MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82f585a45f06cd6c344d3bf8fe6081a074ac38f83015d9675a2dc4e2363f5c20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82f585a45f06cd6c344d3bf8fe6081a074ac38f83015d9675a2dc4e2363f5c20
SHA3-384 hash: 4fbe7db15023f7ead256bdd5ced7adaa906df3ea452ba1e56c36fed13c1f9587ca2ea6657327a2e34e98906e798395ff
SHA1 hash: 1fb5c5b876563affb7ee45872e286cf0ffddb965
MD5 hash: 2d82ec0905de054cd685e6a52e2d9442
humanhash: pennsylvania-angel-march-ceiling
File name:2d82ec0905de054cd685e6a52e2d9442
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'608 bytes
First seen:2021-10-14 05:07:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4bfde1223391e32fec766cd1d41fa3e7 (7 x CoinMiner, 1 x BitRAT, 1 x QuasarRAT)
ssdeep 48:6e++Z+WjJaqoTiGBc798PXhMCCnyVJeYUT0KerZv8B13aLlzUR:5Z+mQqoT5qihXkyVJezCkv3aLlYR
Threatray 3 similar samples on MalwareBazaar
TLSH T1C091A4EBE728DD29C80F11397B72062167B2D3632582427BE75845F5DBC1896AD0F20D
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
286
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://cx55566.tmweb.ru/bloodteam.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-12 03:55:21 UTC
Tags:
loader
Link:
https://app.any.run/tasks/ed75313c-4368-408f-a3f9-c475fa62e0f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197411/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6167bb37fd35fe780c3f1b55/reports/f563f403-d753-49fc-9dd9-fd9a4c1864fc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ecb65718-858a-430e-9b65-95a97c461222
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/870194
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Defender Exclusion
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Xmrig
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 502618 Sample: BowEiR9zOO Startdate: 14/10/2021 Architecture: WINDOWS Score: 100 162 Sigma detected: Xmrig 2->162 164 Malicious sample detected (through community Yara rule) 2->164 166 Sigma detected: Powershell download and execute file 2->166 168 6 other signatures 2->168 14 BowEiR9zOO.exe 2->14         started        17 services64.exe 2->17         started        19 shrome.exe 2->19         started        21 2 other processes 2->21 process3 signatures4 216 Adds a directory exclusion to Windows Defender 14->216 23 cmd.exe 1 14->23         started        218 Multi AV Scanner detection for dropped file 17->218 220 Writes to foreign memory regions 17->220 222 Allocates memory in foreign processes 17->222 26 conhost.exe 17->26         started        224 Creates a thread in another existing process (thread injection) 19->224 29 conhost.exe 19->29         started        process5 file6 190 Suspicious powershell command line found 23->190 192 Tries to download and execute files (via powershell) 23->192 194 Adds a directory exclusion to Windows Defender 23->194 31 powershell.exe 23->31         started        33 powershell.exe 23->33         started        35 powershell.exe 24 23->35         started        44 4 other processes 23->44 126 C:\Windows\System32\Microsoft\Libs\WR64.sys, PE32+ 26->126 dropped 196 Sample is not signed and drops a device driver 26->196 38 sihost64.exe 26->38         started        40 cmd.exe 29->40         started        42 cmd.exe 29->42         started        signatures7 process8 dnsIp9 48 gfhfg.exe 31->48         started        51 Fsdgde.exe 33->51         started        180 Powershell drops PE file 35->180 182 Writes to foreign memory regions 38->182 184 Allocates memory in foreign processes 38->184 186 Creates a thread in another existing process (thread injection) 38->186 53 conhost.exe 38->53         started        188 Adds a directory exclusion to Windows Defender 40->188 55 conhost.exe 40->55         started        57 powershell.exe 40->57         started        59 powershell.exe 40->59         started        61 conhost.exe 42->61         started        63 taskkill.exe 42->63         started        140 cx55566.tmweb.ru 92.53.96.4, 49751, 49754, 80 TIMEWEB-ASRU Russian Federation 44->140 128 C:\Users\user\AppData\Local\Temp\gfhfg.exe, PE32+ 44->128 dropped 130 C:\Users\user\AppData\Local\Temp\Fsdgde.exe, PE32+ 44->130 dropped file10 signatures11 process12 signatures13 144 Multi AV Scanner detection for dropped file 48->144 146 Writes to foreign memory regions 48->146 148 Allocates memory in foreign processes 48->148 65 conhost.exe 48->65         started        69 conhost.exe 48->69         started        150 Creates a thread in another existing process (thread injection) 51->150 71 conhost.exe 51->71         started        process14 file15 120 C:\Windows\System32\shrome.exe, PE32+ 65->120 dropped 170 Adds a directory exclusion to Windows Defender 65->170 73 cmd.exe 65->73         started        76 cmd.exe 65->76         started        78 cmd.exe 65->78         started        122 C:\Windows\System32\...\sihost64.exe, PE32+ 69->122 dropped 172 Drops executables to the windows directory (C:\Windows) and starts them 69->172 174 Writes to foreign memory regions 69->174 176 Modifies the context of a thread in another process (thread injection) 69->176 178 Injects a PE file into a foreign processes 69->178 80 cmd.exe 69->80         started        83 sihost64.exe 69->83         started        124 C:\Windows\System32\services64.exe, PE32+ 71->124 dropped 85 cmd.exe 71->85         started        87 cmd.exe 71->87         started        signatures16 process17 dnsIp18 198 Drops executables to the windows directory (C:\Windows) and starts them 73->198 89 shrome.exe 73->89         started        92 conhost.exe 73->92         started        200 Uses schtasks.exe or at.exe to add and modify task schedules 76->200 202 Adds a directory exclusion to Windows Defender 76->202 94 conhost.exe 76->94         started        96 powershell.exe 76->96         started        98 powershell.exe 76->98         started        104 2 other processes 78->104 134 107.178.104.10, 49762, 5555 IOFLOODUS United States 80->134 136 pool.supportxmr.com 80->136 138 pool-nyc.supportxmr.com 80->138 204 Query firmware table information (likely to detect VMs) 80->204 206 Multi AV Scanner detection for dropped file 83->206 100 services64.exe 85->100         started        102 conhost.exe 85->102         started        106 2 other processes 87->106 signatures19 208 Detected Stratum mining protocol 134->208 process20 signatures21 210 Writes to foreign memory regions 89->210 212 Allocates memory in foreign processes 89->212 214 Creates a thread in another existing process (thread injection) 89->214 108 conhost.exe 89->108         started        process22 dnsIp23 142 192.168.2.1 unknown unknown 108->142 132 C:\Windows\System32\...\sihost32.exe, PE32+ 108->132 dropped 226 Drops executables to the windows directory (C:\Windows) and starts them 108->226 228 Adds a directory exclusion to Windows Defender 108->228 113 sihost32.exe 108->113         started        116 cmd.exe 108->116         started        file24 signatures25 process26 signatures27 152 Multi AV Scanner detection for dropped file 113->152 154 Writes to foreign memory regions 113->154 156 Allocates memory in foreign processes 113->156 158 Creates a thread in another existing process (thread injection) 113->158 160 Adds a directory exclusion to Windows Defender 116->160 118 conhost.exe 116->118         started        process28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82f585a45f06cd6c344d3bf8fe6081a074ac38f83015d9675a2dc4e2363f5c20/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2021-10-12 03:04:40 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ql2yljc7a3gwyncnhp4p4yebub2kyohygak5sz22fxcoenr7lqqa._file
Verdict:
malicious
Similar samples:
5f5650987c9810c4cc59a467650844179c1349ded7b2fa0f1b00edbbf648612c
CoinMiner
7cad51a346a2c1441d4f87e9c4f848a61ba22506926fdeff1c0d315dfca515be
CoinMiner
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/211014-fskfvsgcb9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
xmrig
Malware Config
Dropper Extraction:
http://cx55566.tmweb.ru/farm_money.exe
http://cx55566.tmweb.ru/monero-bandit.exe
Unpacked files
SH256 hash:
82f585a45f06cd6c344d3bf8fe6081a074ac38f83015d9675a2dc4e2363f5c20
MD5 hash:
2d82ec0905de054cd685e6a52e2d9442
SHA1 hash:
1fb5c5b876563affb7ee45872e286cf0ffddb965
Link:
https://www.unpac.me/results/8004ec9c-bf15-4e06-8d03-3533b718828e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/82f585a45f06/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/82f585a45f06cd6c344d3bf8fe6081a074ac38f83015d9675a2dc4e2363f5c20

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 82f585a45f06cd6c344d3bf8fe6081a074ac38f83015d9675a2dc4e2363f5c20

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1676344/
Cape
Cape
https://www.capesandbox.com/analysis/197411/

Comments


Avatar
zbet commented on 2021-10-14 05:07:42 UTC

url : hxxp://cx55566.tmweb.ru/bloodteam.exe