MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001dd491ac614fdef1fa149. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner.XMRig


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 3 File information Comments
Add tag Delete this sample Report a False Positive

SHA256 hash: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001dd491ac614fdef1fa149
SHA3-384 hash: 904e541968d76339fd4e6055029c8e12eb4d7995a51e967467f51dd240bac76f9111790317995c46b2f7863303c39110
SHA1 hash: 43ee2579fef8ff0c3a5d53f3dc4306bbdf04d484
MD5 hash: c7f9efb09db59923b3f96fd1ef2f0873
humanhash: blue-indigo-island-crazy
File name:982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
Download: download sample
Signature CoinMiner.XMRig
Create hunting rule
File size:3'609'088 bytes
First seen:2022-01-14 13:07:12 UTC
Last seen:2022-01-14 14:47:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c284fa365c4442728ac859c0f9ed4dc5 (94 x RedLineStealer, 10 x RaccoonStealer, 8 x CoinMiner)
ssdeep 98304:4DIDD0PzdRnlgUpPGRShIyR5elYuHkpluPsLaDKUOVV:4De0PXnlbCyalu3uPsWDKUOVV
Threatray 938 similar samples on MalwareBazaar
TLSH T19EF53323BB50FF7EC20BA1FD7060756AF8F37469D05DAB9675684A20914EF0881B8F64
Reporter @abuse_ch
Tags:CoinMiner.XMRig exe


Twitter
@abuse_ch
CoinMiner.XMRig C2:
95.143.179.185:31334

Intelligence

File Origin
# of uploads :
2
# of downloads :
270
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
Verdict:
Malicious activity
Analysis date:
2022-01-14 13:12:31 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/a6ddaeae-c91d-467b-9894-c52faaf23d96

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219315/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for the window
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61e175baf2e8ec86fefce52b/reports/5dc4cb35-c998-4fa6-bb38-56f165d0a3f9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1befbf9a-c32b-47c5-af8f-22a2c6ea5af5
Result
Threat name:
BitCoin Miner RedLine Redline Clipper Si
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/920750
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Found malware configuration
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicius Add Task From User AppData Temp
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Redline Clipper
Yara detected RedLine Stealer
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553228 Sample: 982d4ea5fee5b8e551d40cb0727... Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 87 Sigma detected: Xmrig 2->87 89 Found malware configuration 2->89 91 Malicious sample detected (through community Yara rule) 2->91 93 12 other signatures 2->93 13 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe 2->13         started        16 services64.exe 2->16         started        process3 signatures4 143 Writes to foreign memory regions 13->143 145 Allocates memory in foreign processes 13->145 147 Injects a PE file into a foreign processes 13->147 18 AppLaunch.exe 15 8 13->18         started        149 Antivirus detection for dropped file 16->149 151 Multi AV Scanner detection for dropped file 16->151 153 Creates a thread in another existing process (thread injection) 16->153 23 conhost.exe 6 16->23         started        process5 dnsIp6 81 95.143.179.185, 31334, 49775 RHTEC-ASrh-tecIPBackboneDE Russian Federation 18->81 83 45.82.70.152, 49778, 49779, 7777 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Netherlands 18->83 69 C:\Users\user\AppData\Local\Temp\sistem.exe, PE32 18->69 dropped 71 C:\Users\user\AppData\Local\...\Microsoft.exe, PE32+ 18->71 dropped 95 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->95 97 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->97 99 Tries to harvest and steal browser information (history, passwords, etc) 18->99 101 Tries to steal Crypto Currency Wallets 18->101 25 Microsoft.exe 18->25         started        28 sistem.exe 18->28         started        73 C:\Users\user\AppData\...\sihost64.exe, PE32+ 23->73 dropped 75 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 23->75 dropped 103 Injects code into the Windows Explorer (explorer.exe) 23->103 105 Writes to foreign memory regions 23->105 107 Modifies the context of a thread in another process (thread injection) 23->107 109 2 other signatures 23->109 30 sihost64.exe 23->30         started        32 explorer.exe 23->32         started        file7 signatures8 process9 dnsIp10 119 Antivirus detection for dropped file 25->119 121 Multi AV Scanner detection for dropped file 25->121 123 Writes to foreign memory regions 25->123 35 conhost.exe 4 25->35         started        125 Machine Learning detection for dropped file 28->125 127 Allocates memory in foreign processes 28->127 129 Injects a PE file into a foreign processes 28->129 38 AppLaunch.exe 2 28->38         started        131 Creates a thread in another existing process (thread injection) 30->131 40 conhost.exe 2 30->40         started        79 mine.bmpool.org 32->79 133 System process connects to network (likely due to code injection or exploit) 32->133 135 Query firmware table information (likely to detect VMs) 32->135 signatures11 process12 file13 77 C:\Users\user\AppData\...\services64.exe, PE32+ 35->77 dropped 42 cmd.exe 1 35->42         started        44 cmd.exe 1 35->44         started        process14 signatures15 47 services64.exe 42->47         started        50 conhost.exe 42->50         started        137 Uses schtasks.exe or at.exe to add and modify task schedules 44->137 52 conhost.exe 44->52         started        54 schtasks.exe 1 44->54         started        process16 signatures17 155 Writes to foreign memory regions 47->155 157 Allocates memory in foreign processes 47->157 159 Creates a thread in another existing process (thread injection) 47->159 56 conhost.exe 2 47->56         started        process18 signatures19 111 Injects code into the Windows Explorer (explorer.exe) 56->111 113 Writes to foreign memory regions 56->113 115 Modifies the context of a thread in another process (thread injection) 56->115 117 Injects a PE file into a foreign processes 56->117 59 explorer.exe 56->59         started        63 cmd.exe 1 56->63         started        process20 dnsIp21 85 mine.bmpool.org 157.90.156.89 REDIRISRedIRISAutonomousSystemES United States 59->85 139 System process connects to network (likely due to code injection or exploit) 59->139 141 Query firmware table information (likely to detect VMs) 59->141 65 taskkill.exe 1 63->65         started        67 conhost.exe 63->67         started        signatures22 process23
Detection:
n/a
Create hunting rule
Link:
https://mwdb.cert.pl/sample/982d4ea5fee5b8e551d40cb07272e1bcf707edff1001dd491ac614fdef1fa149/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-14 13:08:29 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://www.spamhaus.org/query/hash/tawu5jp64w4okuoubsyhe4xbxt3qp3p7caa52si2yykp33y7ufeq._file
Verdict:
malicious
Similar samples:
0c026f6f5c3577b153ad00b629075001de41ad9d26de2723aacbf3a87c8bc0ef
CoinMiner.XMRig
2cd29b8b5c71f0f7df5dd0bcedbb134977d9c6269861dddd65db1db203194c08
CoinMiner.XMRig
422d172383682bb5d0d3118e5caf590bbf90e32a60657b478f28076f7d840535
CoinMiner.XMRig
529043b5fcef43623835319764499b2a4ddbae2477697f22aada0e09352b83c5
CoinMiner.XMRig
87b1b6c23161d93aed2729e2fce32dc577793341e4755cdeaac41f8c50b76a56
CoinMiner.XMRig
a771e073fa4ba6ef336ab59ae52114c034d5725a7731dfb1593a764688f7dc16
CoinMiner.XMRig
a9eb984c9de2d2d061babaaec8c15a04895af2cc0653d044f7092ba73013da5b
CoinMiner.XMRig
f7e9394deb6140ccb3df12a53e94e8b2d28da6f7c9d0143736e3067e5aa88765
CoinMiner.XMRig
+ 928 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220114-qc9e6agcf5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Unpacked files
SH256 hash:
ff573078de15b7d34e82047608c79a236f4474af89a2aa5305ef6ac0cb9756d0
MD5 hash:
85539a180918789b11bd80a087de0c32
SHA1 hash:
1b58e1d1bfb589138128a1db32b5f33f6492af44
Link:
https://www.unpac.me/results/202ac157-1ab1-48a0-a8b3-b34e9830b61b/
SH256 hash:
484b8134ae7a865a43565bbb98d295274a685c6c062497315fb7e2155d6f82bc
MD5 hash:
729c35f654783e1d7e7da7a26c332b46
SHA1 hash:
ff8d1ec240ca7f8debffd2c3d2be208156bbaf30
Link:
https://www.unpac.me/results/202ac157-1ab1-48a0-a8b3-b34e9830b61b/
SH256 hash:
982d4ea5fee5b8e551d40cb07272e1bcf707edff1001dd491ac614fdef1fa149
MD5 hash:
c7f9efb09db59923b3f96fd1ef2f0873
SHA1 hash:
43ee2579fef8ff0c3a5d53f3dc4306bbdf04d484
Link:
https://www.unpac.me/results/202ac157-1ab1-48a0-a8b3-b34e9830b61b/
AV coverage:
34.85%
AV detections:
23 / 66
Link:
https://www.virustotal.com/gui/file/982d4ea5fee5b8e551d40cb07272e1bcf707edff1001dd491ac614fdef1fa149/detection/f-982d4ea5fee5b8e551d40cb07272e1bcf707edff1001dd491ac614fdef1fa149-1642163777
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/982d4ea5fee5b8e551d40cb07272e1bcf707edff1001dd491ac614fdef1fa149

YARA Signatures

MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.143.179.185:31334 https://threatfox.abuse.ch/ioc/295234

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner.XMRig

Executable exe 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001dd491ac614fdef1fa149

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/219315/
  
URLhaus
https://urlhaus.abuse.ch/url/1976668/
  
Delivery method
Distributed via web download

Comments