaUkraineUA Gibraltar 47->149 151 201.124.226.142 UninetSAdeCVMX Mexico 47->151 153 4 other IPs or domains 47->153 113 C:\Users\user\AppData\Roaming\wafvfed, PE32 47->113 dropped 115 C:\Users\user\AppData\Local\TempB7A.exe, PE32 47->115 dropped 117 C:\Users\user\AppData\Local\Temp\A7BE.exe, PE32 47->117 dropped 119 C:\Users\user\AppData\Local\Temp\6A38.exe, PE32 47->119 dropped 199 System process connects to network (likely due to code injection or exploit) 47->199 201 Benign windows process drops PE files 47->201 203 Adds a directory exclusion to Windows Defender 47->203 205 Hides that the sample has been downloaded from the Internet (zone.identifier) 47->205 62 cmd.exe 47->62         started        64 cmd.exe 47->64         started        73 2 other processes 47->73 66 conhost.exe 50->66         started        68 conhost.exe 52->68         started        file16 signatures17 process18 dnsIp19 135 45.12.253.56, 49797, 80 CMCSUS Germany 54->135 179 Multi AV Scanner detection for dropped file 54->179 181 Detected unpacking (changes PE section rights) 54->181 183 Detected unpacking (overwrites its own PE header) 54->183 83 4 other processes 54->83 75 powershell.exe 58->75         started        185 Injects a PE file into a foreign processes 60->185 77 toolspub2.exe 60->77         started        187 Uses powercfg.exe to modify the power settings 62->187 189 Modifies power options to not sleep / hibernate 62->189 85 4 other processes 62->85 87 4 other processes 64->87 99 C:\Program Files99otepad\Chrome\updater.exe, PE32+ 70->99 dropped 191 Adds a directory exclusion to Windows Defender 70->191 79 conhost.exe 70->79         started        81 conhost.exe 70->81         started        89 6 other processes 70->89 91 2 other processes 73->91 file20 signatures21 process22 process23 93 conhost.exe 75->93         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56a337b72603f3c64d01687525a5159b7e6ca99e1218fceee30e4add7062995b/
Threat name:
Win32.Trojan.PrivateLoader
Create hunting rule
Status:
Malicious
First seen:
2023-06-13 15:02:08 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k2rtpnzgapz4mtibnb2sljivtn7gzkm6cimpz3xdbzfn24dctfnq._file
Verdict:
malicious
Similar samples:
0875f2085b2f40b96db96d317cfdd1d870541182d4200de33fae9cbefaf07797
CoinMiner
0fe82d10bd3a8156f1953f239d6afb87ede65c2f9b83bc76aed9a7f09ef55f26
CoinMiner
107c9c7d4ae2a5116eb395a8a5fc6e4de7b9fe60bf7ccadcbb7c14ae1049cdac
CoinMiner
1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746
CoinMiner
33f93086c8ad0c614e01c503d5c299b5fc86c480007597756de02884bccc5e67
CoinMiner
5f2e2a92401ea7488c47caffc88acce66e4e66c6c631ff44a35859ff8a4b66ac
CoinMiner
64d45bc38d4a4e60a23bb5fa06a2b99ec40bd86c8f0cdd7c68736ab192569e49
CoinMiner
c5ed5ae369da1d7784e5750e5da0ff898b438b79a7875590cad8bdd6af3e99f4
CoinMiner
e3d9fe1d6d23c0641c40e3b3eeda4b08f47f6b93e4afad127436fbaf61a7df4a
CoinMiner
f1c89c1085ed01fc56fe12cc23d1a98f5c9b0029fe45cb425f5ffb62d8e71176
CoinMiner
+ 175 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:fabookie family:gcleaner family:glupteba family:privateloader family:smokeloader family:xmrig botnet:pub5 botnet:up3 backdoor discovery dropper evasion loader miner persistence rootkit spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/230613-seflzagg54/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Detects videocard installed
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Manipulates WinMonFS driver.
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
UPX packed file
VMProtect packed file
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
XMRig Miner payload
Amadey
Detect Fabookie payload
Fabookie
GCleaner
Glupteba
Glupteba payload
Modifies security service
PrivateLoader
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Malware Config
C2 Extraction:
45.9.74.80/0bjdn2Z/index.php
http://aapu.at/tmp/
http://poudineh.com/tmp/
http://firsttrusteedrx.ru/tmp/
http://kingpirate.ru/tmp/
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
56a337b72603f3c64d01687525a5159b7e6ca99e1218fceee30e4add7062995b
MD5 hash:
d058070185ce0073e1985adf8ec980c1
SHA1 hash:
f386ba812dde59f9f5dc6225ac76c5395c51658f
Link:
https://www.unpac.me/results/c7d75b68-dfc5-42e5-86f1-411d313a3a8b/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/56a337b72603/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56a337b72603f3c64d01687525a5159b7e6ca99e1218fceee30e4add7062995b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/398459/

Comments