MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cce2e22b624487d4fb6a7291c8cb8f24fcbcf29d68a4b5a96c6dd2550059dd4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash: cce2e22b624487d4fb6a7291c8cb8f24fcbcf29d68a4b5a96c6dd2550059dd4c
SHA3-384 hash: 86356322d08b470fc7a7d65ed0c4de70e53576c7c9b56b667e6a5a9eb743cfe084d7034c5a087c8ad9ba5dcb12ba854a
SHA1 hash: 6fef3255e08cfcf60ded3317e5aa96ce7be58520
MD5 hash: 224c1d353e3de4354f174e38b4bd4b76
humanhash: montana-ten-zulu-foxtrot
File name:9.971505116492501.png
Download: download sample
Signature CoinMiner
File size:2'568'584 bytes
First seen:2022-04-14 06:51:56 UTC
Last seen:2022-04-14 07:39:24 UTC
File type: elf
MIME type:application/x-executable
ssdeep 49152:WOqNAKvgsVR0Cdcq4ZQyLvaP2SE7SUldX2MneyBKoFODHT9WY7:5/2JqQ+vywX2o1VFi
TLSH T18FC5220BF5019AAFC36846B028E7CBF8237BA459E7470777265C634AFC863761F46990
Reporter jSh95924973
Tags:CoinMiner elf

Intelligence


File Origin
# of uploads :
2
# of downloads :
327
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
custom
Botnet:
unknown
Number of open files:
116
Number of processes launched:
26
Processes remaning?
false
Remote TCP ports scanned:
8080,22,6379,8161
Behaviour
Persistence
Botnet C2s
TCP botnet C2(s):
104.18.115.97:80
104.18.114.97:80
UDP botnet C2(s):
not identified
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many IPs within the same subnet mask (likely port scanning)
Connects to many ports of the same IP (likely port scanning)
Creates /etc/ld.so.preload
Deletes /etc/ld.so.preload (likely AV evasion)
Drops files in suspicious directories
Found strings indicative of a multi-platform dropper
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Sample deletes itself
Sample scans a subnet
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 609129 Sample: 9.971505116492501.png Startdate: 14/04/2022 Architecture: LINUX Score: 100 67 icanhazip.com 2->67 69 84.17.2.200, 22, 6379, 8080 MTSRU Russian Federation 2->69 71 101 other IPs or domains 2->71 73 Antivirus detection for dropped file 2->73 75 Antivirus / Scanner detection for submitted sample 2->75 77 Multi AV Scanner detection for submitted file 2->77 81 5 other signatures 2->81 13 9.971505116492501.png 2->13         started        17 systemd snapd-env-generator 2->17         started        19 systemd snapd-env-generator 2->19         started        21 systemd snapd-env-generator 2->21         started        signatures3 79 May check the online IP address of the machine 67->79 process4 file5 65 /usr/local/sbin/9.9715051164925, ELF 13->65 dropped 93 Sample tries to persist itself using cron 13->93 23 9.971505116492501.png 9.971505116492501.png 13->23         started        signatures6 process7 signatures8 83 Sample tries to persist itself using cron 23->83 26 9.971505116492501.png 9.971505116492501.png 23->26         started        process9 file10 57 /var/spool/cron/root, ASCII 26->57 dropped 59 /var/spool/cron/crontabs/root, ASCII 26->59 dropped 61 /usr/local/sbin/rsyalogdsds, ELF 26->61 dropped 63 3 other malicious files 26->63 dropped 85 Creates /etc/ld.so.preload 26->85 87 Deletes /etc/ld.so.preload (likely AV evasion) 26->87 89 Drops files in suspicious directories 26->89 91 2 other signatures 26->91 30 9.971505116492501.png sh 26->30         started        32 9.971505116492501.png rsyalogdsds 26->32         started        34 9.971505116492501.png sh 26->34         started        36 2 other processes 26->36 signatures11 process12 process13 38 sh systemctl 30->38         started        40 sh systemctl 30->40         started        42 rsyalogdsds 32->42         started        process14 44 systemctl systemd-sysv-install 38->44         started        process15 46 systemd-sysv-install update-rc.d 44->46         started        49 systemd-sysv-install update-rc.d 44->49         started        51 systemd-sysv-install getopt 44->51         started        signatures16 95 Sample tries to persist itself using System V runlevels 46->95 53 update-rc.d systemctl 46->53         started        55 update-rc.d systemctl 49->55         started        process17
Threat name:
Linux.Trojan.Generic
Status:
Suspicious
First seen:
2019-12-20 13:00:18 UTC
File Type:
ELF32 Little (Exe)
AV detection:
15 of 42 (35.71%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  6/10
Tags:
linux
Behaviour
GoLang User-Agent
Looks up external IP address via web service
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:upx_antiunpack_elf32
Author:JPCERT/CC Incident Response Group
Description:UPX Anti-Unpacking technique to magic renamed for ELF32

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments