MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001dd491ac614fdef1fa149. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner.XMRig


Vendor detections: 13



SHA256 hash: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001dd491ac614fdef1fa149
SHA3-384 hash: 904e541968d76339fd4e6055029c8e12eb4d7995a51e967467f51dd240bac76f9111790317995c46b2f7863303c39110
SHA1 hash: 43ee2579fef8ff0c3a5d53f3dc4306bbdf04d484
MD5 hash: c7f9efb09db59923b3f96fd1ef2f0873
humanhash: blue-indigo-island-crazy
File name: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
Signature CoinMiner.XMRig
File size: 3'609'088 bytes
First seen: 2022-01-14 13:07:12 UTC
Last seen: 2022-01-14 14:47:54 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash c284fa365c4442728ac859c0f9ed4dc5 (94 x RedLineStealer, 10 x RaccoonStealer, 8 x CoinMiner)
ssdeep 98304:4DIDD0PzdRnlgUpPGRShIyR5elYuHkpluPsLaDKUOVV:4De0PXnlbCyalu3uPsWDKUOVV
Threatray 938 similar samples on MalwareBazaar
TLSH T19EF53323BB50FF7EC20BA1FD7060756AF8F37469D05DAB9675684A20914EF0881B8F64
Reporter @abuse_ch
Tags: CoinMiner.XMRig exe
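Before spending analysis time on a downloaded copy of this sample, confirm that what you have on disk is the file the entry describes. The script below is an added example, not MalwareBazaar code: it streams a file through the four digests the entry lists (SHA256, SHA1, MD5, SHA3-384) in a single pass, compares them and the byte size against the values copied from the entry above, and reports every mismatch. The file path argument and the hash-of-bytes helper used for self-checks are assumptions for illustration.

```python
import hashlib
import sys

# Values copied from the MalwareBazaar entry above.
ENTRY_HASHES = {
    "sha256": "982d4ea5fee5b8e551d40cb07272e1bcf707edff1001dd491ac614fdef1fa149",
    "sha1": "43ee2579fef8ff0c3a5d53f3dc4306bbdf04d484",
    "md5": "c7f9efb09db59923b3f96fd1ef2f0873",
    "sha3_384": "904e541968d76339fd4e6055029c8e12eb4d7995a51e967467f51dd240bac76f9111790317995c46b2f7863303c39110",
}
ENTRY_SIZE = 3609088  # 3'609'088 bytes

ALGOS = ("sha256", "sha1", "md5", "sha3_384")


def hash_bytes(data: bytes) -> dict:
    """Digests plus length for an in-memory blob (used here for self-checks)."""
    out = {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}
    out["size"] = len(data)
    return out


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Read the file once and feed every hash object from the same chunk."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            size += len(block)
            for h in hashers.values():
                h.update(block)
    out = {algo: h.hexdigest() for algo, h in hashers.items()}
    out["size"] = size
    return out


def verify(observed: dict, expected: dict, expected_size=None) -> list:
    """Return [(field, expected, observed)] for each mismatch; empty list means the copy matches."""
    mismatches = []
    for algo, want in expected.items():
        got = observed.get(algo)
        if got is None or got.lower() != want.lower():
            mismatches.append((algo, want, got))
    if expected_size is not None and observed.get("size") != expected_size:
        mismatches.append(("size", expected_size, observed.get("size")))
    return mismatches


if __name__ == "__main__":
    # Usage: python verify_sample.py <path to the unpacked sample> (path is an assumption)
    result = verify(hash_file(sys.argv[1]), ENTRY_HASHES, ENTRY_SIZE)
    if result:
        for field, want, got in result:
            print(f"MISMATCH {field}: entry={want} file={got}")
        sys.exit(1)
    print("file matches the MalwareBazaar entry")
```

A mismatch on every field usually means you extracted the wrong member of the download archive; a mismatch on size alone means a truncated download. Check the SHA256 first, since that is the key MalwareBazaar and ThreatFox index on.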


Twitter
@abuse_ch
CoinMiner.XMRig C2:
95.143.179.185:31334

Intelligence


File Origin
# of uploads :
2
# of downloads :
270
Origin country :
FR
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
Verdict:
Malicious activity
Analysis date:
2022-01-14 13:12:31 UTC
Tags:
trojan rat redline loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for the window
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating synchronization primitives
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
BitCoin Miner RedLine Redline Clipper Si
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Found malware configuration
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicius Add Task From User AppData Temp
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Redline Clipper
Yara detected RedLine Stealer
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 553228, sample 982d4ea5fee5b8e551d40cb0727..., start date 14/01/2022, architecture WINDOWS, score 100)
Top-level signatures: Sigma detected: Xmrig; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
Process tree (indentation shows the parent/child relationship drawn in the graph):
982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  AppLaunch.exe
    network: 95.143.179.185:31334 (RHTEC-AS rh-tec IP Backbone DE, Russian Federation); 45.82.70.152:7777 (ON-LINE-DATA Server location Netherlands Dronten NL, Netherlands)
    dropped: C:\Users\user\AppData\Local\Temp\sistem.exe (PE32); C:\Users\user\AppData\Local\...\Microsoft.exe (PE32+)
    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
    Microsoft.exe
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions
      conhost.exe
        dropped: C:\Users\user\AppData\...\services64.exe (PE32+)
        cmd.exe
          services64.exe
            signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
            conhost.exe
              signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
              explorer.exe
                network: mine.bmpool.org 157.90.156.89 (REDIRIS RedIRIS Autonomous System ES, United States)
                signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)
              cmd.exe
                taskkill.exe
                conhost.exe
          conhost.exe
        cmd.exe
          signatures: Uses schtasks.exe or at.exe to add and modify task schedules
          conhost.exe
          schtasks.exe
    sistem.exe
      signatures: Machine Learning detection for dropped file; Allocates memory in foreign processes; Injects a PE file into a foreign processes
      AppLaunch.exe
services64.exe
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates a thread in another existing process (thread injection)
  conhost.exe
    dropped: C:\Users\user\AppData\...\sihost64.exe (PE32+); C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+)
    signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
    sihost64.exe
      signatures: Creates a thread in another existing process (thread injection)
      conhost.exe
    explorer.exe
      network: mine.bmpool.org
      signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)
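Two of the host-side signatures above are cheap to hunt for in process-creation telemetry: "Uses schtasks.exe or at.exe to add and modify task schedules" together with the Sigma hit for a task added from the user's AppData\Temp folder, and "Creating a process from a recently created file" in %TEMP% (sistem.exe, Microsoft.exe, services64.exe, sihost64.exe in the tree). The script below is an added example, not the sandbox's or the Sigma project's logic: it approximates those two checks over constructed Sysmon-style process-creation events. The events, the schtasks command line (the report does not show the real one) and the parent image paths are assumptions built to mirror the process tree.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str     # full path of the newly created process
    parent: str    # full path of the creating process
    cmdline: str   # command line as logged (Sysmon event 1 / Security 4688 style)


# Constructed events modelled on the process tree in the report; paths and the
# schtasks arguments are assumptions, not values taken from the sample.
EVENTS = [
    ProcEvent(r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
              r'schtasks /create /f /sc onlogon /rl highest /tn "services64" '
              r'/tr "C:\Users\user\AppData\Local\Temp\services64.exe"'),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\sistem.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe", "sistem.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
              r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\conhost.exe", "explorer.exe"),
]

USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
USER_APPDATA = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"(^|\s)/create(\s|$)", re.IGNORECASE)


def task_from_user_appdata(ev: ProcEvent) -> bool:
    """schtasks.exe /create whose command line points into the user's AppData tree.
    Approximates the 'Add Task From User AppData Temp' Sigma rule named in the report."""
    if not ev.image.lower().endswith(r"\schtasks.exe"):
        return False
    return bool(SCHTASKS_CREATE.search(ev.cmdline)) and bool(USER_APPDATA.search(ev.cmdline))


def process_from_temp(ev: ProcEvent) -> bool:
    """A process whose image lives in %TEMP%: the dropped-then-executed pattern in the tree."""
    return bool(USER_TEMP.search(ev.image))


RULES = {
    "task_from_user_appdata": task_from_user_appdata,
    "process_from_temp": process_from_temp,
}


def triage(events) -> list:
    """Return [(rule_name, image)] for every event/rule pair that fires, in input order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.image))
    return hits


if __name__ == "__main__":
    for name, image in triage(EVENTS):
        print(f"{name}: {image}")
```

The benign backup task (action under Program Files) and explorer.exe do not fire; the task whose action is under AppData\Local\Temp and the process launched from %TEMP% do. In a real deployment, match on the logged image path rather than the command-line prefix, since the interpreter name in the command line is attacker-controlled.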
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2022-01-14 13:08:29 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Unpacked files
SHA256 hash:
ff573078de15b7d34e82047608c79a236f4474af89a2aa5305ef6ac0cb9756d0
MD5 hash:
85539a180918789b11bd80a087de0c32
SHA1 hash:
1b58e1d1bfb589138128a1db32b5f33f6492af44
SHA256 hash:
484b8134ae7a865a43565bbb98d295274a685c6c062497315fb7e2155d6f82bc
MD5 hash:
729c35f654783e1d7e7da7a26c332b46
SHA1 hash:
ff8d1ec240ca7f8debffd2c3d2be208156bbaf30
SHA256 hash:
982d4ea5fee5b8e551d40cb07272e1bcf707edff1001dd491ac614fdef1fa149
MD5 hash:
c7f9efb09db59923b3f96fd1ef2f0873
SHA1 hash:
43ee2579fef8ff0c3a5d53f3dc4306bbdf04d484

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 95.143.179.185:31334
ThreatFox reference: https://threatfox.abuse.ch/ioc/295234
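The entry lists one ThreatFox IOC, but the sandbox report above adds two more network indicators (45.82.70.152:7777 and mine.bmpool.org resolving to 157.90.156.89) and two protocol-level signatures: "Detected Stratum mining protocol" and "Uses known network protocols on non-standard ports". The script below is an added example, not MalwareBazaar or ThreatFox code: it classifies constructed connection records against the entry's endpoints, recognises a Stratum JSON-RPC request (the plaintext protocol XMRig speaks to a pool, with a login method and a params.agent string), and flags HTTP on ports that are not normally HTTP. The flow records, the pool port, the wallet placeholder and the agent string are constructed for illustration; the page does not show the real payloads.

```python
import json

# Network indicators copied from the entry and the sandbox process tree above.
C2_ENDPOINTS = {("95.143.179.185", 31334), ("45.82.70.152", 7777)}
MINING_POOL_HOSTS = {"mine.bmpool.org"}
MINING_POOL_IPS = {"157.90.156.89"}

# Stratum is newline-delimited JSON-RPC over raw TCP; these are the request
# methods XMRig-style (login/submit/keepalived) and classic (mining.*) clients send.
STRATUM_METHODS = {"login", "submit", "keepalived",
                   "mining.subscribe", "mining.authorize", "mining.submit"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")
STANDARD_HTTP_PORTS = {80, 443, 8080, 8443}


def stratum_request(payload: bytes):
    """Return the parsed Stratum request if the first line of payload is one, else None."""
    first = payload.split(b"\n", 1)[0].strip()
    if not first.startswith(b"{"):
        return None
    try:
        msg = json.loads(first)
    except ValueError:
        return None
    if isinstance(msg, dict) and "id" in msg and msg.get("method") in STRATUM_METHODS:
        return msg
    return None


def classify_flow(dst_ip: str, dst_port: int, host: str, payload: bytes) -> list:
    """Return the reasons a flow is suspicious; an empty list means nothing matched."""
    reasons = []
    if (dst_ip, dst_port) in C2_ENDPOINTS:
        reasons.append("c2_endpoint_from_entry")
    if host in MINING_POOL_HOSTS or dst_ip in MINING_POOL_IPS:
        reasons.append("mining_pool_from_entry")
    req = stratum_request(payload)
    if req is not None:
        params = req.get("params")
        agent = params.get("agent", "") if isinstance(params, dict) else ""
        tag = "stratum_" + req["method"]
        if agent:
            tag += ":" + agent.split("/")[0]   # e.g. "XMRig/6.x" -> "XMRig"
        reasons.append(tag)
    if payload.startswith(HTTP_METHODS) and dst_port not in STANDARD_HTTP_PORTS:
        reasons.append("http_on_nonstandard_port")
    return reasons


# Constructed flows (id, dst_ip, dst_port, host/SNI, first payload bytes).
# Port 3333, the wallet placeholder and the agent string are assumptions.
STRATUM_LOGIN = (b'{"id":1,"jsonrpc":"2.0","method":"login","params":'
                 b'{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/6.x","algo":["rx/0"]}}\n')
FLOWS = [
    ("f1", "95.143.179.185", 31334, "", b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"),
    ("f2", "157.90.156.89", 3333, "mine.bmpool.org", STRATUM_LOGIN),
    ("f3", "45.82.70.152", 7777, "", b"GET /api/ HTTP/1.1\r\nHost: 45.82.70.152:7777\r\n\r\n"),
    ("f4", "203.0.113.10", 443, "example.org", b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
]


def triage(flows) -> dict:
    """Map each flow id to its list of reasons."""
    return {fid: classify_flow(ip, port, host, payload) for fid, ip, port, host, payload in flows}


if __name__ == "__main__":
    for fid, reasons in triage(FLOWS).items():
        print(fid, reasons or "-")
```

The first flow matches only because the endpoint is on the entry; nothing about its bytes is recognised, which is why IP:port IOCs age badly and the protocol checks are worth keeping. The Stratum check works on any port, so a pool moved off 3333 is still caught as long as the traffic is not wrapped in TLS.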

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner.XMRig

Executable exe 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001dd491ac614fdef1fa149

(this sample)

  
Delivery method
Distributed via web download

Comments