MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408
SHA3-384 hash: 5b6bc238708a28da5333d5228eb7b8f63ab5de253b370de0291df46c48e4609ae86ba47af90fcc7ba034e04586d00eb8
SHA1 hash: b40aceed9393e3d4c289b2cf477dd5dee76a39da
MD5 hash: e2fb72e358e13e40ae8327c3a9df8165
humanhash: september-four-alaska-ack
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:3'904'512 bytes
First seen:2022-11-02 22:04:31 UTC
Last seen:2022-11-11 23:36:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c24ea937b2b0d62e829e8a8faeff5a8d (26 x CoinMiner, 1 x CoinMiner.XMRig)
ssdeep 98304:YhCXGuqU2NGGt1NeI4LRnojOISqQBX37KQlXwrDaqYT6A+W:zfgOIEqQBH7K0XmQJ
Threatray 2'748 similar samples on MalwareBazaar
TLSH T13E0623723973AF5EF91A0639D46F973874356C221A42FA2DCB1B84523EE064D733AD60
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter jstrosch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
C4Setup.exe
Verdict:
Malicious activity
Analysis date:
2022-11-02 19:38:56 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/e3b3393f-7132-4878-b605-67956eb83df4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/327378/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Running batch commands
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Changing the hosts file
Enabling autorun by creating a file
Unauthorized injection to a system process
Using obfuscated Powershell scripts
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/47577/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/6362e991791bb7e48afe1513/reports/450ae52d-cc17-4c01-ada2-d1ab10944ee8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be4aee3d-b041-41b9-95cc-93505930c73d
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1103784
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Creates files in the system32 config directory
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 736446 Sample: file.exe Startdate: 02/11/2022 Architecture: WINDOWS Score: 100 46 wowouch.net 2->46 48 clientbased.xyz 2->48 50 pastebin.com 2->50 54 Snort IDS alert for network traffic 2->54 56 Multi AV Scanner detection for domain / URL 2->56 58 Antivirus detection for dropped file 2->58 60 10 other signatures 2->60 7 SmartScreenQC.exe 2->7         started        11 file.exe 4 2->11         started        13 cmd.exe 1 2->13         started        15 12 other processes 2->15 signatures3 process4 file5 36 C:\Windows\Temp\qgcjxnwn.tmp, PE32+ 7->36 dropped 38 C:\Program Filesbehaviorgraphoogle\Libs\WR64.sys, PE32+ 7->38 dropped 62 Very long command line found 7->62 64 Writes to foreign memory regions 7->64 66 Modifies the context of a thread in another process (thread injection) 7->66 80 2 other signatures 7->80 17 dialer.exe 7->17         started        20 dialer.exe 7->20         started        40 C:\Users\user\AppData\Local\...\qgcjxnwn.tmp, PE32+ 11->40 dropped 42 C:\Program Files\...\SmartScreenQC.exe, PE32+ 11->42 dropped 44 C:\Windows\System32\drivers\etc\hosts, ASCII 11->44 dropped 68 Modifies the hosts file 11->68 70 Found hidden mapped module (file has been removed from disk) 11->70 72 Adds a directory exclusion to Windows Defender 11->72 22 dialer.exe 2 11->22         started        74 Uses cmd line tools excessively to alter registry or file data 13->74 24 reg.exe 1 13->24         started        26 reg.exe 1 13->26         started        28 reg.exe 1 13->28         started        32 8 other processes 13->32 76 Creates files in the system32 config directory 15->76 78 Uses schtasks.exe or at.exe to add and modify task schedules 15->78 30 conhost.exe 15->30         started        34 23 other processes 15->34 signatures6 process7 signatures8 52 Adds a directory exclusion to Windows Defender 17->52
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408/
Threat name:
Win64.Trojan.Tedy
Create hunting rule
Status:
Malicious
First seen:
2022-11-02 22:05:47 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ziwuem4fqeilged3fpzpmf5jmx3r65npv7243ws26nui4lx2qea._file
Verdict:
malicious
Similar samples:
0ca5c734d0f935bcb1d2ba2345150127daa31d05dc7b3363a2b5215de83ab16f
CoinMiner
5d34b1f77abd61c463bd6ed97eb0b12bed29ac712445fa9d1dd6abe1029fed94
CoinMiner
5d9d30f4a9e254cd3754c47ca59ac4d4e0f50f4d6fd6564e777819d1701be81e
CoinMiner
65970760831f083ce65c5ec185f5c1d1c73217bcf600de567f2960b592412c52
CoinMiner
8226b5885ea94def0a895da5a98fdcbd826da231a0eaded5bfa380a84cf8d0d9
CoinMiner
93b19478b4902aa33f9722f5dd0c209cd0e7246d4ad6b3837dbe4eb8b103386b
CoinMiner
a647e223490db9af36e0794732566345a266e8793bc9a3e45ea58b5cbcd8435c
CoinMiner
ec7ee9dde198537f08df06105918ea77c1be48e8b988b4a9c3f54e7d27628de8
CoinMiner
fb0902eee42d919696c4f445165b1837b8274c9505ebd916fc820e63e9b1202e
CoinMiner
+ 2'738 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner upx
Link:
https://tria.ge/reports/221102-1zgzjaefgr/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Stops running service(s)
UPX packed file
XMRig Miner payload
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/066e9b92-3c8d-4b6b-9d21-72ce0e0f0beb
Unpacked files
SH256 hash:
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408
MD5 hash:
e2fb72e358e13e40ae8327c3a9df8165
SHA1 hash:
b40aceed9393e3d4c289b2cf477dd5dee76a39da
Link:
https://www.unpac.me/results/d989cc0d-7062-4086-b4be-316db8cb5b1f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d6516a119c2c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/327378/
  
URLhaus
https://urlhaus.abuse.ch/url/2393364/
  
URLhaus
https://urlhaus.abuse.ch/url/2389967/
  
URLhaus
https://urlhaus.abuse.ch/url/2385810/

Comments