MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 786cfe1759666fb139dcee757637e7c0d92586caaf6020eb60b455d7bd2251e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 786cfe1759666fb139dcee757637e7c0d92586caaf6020eb60b455d7bd2251e8
SHA3-384 hash: f12415942def5d110aefbec4ab2505651333d6ab6e401ddf0bab39c3139a6ac8a18675d8cbd51d2695f785088f11a57c
SHA1 hash: f5beda1a8599b043483bc21db2f1ea80795246c7
MD5 hash: f56e50f8ee4dfb577cbb3f53f42ed20c
humanhash: burger-blue-purple-kentucky
File name:f56e50f8ee4dfb577cbb3f53f42ed20c
Download: download sample
Signature CoinMiner
Create hunting rule
File size:3'574'272 bytes
First seen:2022-07-14 04:26:41 UTC
Last seen:2022-07-15 03:22:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cb2fea05369697a6eaeb692aa62f1b70 (1 x CoinMiner)
ssdeep 98304:L2CgTecDhJLSeX4VDgtLEycahCF/sFQTxEgzuNwKT4mxM/:oqcDvX4KoxZsFQTxdywtmxM
Threatray 2'072 similar samples on MalwareBazaar
TLSH T135F5016A61403798C45BC1BC4533ED8AB3F6161E0FE9A5DE71EBB6C077EA850DA42F01
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter openctibr
Tags:CoinMiner exe OpenCTI.BR Sandboxed

Intelligence

File Origin
# of uploads :
3
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
c16be95ae9d0a7dd8d96898a690c34be3b258416865f1b250c3cbed936a6462d.zip
Verdict:
Malicious activity
Analysis date:
2022-07-10 16:12:37 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/cf09c2b7-f844-493e-9f91-c9d0dc788fe3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/287942/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.22923.16677.8916.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Delayed reading of the file
Searching for synchronization primitives
Connecting to a cryptocurrency mining pool
Creating a service
Launching a service
Loading a system driver
Launching a process
Launching the process to change network settings
Enabling autorun for a service
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62cf9b1fec671b846f906a0c/reports/67674213-806e-4f7b-9ead-07a5dcfa7e6e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XMRig Miner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9b720c2e-46c5-4b81-9ecb-61f42d7f0c2f
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1032064
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Creates files in the system32 config directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 664558 Sample: bQQHP9ciRL Startdate: 15/07/2022 Architecture: WINDOWS Score: 100 91 Malicious sample detected (through community Yara rule) 2->91 93 Multi AV Scanner detection for dropped file 2->93 95 Multi AV Scanner detection for submitted file 2->95 97 4 other signatures 2->97 11 bQQHP9ciRL.exe 41 2->11         started        16 System.exe 19 2->16         started        process3 dnsIp4 81 api.telegram.org 149.154.167.220, 443, 49754, 49771 TELEGRAMRU United Kingdom 11->81 83 cdn.discordapp.com 162.159.129.233, 443, 49755, 49762 CLOUDFLARENETUS United States 11->83 89 2 other IPs or domains 11->89 73 C:\ProgramData\UpSys.exe, PE32+ 11->73 dropped 75 C:\ProgramData\Systemd\old.exe (copy), PE32+ 11->75 dropped 77 C:\ProgramData\Systemd\mvsc32.exe, PE32+ 11->77 dropped 79 3 other files (2 malicious) 11->79 dropped 107 May check the online IP address of the machine 11->107 109 Modifies the windows firewall 11->109 111 Adds a directory exclusion to Windows Defender 11->111 18 mvsc32.exe 11->18         started        21 powershell.exe 30 11->21         started        23 WerFault.exe 11->23         started        32 14 other processes 11->32 85 192.168.2.1 unknown unknown 16->85 87 api.ipify.org 16->87 113 Multi AV Scanner detection for dropped file 16->113 115 Machine Learning detection for dropped file 16->115 117 Tries to detect virtualization through RDTSC time measurements 16->117 26 powershell.exe 16->26         started        28 cmd.exe 16->28         started        30 cmd.exe 16->30         started        34 3 other processes 16->34 file5 signatures6 process7 file8 99 Antivirus detection for dropped file 18->99 101 Multi AV Scanner detection for dropped file 18->101 103 Machine Learning detection for dropped file 18->103 105 Uses netsh to modify the Windows network and firewall settings 21->105 36 UpSys.exe 21->36         started        38 conhost.exe 21->38         started        40 netsh.exe 21->40         started        71 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 23->71 dropped 42 UpSys.exe 26->42         started        48 2 other processes 26->48 50 2 other processes 28->50 44 conhost.exe 30->44         started        46 conhost.exe 32->46         started        52 17 other processes 32->52 signatures9 process10 process11 54 UpSys.exe 36->54         started        56 UpSys.exe 42->56         started        process12 58 UpSys.exe 54->58         started        60 UpSys.exe 56->60         started        process13 62 powershell.exe 58->62         started        65 powershell.exe 60->65         started        signatures14 119 Creates files in the system32 config directory 62->119 67 conhost.exe 62->67         started        69 conhost.exe 65->69         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/786cfe1759666fb139dcee757637e7c0d92586caaf6020eb60b455d7bd2251e8/
Threat name:
Win64.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2022-07-10 17:35:00 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
15 of 26 (57.69%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pbwp4f2zmzx3coo45z2xmn7hydmslbwkv5qcb23awrk5ppjckhua._file
Verdict:
malicious
Similar samples:
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d
CoinMiner
273ad5a2b3f62bd80b72a345fc153d30f3852301ed8d60ad40584086d7ee7735
CoinMiner
4fa28556557b228a0cabb6a51597217e09afdf58a140b1181f0bd8325e6e4d0f
CoinMiner
87300e6563c7ac9d8d758b219d135fb8b84a7788419a0ddd8c3470cc1e739eae
CoinMiner
a3fa04d27872b1fea175ee7ca2665ee3b8384db4b6a93f8015cc47e6dddf757d
CoinMiner
bc12a9f0d046b1c0e2d783f1ad825a0190669e36b00f1070d32bd55566be85ef
CoinMiner
d2205532e27cf8ae9dbc0a62fdf3fca598f5fa8f9cc948bec49df54b0b8a8cd6
CoinMiner
e0ba9bc255356e77c0953b12176294874fedc482796db4c2a3e8e23e1085ae0e
CoinMiner
f60ee59dc9b055fa1d144a448f76fd85a68129c3a34dcda79a0a56adf38ce797
CoinMiner
feb09cc39b1520d228e9e9274500b8c229016d6fc8018a2bf19aa9d3601492c5
CoinMiner
+ 2'062 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner
Link:
https://tria.ge/reports/220714-e25ygsgde3/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
XMRig Miner payload
Modifies security service
xmrig
Unpacked files
SH256 hash:
786cfe1759666fb139dcee757637e7c0d92586caaf6020eb60b455d7bd2251e8
MD5 hash:
f56e50f8ee4dfb577cbb3f53f42ed20c
SHA1 hash:
f5beda1a8599b043483bc21db2f1ea80795246c7
Link:
https://www.unpac.me/results/7a5cf911-f628-47f5-a1b6-d4124161ee52/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/786cfe175966/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/786cfe1759666fb139dcee757637e7c0d92586caaf6020eb60b455d7bd2251e8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/287942/

Comments