MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c47c10545767892ba8fdaa1ba682295251016938318d807fe40736e5ae832322. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner.XMRig
Vendor detections: 11

SHA256 hash: c47c10545767892ba8fdaa1ba682295251016938318d807fe40736e5ae832322
SHA3-384 hash: 57a1ff41acf8e8b492b58b01c1ce54d6f79c3c8f353f62037a25d9d3922e140fbcb42128b61dccd18ec482a704845eba
SHA1 hash: e96dbc3d99250ec26f0aaefae9a3c443d0a97a6c
MD5 hash: 21d5f340522c1fdc8baee03225585feb
humanhash: jupiter-robin-fanta-burger
File name: 21d5f340522c1fdc8baee03225585feb.exe
Download: download sample
Signature: CoinMiner.XMRig
File size: 563'712 bytes
First seen: 2022-03-21 19:28:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep: 12288:rL+uELtejAtGBY2Emf5QS03ULaHNqrxlKIQNoOE8zOmO+Z2I:rLaUjQQYexkEaHNYK3XE8TOPI
Threatray: 1'787 similar samples on MalwareBazaar
TLSH: T1A3C42397A3D9F4DCC3CB41B443233D1E0E0EEA590550FD8FBDAADE6506A40B9265B0B9
Reporter: abuse_ch
Tags: CoinMiner.XMRig exe


abuse_ch
CoinMiner.XMRig C2:
104.244.76.137:4487

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 104.244.76.137:4487
ThreatFox reference: https://threatfox.abuse.ch/ioc/435228/

Intelligence

File Origin
# of uploads: 1
# of downloads: 239
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating synchronization primitives
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Unauthorized injection to a system process

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: RedLine Xmrig
Detection: malicious
Classification: troj.adwa.spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Blacklisted process start detected (Windows program)
Detected Stratum mining protocol
DNS related to crypt mining pools
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Notepad Making Network Connection
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Shellcode strings
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph ID: 593617
Sample: n927WsfJl7.exe
Startdate: 21/03/2022
Architecture: WINDOWS
Score: 100

Process tree (node numbers are the graph's own; paths containing "..." are shown as the graph abbreviates them):

2 (host)
  DNS/IP: xmr-eu1.nanopool.org; easyproducts.org
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 15 other signatures
  Started: 10 n927WsfJl7.exe; 13 RegHost.exe

10 n927WsfJl7.exe
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  Started: 15 AppLaunch.exe; 20 conhost.exe

13 RegHost.exe
  Signatures: Multi AV Scanner detection for dropped file; Hijacks the control flow in another process; Injects code into the Windows Explorer (explorer.exe); Modifies the context of a thread in another process (thread injection)
  Started: 22 notepad.exe; 24 explorer.exe; 26 bfsvc.exe; 28 conhost.exe

15 AppLaunch.exe
  DNS/IP: 104.244.76.137, 4487, 49777 PONYNETUS United States; cdn.discordapp.com 162.159.135.233, 443, 49789, 49790 CLOUDFLARENETUS United States
  Dropped: C:\Users\user\AppData\Local\Temp\clii.exe (PE32); C:\Users\user\AppData\Local\Temp\bbb.exe (PE32+)
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
  Started: 30 bbb.exe; 35 clii.exe

22 notepad.exe
  Started: 37 conhost.exe

24 explorer.exe
  Started: 39 conhost.exe

26 bfsvc.exe
  Started: 41 conhost.exe

30 bbb.exe
  DNS/IP: 185.137.234.33, 49792, 49793, 8080 SELECTELRU Russian Federation
  Dropped: C:\Users\user\AppData\...\RegModule.exe (PE32+); C:\Users\user\AppData\Roaming\...\RegHost.exe (PE32+); C:\Users\user\AppData\Roaming\...\RegData.exe (PE32+); C:\Users\user\AppData\...\OneDrive.exe (PE32+)
  Signatures: Multi AV Scanner detection for dropped file; Hijacks the control flow in another process; Injects code into the Windows Explorer (explorer.exe); Modifies the context of a thread in another process (thread injection)
  Started: 43 notepad.exe; 47 explorer.exe; 49 bfsvc.exe; 51 conhost.exe

35 clii.exe
  DNS/IP: 188.120.232.237, 80 THEFIRST-ASRU Russian Federation
  Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file

43 notepad.exe
  DNS/IP: 51.68.137.66 OVHFR France; xmr-eu1.nanopool.org
  Signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs); Blacklisted process start detected (Windows program)
  Started: 53 conhost.exe

47 explorer.exe
  Started: 55 conhost.exe; 57 curl.exe

49 bfsvc.exe
  Started: 59 conhost.exe
Threat name: Win32.Infostealer.Convagent
Status: Malicious
First seen: 2022-03-19 21:13:49 UTC
File Type: PE (Exe)
AV detection: 26 of 42 (61.90%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Program crash
Unpacked files

SHA256 hash: 22f961a30ae00bc804d05ae9e74bb2107b0b3dd3d7ddd944dea84dbd5f0d2180
MD5 hash: 5e70ae5283fbf4bdefb36175afea0cfc
SHA1 hash: fe1db15d356b620e8d7d9300e16374db4a8ce80e

SHA256 hash: 8e872dc0c5b06c01182f2e7b3cb151cd50804194b48ac3bbde2f27b013cd2432
MD5 hash: 31dc542526826d5be324b84c9e7e7e19
SHA1 hash: a46560a7d3f89f3a66a3e908e6d26660a28513b1

SHA256 hash: c47c10545767892ba8fdaa1ba682295251016938318d807fe40736e5ae832322
MD5 hash: 21d5f340522c1fdc8baee03225585feb
SHA1 hash: e96dbc3d99250ec26f0aaefae9a3c443d0a97a6c
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments