MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d88a28ba18a1f550e2bfdaad7b2ecfe6a27e89fbf1448301f98b8efc42d5c89a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d88a28ba18a1f550e2bfdaad7b2ecfe6a27e89fbf1448301f98b8efc42d5c89a
SHA3-384 hash: 76d70428d300b66d29b8f387d8aface7e39d0fdb97c866decfb777a8c65740af767f9cf2d2fe29a00a97fb2e0a4435d8
SHA1 hash: 62c0dc9c9c7f15837020ca78d52b8aeeb7aadba4
MD5 hash: 2a4c75799e5d2ea8618d085fdee81c13
humanhash: tennis-green-network-sierra
File name:2a4c75799e5d2ea8618d085fdee81c13
Download: download sample
Signature CoinMiner
Create hunting rule
File size:245'760 bytes
First seen:2022-04-08 12:44:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:9M9vSfo3jVFbnq44AKHNsbyEuzwDyJV4RfAjzOO0Cb20gYyNMDvhH:QqfKbnq44AeNsbyEuzwDyJV4RfAjzOOt
Threatray 1'569 similar samples on MalwareBazaar
TLSH T15C3445AC765072EFC857D872CAA81C64EB5074BB931B9203902716EDEA4D99BDF140F3
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
332
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
ab06801277c6efb587c0929d9d1d12ed.exe
Verdict:
Malicious activity
Analysis date:
2022-04-08 07:07:13 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/06637ea2-af69-4425-a8fc-6acc68cf9e47

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/262154/
Detection(s):
Win.Malware.Agen-9942893-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Searching for synchronization primitives
Searching for the Windows task manager window
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a window
Sending a custom TCP request
Sending an HTTP POST request
DNS request
Connecting to a cryptocurrency mining pool
Creating a service
Launching a service
Loading a system driver
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun for a service
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer obfuscated packed replace.exe virus
Link:
https://www.filescan.io/uploads/62502e50d53a7479dadb8029/reports/88264da5-1925-4a2d-85c4-314def15593c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b0971264-fd52-4b17-9201-59967553cac7
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/973162
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Command shell drops VBS files
Connects to many ports of the same IP (likely port scanning)
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 605649 Sample: lfNuCdFY0q Startdate: 08/04/2022 Architecture: WINDOWS Score: 100 97 Sigma detected: Xmrig 2->97 99 Multi AV Scanner detection for domain / URL 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 14 other signatures 2->103 11 lfNuCdFY0q.exe 5 4 2->11         started        15 Windows Security.exe 5 4 2->15         started        17 svchost.exe 2->17         started        19 10 other processes 2->19 process3 dnsIp4 81 C:\Users\user\...\Windows Security.exe, PE32 11->81 dropped 83 C:\...\Windows Security.exe:Zone.Identifier, ASCII 11->83 dropped 127 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->127 22 cmd.exe 1 11->22         started        24 cmd.exe 15->24         started        26 cmd.exe 15->26         started        129 Changes security center settings (notifications, updates, antivirus, firewall) 17->129 30 MpCmdRun.exe 17->30         started        87 127.0.0.1 unknown unknown 19->87 89 192.168.2.1 unknown unknown 19->89 file5 signatures6 process7 file8 32 Windows Security.exe 14 5 22->32         started        37 conhost.exe 22->37         started        39 c.exe 24->39         started        41 conhost.exe 24->41         started        79 C:\Users\user\AppData\Local\...\tmp6E3A.vbs, ASCII 26->79 dropped 125 Command shell drops VBS files 26->125 43 conhost.exe 26->43         started        45 cscript.exe 26->45         started        47 conhost.exe 30->47         started        signatures9 process10 dnsIp11 85 193.233.48.87, 27941, 49735, 49740 NETIS-ASRU Russian Federation 32->85 75 C:\Users\user\AppData\Roaming\...\c.exe, PE32 32->75 dropped 105 Hides that the sample has been downloaded from the Internet (zone.identifier) 32->105 49 cmd.exe 32->49         started        51 cmd.exe 2 32->51         started        107 Modifies the context of a thread in another process (thread injection) 39->107 109 Injects a PE file into a foreign processes 39->109 55 c.exe 39->55         started        file12 signatures13 process14 dnsIp15 58 c.exe 49->58         started        61 conhost.exe 49->61         started        77 C:\Users\user\AppData\Local\...\tmp278C.vbs, ASCII 51->77 dropped 111 Command shell drops VBS files 51->111 63 cscript.exe 1 51->63         started        65 conhost.exe 51->65         started        93 142.132.131.248 UNIVERSITYOFWINNIPEG-ASNCA Canada 55->93 95 pool.hashvault.pro 55->95 113 Query firmware table information (likely to detect VMs) 55->113 67 conhost.exe 55->67         started        file16 signatures17 process18 signatures19 117 Multi AV Scanner detection for dropped file 58->117 119 Machine Learning detection for dropped file 58->119 121 Modifies the context of a thread in another process (thread injection) 58->121 123 Injects a PE file into a foreign processes 58->123 69 c.exe 58->69         started        process20 dnsIp21 91 pool.hashvault.pro 46.4.27.39 HETZNER-ASDE Germany 69->91 115 Query firmware table information (likely to detect VMs) 69->115 73 conhost.exe 69->73         started        signatures22 process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d88a28ba18a1f550e2bfdaad7b2ecfe6a27e89fbf1448301f98b8efc42d5c89a/
Threat name:
ByteCode-MSIL.Trojan.SelfDel
Create hunting rule
Status:
Malicious
First seen:
2022-04-07 12:37:25 UTC
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3cfcroqyuh2vbyv73kwxwlwp42rh5cp36fcigapzrohpyqwvzcna._file
Verdict:
malicious
Similar samples:
02f2ddecb8e2761b0ecc346ec43dc12c05661f938331f6f4cc0b8703a9388224
CoinMiner
04ff00131dc81c785b075d33b1ab543f68e3aafa4ed1d52f8a19d16cbf66f3f2
CoinMiner
0f0807cdcb400a718656d3ec845ad57ffef9e25232d50044bb8d7a5d9d2a0a98
CoinMiner
392d92c5987f4aeea5e9988e126bd19798c3a63e60917445f67df835c15d598b
CoinMiner
47ee7c873ff6ad620d68f6bd92cbd41ae0194c446720228f805f3487192dd909
CoinMiner
6046aace6f59b5eba51322cb82de3b9b6be567f958b65d6586e6924a2366a32c
CoinMiner
73872c3c2ba2f4e09a18b0e0b3e00419b302781a83206512da39c28ae2e35fcc
CoinMiner
bd250e1cb4f8d322a5464549dc067ac7bcbecfc2d4fca46c40af8d23173011d3
CoinMiner
d42ae9509a110e4c8316bb71949c14a908f38277cbf6b4d2a216ba173aa24e55
CoinMiner
fc7c0979e0a7b2f95d8e50177b844166ced49a0c78de4adcedef75090dee4dd9
CoinMiner
+ 1'559 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/220408-py158scgc4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
e872aab8113759a2d1a40219c21986587c1d2f747dc8f3b7d23acfb338abd79d
MD5 hash:
debba131d801afeaf75971f8c5a26977
SHA1 hash:
2c137d9574f8f3b4cebda0c340bbe29f446000e3
Link:
https://www.unpac.me/results/c8f5b45c-8cb1-4980-a12f-14857ca88afc/
SH256 hash:
d88a28ba18a1f550e2bfdaad7b2ecfe6a27e89fbf1448301f98b8efc42d5c89a
MD5 hash:
2a4c75799e5d2ea8618d085fdee81c13
SHA1 hash:
62c0dc9c9c7f15837020ca78d52b8aeeb7aadba4
Link:
https://www.unpac.me/results/c8f5b45c-8cb1-4980-a12f-14857ca88afc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d88a28ba18a1f550e2bfdaad7b2ecfe6a27e89fbf1448301f98b8efc42d5c89a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_CoinMiner02
Create hunting rule
Author:ditekSHen
Description:Detects coinmining malware
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:MAL_XMR_Miner_May19_1_RID2E1B
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:pe_imphash
Create hunting rule
Rule name:rig_win64_xmrig_6_13_1_xmrig
Create hunting rule
Author:yarGen Rule Generator
Description:rig_win64 - file xmrig.exe
Reference:https://github.com/Neo23x0/yarGen
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe d88a28ba18a1f550e2bfdaad7b2ecfe6a27e89fbf1448301f98b8efc42d5c89a

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/262154/
  
URLhaus
https://urlhaus.abuse.ch/url/2137301/

Comments


Avatar
zbet commented on 2022-04-08 12:44:54 UTC

url : hxxp://107.189.6.214/verGTYnz/build.exe