MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca30c496c6e9e5f4bec63c03c70fbdb84327121bc2fdd5c8c086e76b0b6dcb1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 11



SHA256 hash: ca30c496c6e9e5f4bec63c03c70fbdb84327121bc2fdd5c8c086e76b0b6dcb1f
SHA3-384 hash: b5812a8764394668c58af6f9543831afdc5c4c7fbecad512c36239110c4ce8c3e071687b4929295c514c335cf46dd551
SHA1 hash: dbb9755c29becc56d8528ab352b1bca937274d44
MD5 hash: e5bb00c6296d8591fd055f8c8313a821
humanhash: music-mike-freddie-leopard
File name: e5bb00c6296d8591fd055f8c8313a821.exe
Signature: CoinMiner
File size: 164'864 bytes
First seen: 2021-08-18 17:57:43 UTC
Last seen: 2021-08-18 19:10:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'453 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 3072:JFdmoWbASnvNScCFyH13MiflomyOPDyJ:xmlFS8Hp1t
Threatray: 144 similar samples on MalwareBazaar
TLSH: T1D4F3065D773C8023BBB785AA0C99B931413E151E2A23F7A971D749CD2CFA3C2A14275B
Reporter: abuse_ch
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 168
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: e5bb00c6296d8591fd055f8c8313a821.exe
Verdict: Malicious activity
Analysis date: 2021-08-18 18:03:08 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Detected unpacking (changes PE section rights)
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: ID 467711, sample HNEhMTzIxu.exe, start date 18/08/2021, architecture WINDOWS, score 100 (graph image not reproduced in this text view)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-08-18 17:58:05 UTC
AV detection: 26 of 46 (56.52%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:xmrig miner
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SHA256 hash: ca30c496c6e9e5f4bec63c03c70fbdb84327121bc2fdd5c8c086e76b0b6dcb1f
MD5 hash: e5bb00c6296d8591fd055f8c8313a821
SHA1 hash: dbb9755c29becc56d8528ab352b1bca937274d44

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: CoinMiner
File type: Executable exe
SHA256: ca30c496c6e9e5f4bec63c03c70fbdb84327121bc2fdd5c8c086e76b0b6dcb1f (this sample)

Delivery method: Distributed via web download
