MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 618d5757cf057b15ac4608340b2c7f641bf56661da501b5084b0fa9212a1dcfd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 618d5757cf057b15ac4608340b2c7f641bf56661da501b5084b0fa9212a1dcfd
SHA3-384 hash: 21976be94e2f60db382fe57e1ff8130f36ef7f7c1f99a3961ead39bdb8c0540729a3a2bc229c3f710cdaee9518477ba0
SHA1 hash: 472bb042dc730fddad7d4dd3b48d4369de463845
MD5 hash: 47d27bb5f4a208f3081471d00e87d1e4
humanhash: fix-vegan-cola-solar
File name:47d27bb5f4a208f3081471d00e87d1e4
Download: download sample
Signature CoinMiner
Create hunting rule
File size:3'677'184 bytes
First seen:2023-07-03 12:54:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4170fdb8933a7ec27e3266f6fc460d37 (5 x RedLineStealer, 1 x CoinMiner)
ssdeep 24576:wtpH9qTz57hM4/btkcXoTYMl6cexqJJnDIT69NyvONbeKtppAFZg+v:qM57hr7+MxqJJnsT69dbeKtp4
Threatray 38 similar samples on MalwareBazaar
TLSH T1FC068B11F4C14B9BD77324B498DA84B296BF46210F5161DBFBE810C49BF92F49F322A9
TrID 56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.1% (.EXE) Win32 Executable (generic) (4505/5/1)
3.7% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
325
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
47d27bb5f4a208f3081471d00e87d1e4
Verdict:
Suspicious activity
Analysis date:
2023-07-03 12:57:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bc11613a-1bb0-4120-b880-195508cd6768

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/405924/
Detection(s):
SecuriteInfo.com.Trojan.Heur2.GRW@IHbktgci.30267.8655.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Creating a window
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/95321/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/64a2c52b3d1253262b2d3dde/reports/af2e4919-e85a-4a48-b2e5-84f3eb99a4df/overview
Verdict:
Malicious
Labled as:
Trojan.Heur2.Generic
Link:
https://www.hybrid-analysis.com/sample/618d5757cf057b15ac4608340b2c7f641bf56661da501b5084b0fa9212a1dcfd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9eec192f-2d60-44b3-aa10-39f7dbcc5dc7
Result
Threat name:
MinerDownloader, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1266018
Signature
Allocates memory in foreign processes
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic MinerDownloader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1266018 Sample: 33k7J6zwKH.exe Startdate: 03/07/2023 Architecture: WINDOWS Score: 100 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected Generic MinerDownloader 2->54 56 Yara detected Xmrig cryptocurrency miner 2->56 58 4 other signatures 2->58 9 33k7J6zwKH.exe 2->9         started        process3 signatures4 62 Writes to foreign memory regions 9->62 64 Allocates memory in foreign processes 9->64 66 Injects a PE file into a foreign processes 9->66 12 AppLaunch.exe 1 9->12         started        15 WerFault.exe 23 9 9->15         started        process5 file6 72 Contains functionality to inject code into remote processes 12->72 74 Injects a PE file into a foreign processes 12->74 18 AppLaunch.exe 15 31 12->18         started        23 conhost.exe 12->23         started        46 C:\ProgramData\Microsoft\...\Report.wer, Unicode 15->46 dropped signatures7 process8 dnsIp9 48 github.com 140.82.121.3, 443, 49725, 49726 GITHUBUS United States 18->48 50 pastebin.com 172.67.34.170, 443, 49724 CLOUDFLARENETUS United States 18->50 44 C:\ProgramData\HostData\logs.uce, ASCII 18->44 dropped 60 Sample is not signed and drops a device driver 18->60 25 cmd.exe 1 18->25         started        28 cmd.exe 1 18->28         started        30 cmd.exe 1 18->30         started        file10 signatures11 process12 signatures13 68 Encrypted powershell cmdline option found 25->68 70 Uses schtasks.exe or at.exe to add and modify task schedules 25->70 32 powershell.exe 20 25->32         started        34 conhost.exe 25->34         started        36 conhost.exe 28->36         started        38 schtasks.exe 1 28->38         started        40 conhost.exe 30->40         started        42 schtasks.exe 1 30->42         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/618d5757cf057b15ac4608340b2c7f641bf56661da501b5084b0fa9212a1dcfd/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-07-02 19:40:17 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mggvov6pav5rllcgba2awld7mqn7kztb3jibwueewd5jeevb3t6q._file
Verdict:
malicious
Similar samples:
0010b7ec1d9f4bea9f2ca750de9467dc81b75cbb2b4c82f4843e863615409f1e
CoinMiner
02c640ef3ac9d7fa8c919b0f72bb85413ef3e9803d2d091277b9a7c41f52e9d9
CoinMiner
0e59fafb2de30f5fa5b6cce425f40115180b373592e1a201702742a6e8f21cc9
CoinMiner
43f7dfd100d1188143e4ab71a4f513c85568e2b1a9999690618e3f3eaebd4099
CoinMiner
75ae798473d4f1a4025f1a07e44fa307a0a317903a42b7e93a9a63b543efa255
CoinMiner
99140bcea0df5df002662cbbbbf8de1369bad231868368015a29e57c5cd9b80f
CoinMiner
d0873782fa5d4851ddd95e98767467d177e1b42a684b202cd681968ea2ece832
CoinMiner
db78b5b857378304d5d72a826a2f1e261a71791eda971bf952cbd8182bbc62bd
CoinMiner
dc4df62efb7c9b410401653297e66098809afa302874d98711b82e20864a8049
CoinMiner
dcbc00932f5016baaa92523df27c27a836f674381bb8a392f4f58781a483adbc
CoinMiner
+ 28 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230703-p5r6xahg51/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
1a2429e3b6098b0505567ed65528f6d61413af340d30ce495518abf8d5a9cf04
MD5 hash:
15edaecbc89606fe9d9d6b971afd9abe
SHA1 hash:
7b730e9ff4550afc7a96748e0c6f84f3d7d26853
Link:
https://www.unpac.me/results/ac69aa09-6464-4c5d-9355-b7cdcaf916ff/
SH256 hash:
618d5757cf057b15ac4608340b2c7f641bf56661da501b5084b0fa9212a1dcfd
MD5 hash:
47d27bb5f4a208f3081471d00e87d1e4
SHA1 hash:
472bb042dc730fddad7d4dd3b48d4369de463845
Link:
https://www.unpac.me/results/ac69aa09-6464-4c5d-9355-b7cdcaf916ff/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/618d5757cf05/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 618d5757cf057b15ac4608340b2c7f641bf56661da501b5084b0fa9212a1dcfd

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/405924/
  
URLhaus
https://urlhaus.abuse.ch/url/2675973/

Comments


Avatar
zbet commented on 2023-07-03 12:54:35 UTC

url : hxxps://acienco.com/mmfqdf2p9r107.exe