MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cedead0402b84528a99183467e491dd9c106847eaa9090853ccf6fa522e1bb42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cedead0402b84528a99183467e491dd9c106847eaa9090853ccf6fa522e1bb42
SHA3-384 hash: da410a1d997f0a3df4df289248fc3aad1c68d1382ebcaeb08442070c8022ff8fb46622eecf5fbf8c8c818fa491897004
SHA1 hash: 73fd7c5009776f0001264d8041e9844a18630e00
MD5 hash: b40b2474c4cc44f5545dec1b9ab4f4b2
humanhash: jupiter-autumn-batman-alaska
File name:b40b2474c4cc44f5545dec1b9ab4f4b2.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:855'552 bytes
First seen:2021-08-25 15:27:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:hgu/N/E2iNadenef5+G9I1sQm2iNF2iNi4QissaMJcR/V:/W1M1j1esId
Threatray 526 similar samples on MalwareBazaar
TLSH T1D3059E3133CA246DF2D551325D61A689FA76987E7B63832F24AE2D2D64F3058C3D1A0F
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b40b2474c4cc44f5545dec1b9ab4f4b2.exe
Verdict:
Malicious activity
Analysis date:
2021-08-25 15:32:23 UTC
Tags:
loader opendir stealer trojan
Link:
https://app.any.run/tasks/f38d85cb-bdbc-467e-aa19-fd61a4398ca8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182353/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BlackNet RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/49009ea7-51ee-4b7f-bbbf-1e7cc57cdcef
Result
Threat name:
Vidar Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/839203
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 471639 Sample: noapPl7Cpu.exe Startdate: 25/08/2021 Architecture: WINDOWS Score: 100 117 Sigma detected: Xmrig 2->117 119 Malicious sample detected (through community Yara rule) 2->119 121 Multi AV Scanner detection for dropped file 2->121 123 6 other signatures 2->123 11 noapPl7Cpu.exe 14 7 2->11         started        16 Runtlme.exe 2->16         started        18 svchost.exe 2->18         started        20 8 other processes 2->20 process3 dnsIp4 107 swretjhwrtj.gq 104.21.46.21, 49701, 49705, 80 CLOUDFLARENETUS United States 11->107 93 C:\Users\user\AppData\Local\Temp\Build.exe, PE32 11->93 dropped 95 C:\Users\user\AppData\...\noapPl7Cpu.exe.log, ASCII 11->95 dropped 97 C:\Users\user\AppData\Local\Temp\...\.dll, PE32+ 11->97 dropped 147 Tries to detect virtualization through RDTSC time measurements 11->147 22 Build.exe 129 11->22         started        149 Machine Learning detection for dropped file 16->149 151 Injects code into the Windows Explorer (explorer.exe) 16->151 153 Writes to foreign memory regions 16->153 157 3 other signatures 16->157 27 explorer.exe 16->27         started        29 cmd.exe 16->29         started        31 sihost64.exe 16->31         started        155 Changes security center settings (notifications, updates, antivirus, firewall) 18->155 33 MpCmdRun.exe 18->33         started        109 127.0.0.1 unknown unknown 20->109 111 192.168.2.1 unknown unknown 20->111 file5 signatures6 process7 dnsIp8 103 141.95.21.134, 49702, 80 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 22->103 81 C:\Users\user\AppData\Local\...\fasd[1].exe, PE32 22->81 dropped 83 C:\Program Files\file.exe, PE32 22->83 dropped 85 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 22->85 dropped 87 C:\ProgramData\sqlite3.dll, PE32 22->87 dropped 125 Antivirus detection for dropped file 22->125 127 Machine Learning detection for dropped file 22->127 129 Tries to harvest and steal browser information (history, passwords, etc) 22->129 135 2 other signatures 22->135 35 file.exe 14 7 22->35         started        39 cmd.exe 1 22->39         started        105 xmr.2miners.com 27->105 131 System process connects to network (likely due to code injection or exploit) 27->131 133 Query firmware table information (likely to detect VMs) 27->133 41 conhost.exe 29->41         started        43 schtasks.exe 29->43         started        45 conhost.exe 33->45         started        file9 signatures10 process11 dnsIp12 101 swretjhwrtj.gq 35->101 77 C:\Users\user\AppData\Local\Temp\xmr.exe, PE32+ 35->77 dropped 79 C:\Users\user\AppData\Local\Temp\...\.dll, PE32+ 35->79 dropped 47 xmr.exe 35->47         started        51 conhost.exe 39->51         started        53 timeout.exe 39->53         started        file13 process14 file15 99 C:\Users\user\AppData\Local\...\Runtlme.exe, PE32+ 47->99 dropped 115 Machine Learning detection for dropped file 47->115 55 Runtlme.exe 47->55         started        59 cmd.exe 47->59         started        signatures16 process17 file18 89 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 55->89 dropped 91 C:\Users\user\AppData\...\sihost64.exe, PE32+ 55->91 dropped 137 Injects code into the Windows Explorer (explorer.exe) 55->137 139 Writes to foreign memory regions 55->139 141 Allocates memory in foreign processes 55->141 145 3 other signatures 55->145 61 explorer.exe 55->61         started        65 cmd.exe 55->65         started        67 sihost64.exe 55->67         started        143 Uses schtasks.exe or at.exe to add and modify task schedules 59->143 69 conhost.exe 59->69         started        71 schtasks.exe 59->71         started        signatures19 process20 dnsIp21 113 xmr.2miners.com 51.89.96.41, 12222, 49709, 49710 OVHFR France 61->113 159 System process connects to network (likely due to code injection or exploit) 61->159 161 Query firmware table information (likely to detect VMs) 61->161 73 conhost.exe 65->73         started        75 schtasks.exe 65->75         started        signatures22 process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cedead0402b84528a99183467e491dd9c106847eaa9090853ccf6fa522e1bb42/
Threat name:
ByteCode-MSIL.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-25 14:12:16 UTC
AV detection:
9 of 28 (32.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z3pk2bacxbcsrkmrqndh4si53haqnbd6vkijbbj4z5x2kixbxnba._file
Verdict:
malicious
Similar samples:
02509150940d9d652f1f65aef43231c2bd30e5ff2816f02ecc3f93a63e11954e
CoinMiner
03eb4a70bc788ed9cd096d77502ef2f5788e4f3930c3bf5924cead278dc6872d
CoinMiner
2340f7976585cd113520b33eb51c6b57e37c6bad2fba29a48b8c7e8e784a2491
CoinMiner
a526e9dae9298bbd03ca2a8fc8a45809eac1543bbec4680182493c551d65f731
CoinMiner
b55bf0c98c34bb3ca46a7bb08598ffc1a97c9ad7bb47191cd1280b609322267f
CoinMiner
ca30c496c6e9e5f4bec63c03c70fbdb84327121bc2fdd5c8c086e76b0b6dcb1f
CoinMiner
ef25bb229ec8ca7d7b2e3d4e23036b74bdc8b9154bb4c5b532e7ea2a0a7c8ee6
CoinMiner
f43b25a5501033f574f0467cdf7534f50cdbec94c3d8a173a80ee9f54fce55eb
CoinMiner
f4ec629473fbe96fa82fe1c1e30e6784144163d662e1c977acf5bc1d62b20c0b
CoinMiner
+ 516 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig discovery miner spyware stealer
Link:
https://tria.ge/reports/210825-23lngkhb96/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7
MD5 hash:
edd74be9723cdc6a5692954f0e51c9f3
SHA1 hash:
e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686
Link:
https://www.unpac.me/results/efe2d8e9-ee8c-40a7-a18e-651440336f78/
SH256 hash:
cedead0402b84528a99183467e491dd9c106847eaa9090853ccf6fa522e1bb42
MD5 hash:
b40b2474c4cc44f5545dec1b9ab4f4b2
SHA1 hash:
73fd7c5009776f0001264d8041e9844a18630e00
Link:
https://www.unpac.me/results/efe2d8e9-ee8c-40a7-a18e-651440336f78/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cedead0402b8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cedead0402b84528a99183467e491dd9c106847eaa9090853ccf6fa522e1bb42

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:INDICATOR_EXE_Packed_AgileDotNet
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Agile.NET / CliSecure
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe cedead0402b84528a99183467e491dd9c106847eaa9090853ccf6fa522e1bb42

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1559356/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/182353/

Comments