MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5eddd2ece5d2c1585435de0ec5b9c072a5b1ceb710bae2f62eb32ec6268e01d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5eddd2ece5d2c1585435de0ec5b9c072a5b1ceb710bae2f62eb32ec6268e01d
SHA3-384 hash: 6f47d4458a090cb22459328808f2b7426d9aa84236566205366585c97b85dabf8ec493e53d5053855608f1f3bca8c3d3
SHA1 hash: 25fe280044a0a9742db178d13394c395801da0c1
MD5 hash: 1c514e59f9c366a423c498769a937a50
humanhash: kilo-grey-louisiana-nuts
File name:1c514e59f9c366a423c498769a937a50.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:3'298'760 bytes
First seen:2022-04-08 08:52:24 UTC
Last seen:2022-04-08 10:13:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4e4095a0d90406c8428c5d9a9c6b05b7 (26 x CoinMiner, 4 x CoinMiner.XMRig)
ssdeep 98304:mvdMlYWiM9Vjv1QjX07vUuSrvKMGRfD2c1dMF:FaLGVdkEbUuKk2c1G
Threatray 324 similar samples on MalwareBazaar
TLSH T167E5F1EB2244365CC41AC430D433FD54B1F6511E5FAAA9BEB5E7EAD077AE825C902B03
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1c514e59f9c366a423c498769a937a50.exe
Verdict:
No threats detected
Analysis date:
2022-04-08 23:05:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4309ae55-90af-46c2-978f-1bf28e237bde

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/261985/
Detection(s):
SecuriteInfo.com.Win32.Packed.VMProtect.ACR.20916.13369.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% subdirectories
Launching a process
Forced system process termination
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/624ff7f5cccdcb994729cfe2/reports/3559a131-b3d6-45d0-8741-30bbc768bcca/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1d6ddd02-a129-489e-95d5-e604e3265e95
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/973440
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Blacklisted process start detected (Windows program)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Notepad Making Network Connection
Sigma detected: Suspicious Process Parents
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 605925 Sample: 0DaEw2qhel.exe Startdate: 08/04/2022 Architecture: WINDOWS Score: 100 56 Sigma detected: Xmrig 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus detection for URL or domain 2->60 62 9 other signatures 2->62 7 0DaEw2qhel.exe 1 5 2->7         started        12 RegHost.exe 1 2->12         started        process3 dnsIp4 52 185.137.234.33, 49742, 49743, 8080 SELECTELRU Russian Federation 7->52 44 C:\Users\user\AppData\...\RegModule.exe, PE32+ 7->44 dropped 46 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 7->46 dropped 48 C:\Users\user\AppData\Roaming\...\RegData.exe, PE32+ 7->48 dropped 50 C:\Users\user\AppData\...\OneDrive.exe, PE32+ 7->50 dropped 64 Hijacks the control flow in another process 7->64 66 Injects code into the Windows Explorer (explorer.exe) 7->66 68 Writes to foreign memory regions 7->68 14 notepad.exe 1 7->14         started        18 explorer.exe 1 7->18         started        20 bfsvc.exe 1 7->20         started        22 conhost.exe 7->22         started        70 Allocates memory in foreign processes 12->70 72 Modifies the context of a thread in another process (thread injection) 12->72 74 Injects a PE file into a foreign processes 12->74 24 notepad.exe 1 12->24         started        26 explorer.exe 1 12->26         started        28 bfsvc.exe 1 12->28         started        30 conhost.exe 12->30         started        file5 signatures6 process7 dnsIp8 54 xmr.2miners.com 51.89.96.41 OVHFR France 14->54 76 System process connects to network (likely due to code injection or exploit) 14->76 78 Query firmware table information (likely to detect VMs) 14->78 80 Blacklisted process start detected (Windows program) 14->80 32 conhost.exe 14->32         started        34 conhost.exe 18->34         started        36 conhost.exe 20->36         started        38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        42 conhost.exe 28->42         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5eddd2ece5d2c1585435de0ec5b9c072a5b1ceb710bae2f62eb32ec6268e01d/
Threat name:
Win64.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-04-08 08:53:17 UTC
File Type:
PE+ (Exe)
AV detection:
21 of 42 (50.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
06dbbdd3df2de3fba52f72cbac4c5d1e06f794de90a29fa7ea2f449e3a4fc37d
CoinMiner
18d3c86e8cf3eef27c596430279fade1c4c46b3ed4e59de2912ef2c803e13e32
CoinMiner
24cf5566094b9c99b75303995b503b3285531d1313658f318a931424c9ef46d3
CoinMiner
3e1a6299d80d53a831c2e6759ce2ac41e6d9aa6603cb2a1df7efbfb86debefa5
CoinMiner
bf7cfd220d44eba42f39dc189cef99116ca1036f43a9324b9cc3f04bb7a19d6f
CoinMiner
cf9d82a4d67beb905befac24665ccb76ac0bc9de390e335ab393072c5c37d281
CoinMiner
fe7e378c72ec43fca46360a46a8fc8c0d5ec0f4739ce3286610774fdec47edda
CoinMiner
+ 314 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan upx
Link:
https://tria.ge/reports/220408-ktaehagbbq/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Downloads MZ/PE file
UPX packed file
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
c5eddd2ece5d2c1585435de0ec5b9c072a5b1ceb710bae2f62eb32ec6268e01d
MD5 hash:
1c514e59f9c366a423c498769a937a50
SHA1 hash:
25fe280044a0a9742db178d13394c395801da0c1
Link:
https://www.unpac.me/results/885e9356-9576-4a94-bd41-7e853e3f1647/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c5eddd2ece5d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/c5eddd2ece5d2c1585435de0ec5b9c072a5b1ceb710bae2f62eb32ec6268e01d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe c5eddd2ece5d2c1585435de0ec5b9c072a5b1ceb710bae2f62eb32ec6268e01d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/261985/
  
URLhaus
https://urlhaus.abuse.ch/url/2137193/
  
Delivery method
Distributed via web download

Comments