MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cab75b043623fe8596e53030f9a9539993109a7014e5b3a1d5f723a54000fcbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cab75b043623fe8596e53030f9a9539993109a7014e5b3a1d5f723a54000fcbf
SHA3-384 hash: c701631aade158b1e575b94c0beb718241869b04dc26e5cf1c4bd815da06c208420ca74951634ca2a259325b4baaec23
SHA1 hash: 636cc3bd72cbc0200ef452d752eeff25740d9905
MD5 hash: 5f996671a4265bf0aa8862d8d77df5cd
humanhash: four-utah-mike-oregon
File name:5f996671a4265bf0aa8862d8d77df5cd.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:177'664 bytes
First seen:2021-09-05 21:18:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 3072:umohC8Vmc/JhyvqUlpfkTGqHKsswTaBBCVMNTbP8+Dyn:g4WJdM+LHhzOBN
Threatray 75 similar samples on MalwareBazaar
TLSH T18F0434968CE60B2ACF7F4E399EE0465B51D53C262304998F9FA40F535A1E3CF4E4D1A2
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5f996671a4265bf0aa8862d8d77df5cd.exe
Verdict:
Malicious activity
Analysis date:
2021-09-05 21:21:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9c8416ef-fea1-4890-823f-0c7cb1fe3242

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185478/
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.43.27529.1496.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% directory
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a window
Deleting a recently created file
Reading critical registry keys
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Launching a process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Malware family:
XMRig Miner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f8f7f746-bdea-4412-b4dc-e29472f4c71e
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845607
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 478038 Sample: wJtL8lkk83.exe Startdate: 05/09/2021 Architecture: WINDOWS Score: 100 119 Sigma detected: Xmrig 2->119 121 Malicious sample detected (through community Yara rule) 2->121 123 Antivirus / Scanner detection for submitted sample 2->123 125 11 other signatures 2->125 9 wJtL8lkk83.exe 4 2->9         started        12 services64.exe 5 2->12         started        15 svchost.exe 2->15         started        17 4 other processes 2->17 process3 file4 87 C:\Users\user\AppData\Local\...\chrome3.exe, PE32+ 9->87 dropped 89 C:\Users\user\...\JoBrowserInst364.exe, PE32 9->89 dropped 91 C:\Users\user\AppData\...\wJtL8lkk83.exe.log, ASCII 9->91 dropped 19 JoBrowserInst364.exe 15 7 9->19         started        24 chrome3.exe 5 9->24         started        165 Multi AV Scanner detection for dropped file 12->165 167 Injects code into the Windows Explorer (explorer.exe) 12->167 169 Writes to foreign memory regions 12->169 171 3 other signatures 12->171 26 explorer.exe 12->26         started        28 cmd.exe 12->28         started        30 sihost64.exe 12->30         started        32 WerFault.exe 15->32         started        signatures5 process6 dnsIp7 103 iplogger.org 88.99.66.31, 443, 49725, 49726 HETZNER-ASDE Germany 19->103 105 one-online-gam3s.com 172.67.151.109, 443, 49724 CLOUDFLARENETUS United States 19->105 73 C:\Users\user\AppData\Roaming\7190696.exe, PE32 19->73 dropped 75 C:\Users\user\AppData\Roaming\5489439.exe, PE32 19->75 dropped 77 C:\Users\user\AppData\Roaming\6684412.exe, PE32 19->77 dropped 147 Multi AV Scanner detection for dropped file 19->147 149 Detected unpacking (changes PE section rights) 19->149 151 May check the online IP address of the machine 19->151 34 7190696.exe 19->34         started        38 5489439.exe 19->38         started        41 6684412.exe 19->41         started        79 C:\Users\user\AppData\...\services64.exe, PE32+ 24->79 dropped 153 Machine Learning detection for dropped file 24->153 43 services64.exe 14 6 24->43         started        45 cmd.exe 1 24->45         started        107 185.71.66.31, 14433, 49743 STORMSYSTEMS-ASRU Russian Federation 26->107 109 217.182.169.148, 14433, 49744 OVHFR France 26->109 111 3 other IPs or domains 26->111 155 System process connects to network (likely due to code injection or exploit) 26->155 157 Query firmware table information (likely to detect VMs) 26->157 47 conhost.exe 28->47         started        49 schtasks.exe 28->49         started        file8 signatures9 process10 dnsIp11 93 185.177.125.94, 49735, 57832 WORLDSTREAMNL Netherlands 34->93 95 api.ip.sb 34->95 127 Multi AV Scanner detection for dropped file 34->127 129 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->129 131 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 34->131 143 2 other signatures 34->143 51 conhost.exe 34->51         started        81 C:\Users\user\AppData\...\WinHoster.exe, PE32 38->81 dropped 133 Detected unpacking (changes PE section rights) 38->133 53 WinHoster.exe 38->53         started        97 gaveclothing.bar 104.21.67.232, 443, 49729, 49737 CLOUDFLARENETUS United States 41->97 56 WerFault.exe 41->56         started        99 sanctam.net 185.65.135.234, 49727, 58899 ESAB-ASSE Sweden 43->99 101 bitbucket.org 104.192.141.1, 443, 49728 AMAZON-02US United States 43->101 83 C:\Users\user\AppData\...\sihost64.exe, PE32+ 43->83 dropped 85 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 43->85 dropped 135 Writes to foreign memory regions 43->135 137 Allocates memory in foreign processes 43->137 139 Modifies the context of a thread in another process (thread injection) 43->139 145 2 other signatures 43->145 58 explorer.exe 43->58         started        61 sihost64.exe 43->61         started        63 cmd.exe 43->63         started        141 Uses schtasks.exe or at.exe to add and modify task schedules 45->141 65 conhost.exe 45->65         started        67 schtasks.exe 1 45->67         started        file12 signatures13 process14 dnsIp15 113 51.15.54.102, 14433, 49732 OnlineSASFR France 58->113 115 51.15.67.17, 14433, 49730, 49741 OnlineSASFR France 58->115 117 3 other IPs or domains 58->117 159 System process connects to network (likely due to code injection or exploit) 58->159 161 Query firmware table information (likely to detect VMs) 58->161 163 Multi AV Scanner detection for dropped file 61->163 69 conhost.exe 63->69         started        71 schtasks.exe 63->71         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cab75b043623fe8596e53030f9a9539993109a7014e5b3a1d5f723a54000fcbf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-05 18:44:00 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
02509150940d9d652f1f65aef43231c2bd30e5ff2816f02ecc3f93a63e11954e
CoinMiner
03eb4a70bc788ed9cd096d77502ef2f5788e4f3930c3bf5924cead278dc6872d
CoinMiner
4a1f935a5f94e5b3d7d0c79dcd01a96d69650bfeadc4a49d6548b118e82e1e16
CoinMiner
c370a10ff643e3c1eee6b00be7f9ef17135888bdb579708e2e62f1460195c7eb
CoinMiner
ca30c496c6e9e5f4bec63c03c70fbdb84327121bc2fdd5c8c086e76b0b6dcb1f
CoinMiner
cae7a9b20d104ac9d8bf84e222f57477bd0e41c00c2f440c83eb37b4f7de0f9b
CoinMiner
e64cb0d7c1d5abc6302fbb89ee2c0a56f105c6489712fc39d46f4086d6d96fdc
CoinMiner
f84c1b53daf8279593ae9a9f6d8590ceb488318ce70a09bf25bfbf494398a83c
CoinMiner
+ 65 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:xmrig discovery infostealer miner persistence spyware stealer
Link:
https://tria.ge/reports/210905-z5ntlachgk/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
XMRig Miner Payload
RedLine
RedLine Payload
xmrig
Unpacked files
SH256 hash:
cab75b043623fe8596e53030f9a9539993109a7014e5b3a1d5f723a54000fcbf
MD5 hash:
5f996671a4265bf0aa8862d8d77df5cd
SHA1 hash:
636cc3bd72cbc0200ef452d752eeff25740d9905
Link:
https://www.unpac.me/results/e26237d2-ab80-47b1-a652-d5f0ea0b5dbd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cab75b043623fe8596e53030f9a9539993109a7014e5b3a1d5f723a54000fcbf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe cab75b043623fe8596e53030f9a9539993109a7014e5b3a1d5f723a54000fcbf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1536090/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/185478/

Comments