MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7be5baa4d9a45af1e6f15fdf6600537ed78e1694f9daa37741b5e8c3e58d7005. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7be5baa4d9a45af1e6f15fdf6600537ed78e1694f9daa37741b5e8c3e58d7005
SHA3-384 hash: 181886b310d049399afc2208e8523feabe68e573a887cced0747e11788e8bf4317a60f365d7cd783d33b429d7d77646e
SHA1 hash: 00abbc6a45d7009d8e166794289b39d0bb709ba5
MD5 hash: 6f78118b606c3c7c9bad1a9e0671cda8
humanhash: green-tennis-connecticut-seven
File name:Software updated by Dylox.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:3'303'436 bytes
First seen:2021-10-26 15:35:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep 98304:Bdb8T8lq8QlichCypby5gVraEog2F36dklnAqG:BOT8cUcQypbDVrEg2F6d0G
Threatray 1'285 similar samples on MalwareBazaar
TLSH T121E533F0808472E0C1FF54F9FAB0E7A5C81D8273D09855F5DAB595EA90BB527B3D9280
Reporter Anonymous
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
408
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/200312/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Searching for analyzing tools
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61782066a9d585e6d5395dac/reports/5dfd861a-aab3-42cc-8c54-9f06c0044f20/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3ef9a870-5eaa-4caf-8ed9-ce6dd30da266
Result
Threat name:
BitCoin Miner Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/877156
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Xmrig
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 509591 Sample: Software updated by Dylox.exe Startdate: 26/10/2021 Architecture: WINDOWS Score: 100 104 pool.hashvault.pro 131.153.142.106, 49729, 49731, 80 SSASN2US United States 2->104 106 pastebin.com 104.23.98.190, 443, 49730 CLOUDFLARENETUS United States 2->106 108 127.0.0.1 unknown unknown 2->108 130 Sigma detected: Xmrig 2->130 132 Malicious sample detected (through community Yara rule) 2->132 134 Antivirus detection for URL or domain 2->134 136 13 other signatures 2->136 13 Software updated by Dylox.exe 15 7 2->13         started        18 services64.exe 2->18         started        20 services32.exe 2->20         started        22 svchost.exe 2->22         started        signatures3 process4 dnsIp5 112 82.146.43.167, 49713, 49714, 80 THEFIRST-ASRU Russian Federation 13->112 114 iplogger.org 88.99.66.31, 443, 49715 HETZNER-ASDE Germany 13->114 94 C:\Users\user\AppData\Local\...\Server32.exe, PE32 13->94 dropped 96 C:\Users\user\AppData\...\Datafile64.exe, PE32+ 13->96 dropped 98 C:\Users\user\AppData\...\Datafile32.exe, PE32+ 13->98 dropped 100 C:\...\Software updated by Dylox.exe.log, ASCII 13->100 dropped 176 Query firmware table information (likely to detect VMs) 13->176 178 Hides threads from debuggers 13->178 180 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->180 24 Datafile64.exe 13->24         started        27 Datafile32.exe 13->27         started        29 Server32.exe 2 13->29         started        182 Tries to detect sandboxes and other dynamic analysis tools (window names) 18->182 184 Writes to foreign memory regions 18->184 186 Allocates memory in foreign processes 18->186 188 Creates a thread in another existing process (thread injection) 20->188 31 conhost.exe 2 20->31         started        file6 signatures7 process8 signatures9 140 Query firmware table information (likely to detect VMs) 24->140 142 Writes to foreign memory regions 24->142 144 Allocates memory in foreign processes 24->144 158 2 other signatures 24->158 33 conhost.exe 3 24->33         started        146 Multi AV Scanner detection for dropped file 27->146 148 Creates a thread in another existing process (thread injection) 27->148 37 conhost.exe 4 27->37         started        150 Antivirus detection for dropped file 29->150 152 Machine Learning detection for dropped file 29->152 154 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 29->154 39 Server32.exe 29->39         started        42 conhost.exe 29->42         started        156 Adds a directory exclusion to Windows Defender 31->156 44 cmd.exe 31->44         started        process10 dnsIp11 90 C:\Windows\System32\services64.exe, PE32+ 33->90 dropped 46 cmd.exe 33->46         started        49 cmd.exe 1 33->49         started        51 cmd.exe 33->51         started        92 C:\Users\user\services32.exe, PE32+ 37->92 dropped 124 Drops PE files to the user root directory 37->124 126 Uses nslookup.exe to query domains 37->126 128 Adds a directory exclusion to Windows Defender 37->128 53 cmd.exe 1 37->53         started        55 cmd.exe 1 37->55         started        57 cmd.exe 1 37->57         started        110 185.203.240.16, 1249, 49736 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Ukraine 39->110 file12 signatures13 process14 signatures15 170 Drops executables to the windows directory (C:\Windows) and starts them 46->170 59 services64.exe 46->59         started        62 conhost.exe 46->62         started        70 3 other processes 49->70 72 2 other processes 51->72 64 services32.exe 53->64         started        66 conhost.exe 53->66         started        172 Uses schtasks.exe or at.exe to add and modify task schedules 55->172 174 Adds a directory exclusion to Windows Defender 55->174 68 powershell.exe 21 55->68         started        74 2 other processes 55->74 76 2 other processes 57->76 process16 signatures17 160 Query firmware table information (likely to detect VMs) 59->160 162 Writes to foreign memory regions 59->162 164 Allocates memory in foreign processes 59->164 168 2 other signatures 59->168 166 Creates a thread in another existing process (thread injection) 64->166 78 conhost.exe 64->78         started        process18 dnsIp19 116 github.com 140.82.121.4, 443, 49720 GITHUBUS United States 78->116 118 raw.githubusercontent.com 185.199.109.133, 443, 49721 FASTLYUS Netherlands 78->118 120 2 other IPs or domains 78->120 102 C:\Users\user\AppData\...\sihost32.exe, PE32+ 78->102 dropped 122 Adds a directory exclusion to Windows Defender 78->122 83 cmd.exe 78->83         started        file20 signatures21 process22 signatures23 138 Adds a directory exclusion to Windows Defender 83->138 86 conhost.exe 83->86         started        88 powershell.exe 83->88         started        process24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7be5baa4d9a45af1e6f15fdf6600537ed78e1694f9daa37741b5e8c3e58d7005/
Threat name:
ByteCode-MSIL.Backdoor.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-10-26 15:36:08 UTC
AV detection:
20 of 44 (45.45%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
486792753b8bf6ae281a6fdb7783f482f288d6c783c603ebd8e31e6a0f354669
CoinMiner
554280d027e0ca9fac59307569a6352f04371cb55b35301b0a9432069ffc82c3
CoinMiner
6a0d05477e23fc1152067fc51d50a044bccf0e0a0654dbae1864df792400e935
CoinMiner
83183a8d40a911690ac0064964d07bac630a508a63a43b56fb61ed405d8d8900
CoinMiner
89e3b00acfc8b0904398665280312cf9a2b426db3eb77b2e5303131de48a2dde
CoinMiner
8c373102d98ba3188c4361deee0bd43f89e4e8785b613a7af99bddd45329303d
CoinMiner
c8b1c11bf16a1052dffb6942d955c31cdad7f0b154e1f855882d4d95359efa54
CoinMiner
f4f37faf7b52b7544ee58a029dcc54a71941aedcdd2b4eacda2f39c3217aad48
CoinMiner
+ 1'275 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:xmrig botnet:youtube discovery evasion infostealer miner spyware stealer themida trojan
Link:
https://tria.ge/reports/211026-s1xsdahgh7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
RedLine
RedLine Payload
xmrig
Malware Config
C2 Extraction:
185.203.240.16:1249
Unpacked files
SH256 hash:
dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
MD5 hash:
c02a029c978f13b753c6b578b1588c75
SHA1 hash:
e125d59451e7f467bfd329a00a506decbcd91d83
Link:
https://www.unpac.me/results/12b34f3b-f23f-4b2c-a9ca-67b81e123553/
SH256 hash:
7be5baa4d9a45af1e6f15fdf6600537ed78e1694f9daa37741b5e8c3e58d7005
MD5 hash:
6f78118b606c3c7c9bad1a9e0671cda8
SHA1 hash:
00abbc6a45d7009d8e166794289b39d0bb709ba5
Link:
https://www.unpac.me/results/12b34f3b-f23f-4b2c-a9ca-67b81e123553/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.84
Link:
https://yomi.yoroi.company/submissions/7be5baa4d9a45af1e6f15fdf6600537ed78e1694f9daa37741b5e8c3e58d7005

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/200312/

Comments