MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5ed5ae369da1d7784e5750e5da0ff898b438b79a7875590cad8bdd6af3e99f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5ed5ae369da1d7784e5750e5da0ff898b438b79a7875590cad8bdd6af3e99f4
SHA3-384 hash: fad7d2c41f523c0736c06e13918f75fc62365a38f1e5df52db6cb4e4c2e42504753aad510732403bdc17f6e8ba866f09
SHA1 hash: ba01612a8df2e4d8f2859089fba64c00c3eaf43c
MD5 hash: 1e5b2635145a5aff691b63b8ad16a4df
humanhash: fix-monkey-three-maryland
File name:file.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'754'432 bytes
First seen:2023-06-13 00:06:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 98304:Kok7uaLci46qFDcaTF88bIULQaEe5vQe5:YdLci46qFYG2uEzqJ
Threatray 2'798 similar samples on MalwareBazaar
TLSH T10426EFA4F17CAB22E34945F44D16DBFED97F323BB70A4A0029981A891DDE9C29C113D7
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Chainskilabs
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
368
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://cobaktesbrow.com/download/File_pass1234.7z
Verdict:
Malicious activity
Analysis date:
2023-06-11 20:59:03 UTC
Tags:
privateloader opendir evasion loader rat redline amadey trojan stealer miner smoke tofsee gcleaner vidar ransomware stop
Link:
https://app.any.run/tasks/236aed95-02c2-4690-89d0-6aa2bd9438bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/398112/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.9891.6978.23333.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a window
Searching for synchronization primitives
Creating a process with a hidden window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Launching cmd.exe command interpreter
Sending an HTTP POST request
Adding an access-denied ACE
Running batch commands
Query of malicious DNS domain
Launching a tool to kill processes
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/6487b3279f45f940f553aa35/reports/06870933-4c39-4989-a9ca-5e5261048352/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c5ed5ae369da1d7784e5750e5da0ff898b438b79a7875590cad8bdd6af3e99f4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f33ff515-b8d1-43b8-87eb-17d0045c1f61
Result
Threat name:
Amadey, Fabookie, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253300
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Creates an undocumented autostart registry key
Creates files in the system32 config directory
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 886320 Sample: file.exe Startdate: 13/06/2023 Architecture: WINDOWS Score: 100 88 as.imgjeoigaa.com 2->88 100 Snort IDS alert for network traffic 2->100 102 Multi AV Scanner detection for domain / URL 2->102 104 Found malware configuration 2->104 106 16 other signatures 2->106 10 file.exe 5 2->10         started        13 updater.exe 2->13         started        16 cmd.exe 2->16         started        18 8 other processes 2->18 signatures3 process4 file5 76 C:\Users\user\AppData\Local\...\oldplayer.exe, PE32 10->76 dropped 78 C:\Users\user\AppData\Local\Temp\aafg31.exe, PE32+ 10->78 dropped 80 C:\Users\user\AppData\Local\...\XandETC.exe, PE32+ 10->80 dropped 82 C:\Users\user\AppData\Local\...\file.exe.log, CSV 10->82 dropped 20 oldplayer.exe 3 10->20         started        24 aafg31.exe 14 10->24         started        27 XandETC.exe 3 10->27         started        84 C:\Windows\Temp\aadgyxmr.tmp, PE32+ 13->84 dropped 86 C:\Program Filesbehaviorgraphoogle\Libs\WR64.sys, PE32+ 13->86 dropped 134 Writes to foreign memory regions 13->134 136 Modifies the context of a thread in another process (thread injection) 13->136 138 Adds a directory exclusion to Windows Defender 13->138 148 2 other signatures 13->148 29 powershell.exe 13->29         started        140 Uses cmd line tools excessively to alter registry or file data 16->140 142 Uses powercfg.exe to modify the power settings 16->142 144 Modifies power options to not sleep / hibernate 16->144 31 conhost.exe 16->31         started        37 10 other processes 16->37 146 Creates files in the system32 config directory 18->146 33 conhost.exe 18->33         started        35 conhost.exe 18->35         started        39 20 other processes 18->39 signatures6 process7 dnsIp8 70 C:\Users\user\AppData\Local\...\oneetx.exe, PE32 20->70 dropped 108 Antivirus detection for dropped file 20->108 110 Multi AV Scanner detection for dropped file 20->110 112 Machine Learning detection for dropped file 20->112 114 Contains functionality to inject code into remote processes 20->114 41 oneetx.exe 13 20->41         started        90 us.imgjeoigaa.com 154.221.19.146, 49694, 80 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles 24->90 92 as.imgjeoigaa.com 39.109.117.57, 49717, 49734, 49748 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong 24->92 94 192.168.2.1 unknown unknown 24->94 72 C:\Users\...\20055d7804b34894255a58932a2d3dd1, SQLite 24->72 dropped 116 Contains functionality to steal Chrome passwords or cookies 24->116 118 Tries to harvest and steal browser information (history, passwords, etc) 24->118 45 taskkill.exe 1 24->45         started        47 taskkill.exe 24->47         started        74 C:\Program Files74otepad\Chrome\updater.exe, PE32+ 27->74 dropped 120 Adds a directory exclusion to Windows Defender 27->120 122 Creates files in the system32 config directory 29->122 49 conhost.exe 29->49         started        file9 signatures10 process11 dnsIp12 96 5.42.65.80, 49695, 49696, 49697 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 41->96 98 as.imgjeoigaa.com 41->98 124 Antivirus detection for dropped file 41->124 126 Multi AV Scanner detection for dropped file 41->126 128 Creates an undocumented autostart registry key 41->128 130 2 other signatures 41->130 51 schtasks.exe 1 41->51         started        53 cmd.exe 1 41->53         started        55 conhost.exe 45->55         started        57 conhost.exe 47->57         started        signatures13 process14 process15 59 conhost.exe 51->59         started        62 conhost.exe 53->62         started        64 cmd.exe 1 53->64         started        66 cacls.exe 1 53->66         started        68 4 other processes 53->68 signatures16 132 Modifies power options to not sleep / hibernate 59->132
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5ed5ae369da1d7784e5750e5da0ff898b438b79a7875590cad8bdd6af3e99f4/
Threat name:
ByteCode-MSIL.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-06-11 18:56:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yxwvvy3j3ioxpbhfouhf3ih7rgfuhc3zu6dvlegk3c65nlz6th2a._file
Verdict:
malicious
Similar samples:
1a8a82f87a9a7cd4b981fc23f41f5a914d630b6e51f7a535637b87b4334343d9
CoinMiner
1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746
CoinMiner
42430d77c311efbc21ad412f38190ff282b7a65c24801fab3e88f25e1f952b90
CoinMiner
79b320749ba393a5745d16d4e4df8eb77224b25e8eb31e062879da32e2b89043
CoinMiner
7ed6f14261acedfbd1154ad17cd277422c532ac159beeb35ee333a14931cd146
CoinMiner
924e4366663ac392020fe02f84c1f016c5eb5238b86965d1f72cc906bebb51c7
CoinMiner
e262e47a76916a2f919373cd4ba175953e9a81687ea27e03c4d5e998b65ee9b4
CoinMiner
e4426e6bd3ce651cf1a9fb187e5da1c8ec7037bf5b999e0f02762511ce299437
CoinMiner
ea09c280645956baff7e4cdc2bfa9753104b9025ec81d6853fca43f8c2fcb732
CoinMiner
f50a1f6a4a18f16169d39eae603f6300def0c4c8a8f6ad8807686f243e836314
CoinMiner
+ 2'788 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:fabookie family:gcleaner family:glupteba family:smokeloader family:xmrig botnet:up3 backdoor discovery dropper evasion loader miner persistence rootkit spyware stealer trojan upx
Link:
https://tria.ge/reports/230613-aebc5sec26/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Detects videocard installed
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
XMRig Miner payload
Amadey
Detect Fabookie payload
Fabookie
GCleaner
Glupteba
Glupteba payload
Modifies security service
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
xmrig
Malware Config
C2 Extraction:
5.42.65.80/8bmeVwqx/index.php
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
c5ed5ae369da1d7784e5750e5da0ff898b438b79a7875590cad8bdd6af3e99f4
MD5 hash:
1e5b2635145a5aff691b63b8ad16a4df
SHA1 hash:
ba01612a8df2e4d8f2859089fba64c00c3eaf43c
Link:
https://www.unpac.me/results/81f629af-fae3-49a2-a3e0-66bc8b342f68/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c5ed5ae369da/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5ed5ae369da1d7784e5750e5da0ff898b438b79a7875590cad8bdd6af3e99f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DLInjector04
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:msil_rc4
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe c5ed5ae369da1d7784e5750e5da0ff898b438b79a7875590cad8bdd6af3e99f4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2647221/
Cape
Cape
https://www.capesandbox.com/analysis/398112/

Comments