MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8993c0df9741aa16331c58d43805be9028cbef94db7cde0886c2e3ea8904eff6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner
Vendor detections: 6

SHA256 hash: 8993c0df9741aa16331c58d43805be9028cbef94db7cde0886c2e3ea8904eff6
SHA3-384 hash: 31cb338b3140fc97658bfef5e22ed81dc923b6d14f25dba02747de739319ea0b4c1981a9f30cd1e82a20bbb7463daf4b
SHA1 hash: 72f258a31de93084363bb425bf52fc1965cb159e
MD5 hash: 0ba02b484fb24531e51c0c532836bb16
humanhash: kansas-pizza-utah-tango
File name: FREAKHIVE MANUAL.exe
Signature: CoinMiner
File size: 6'347'264 bytes
First seen: 2020-11-12 08:07:55 UTC
Last seen: 2024-07-24 18:34:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 98304:WGF5FjkZkpcw3n9aDk5oNyCBoRJxfFTGVgEl9J3WxDlx/aL2Gz1kU2ZmXxKJ0:WGBsZknR5ooYgxNTGVgs3WF6eUzk
Threatray: 21 similar samples on MalwareBazaar
TLSH: 435633F073FA5E52EAD7603CDC6A01802BB5F1AA362690AC710D41E919F7BD7CE0615B
Reporter: JoulK
Tags: CoinMiner, exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 353
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Creating a file
Adding an access-denied ACE
Creating a process with a hidden window
Creating a process from a recently created file
Launching a process
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Deleting a recently created file
Possible injection to a system process
Connection attempt to an infection source
Setting a single autorun event
Result
Gathering data
Result
Threat name: Crypto Miner Hive RAT
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Allocates many large memory junks
Benign windows process drops PE files
Detected unpacking (creates a PE file in dynamic memory)
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes or reads registry keys via WMI
Yara detected Crypto Miner
Yara detected Hive RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 315165
Sample: FREAKHIVE MANUAL.exe
Start date: 12/11/2020
Architecture: WINDOWS
Score: 100

Process tree and observations as shown in the graph:

FREAKHIVE MANUAL.exe (submitted sample)
  DNS/IP: u868328.nvpn.to
  Signatures: Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures
  Started processes:
    FREAKHIVE MANUAL.exe
      Dropped: C:\Users\user\...\FREAKHIVE MANUAL.exe.log (ASCII)
      Signatures: Allocates many large memory junks; Hides that the sample has been downloaded from the Internet (zone.identifier)
      Started processes:
        FREAKHIVE MANUAL.exe
          DNS/IP: u868328.nvpn.to 79.134.225.104 (ports 49719, 49720, 49721), FINK-TELECOM-SERVICES CH, Switzerland; 192.168.2.1 (unknown)
          Signatures: Injects a PE file into a foreign processes
          Started processes:
            wscript.exe
              Signatures: Writes or reads registry keys via WMI
            FREAKHIVE MANUAL.exe
              DNS/IP: litecoinpool.org 149.210.234.234 (ports 3333, 49753, 49768), TRANSIP-AS Amsterdam the Netherlands NL, Netherlands
              Started processes: conhost.exe
            FREAKHIVE MANUAL.exe
              DNS/IP: 127.0.0.1 (unknown)
            9 other processes
        WerFault.exe
        FREAKHIVE MANUAL.exe
    Avast.exe
      Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    explorer.exe
      Started processes:
        wscript.exe
          Dropped: C:\Users\user\AppData\Roaming\Avast.exe (PE32)
          Signatures: Benign windows process drops PE files
Threat name: ByteCode-MSIL.Trojan.Heracles
Status: Malicious
First seen: 2020-11-12 08:08:12 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Program crash
Suspicious use of SetThreadContext
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BTC_Miner_lsass1_chrome_2
Author: Florian Roth
Description: Detects a Bitcoin Miner
Reference: Internal Research - CN Actor
Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria
Rule name: IPPort_combo_mem
Author: James_inthe_box
Description: IP and port combo
Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog
Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del
Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo
Rule name: XMRIG_Miner

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: CoinMiner
File type: Executable exe
SHA256 hash: 8993c0df9741aa16331c58d43805be9028cbef94db7cde0886c2e3ea8904eff6 (this sample)
