MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc633709fc89e2c8596d97b71135911f73fb51bd4b9e7adbac5692fc287b0165. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 8

SHA256 hash: dc633709fc89e2c8596d97b71135911f73fb51bd4b9e7adbac5692fc287b0165
SHA3-384 hash: f119e90f05abd35786160f7870b033d3f41185cc45b76a2080f4fef1df1bcd9e0ec5e58ea645fcd431cb7ed5cde53051
SHA1 hash: 6a52f048f821fda5ab3bac10a887fb48462a64d0
MD5 hash: 745e57d1e9ef58647a60e3d341589d0f
humanhash: thirteen-sad-bacon-oklahoma
File name: 745e57d1e9ef58647a60e3d341589d0f
Signature: CoinMiner
File size: 4'503'040 bytes
First seen: 2021-09-25 05:02:24 UTC
Last seen: 2021-09-25 05:57:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2a2a662be9dffc461398e7c94d0b55b4 (5 x GuLoader, 3 x CoinMiner, 3 x RedLineStealer)
ssdeep: 98304:8lTmkKs5QV/57/Alz6eun3QqBAnzrMDMNBY5rr07JTZIIWSOhWu:NhsKVS56/3QCAnvjsrI7JTWIWSOT
Threatray: 258 similar samples on MalwareBazaar
TLSH: T1632612B6CE45A161F00B33F28E0ED1F94EC825DED525A5C6D07EE4BCDC642807BE25A6
dhash icon: f0d4820ccecef4f8 (7 x AsyncRAT, 6 x XWorm, 5 x CoinMiner)
Reporter: zbetcheckin
Tags: 32 CoinMiner exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 220
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 745e57d1e9ef58647a60e3d341589d0f
Verdict: No threats detected
Analysis date: 2021-09-25 05:05:16 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: BitCoin Miner Xmrig
Detection: malicious
Classification: evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (text summary of the graph image; Behavior Graph ID: 490196)
Sample: HTG6dLHzTZ
Start date: 25/09/2021
Architecture: WINDOWS
Score: 100
Root signatures: Sigma detected: Xmrig; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 10 other signatures

Network contacts:
194.147.142.230, ports 49757, 49758, 7777 (PTPEU, unknown)
51.255.34.118, ports 14433, 49756 (OVHFR, France)
2 other IPs or domains

Dropped files (all PE32+):
C:\Users\user\AppData\...\msedge_web.exe
C:\Users\user\AppData\Local\Temp\msedge.exe
C:\Users\user\AppData\Local\...\svchost32.exe
C:\Users\user\AppData\Local\...\svchost64.exe
C:\Users\user\AppData\...\sihost32.exe
C:\Users\user\AppData\Roaming\msedge.exe
C:\Users\user\AppData\...\sihost64.exe
C:\Users\user\AppData\Roaming\...\WR64.sys

Process chain:
HTG6dLHzTZ.exe (adds a directory exclusion to Windows Defender) starts three cmd.exe instances, which launch msedge_web.exe and msedge.exe. Each of those starts further cmd.exe instances, which launch svchost32.exe and svchost64.exe (Multi AV Scanner and Machine Learning detection for the dropped files; one cmd.exe chain uses schtasks.exe or at.exe to add and modify task schedules and adds a Windows Defender exclusion via powershell.exe). svchost32.exe and svchost64.exe start another round of cmd.exe, msedge_web.exe and msedge.exe, which in turn spawn schtasks.exe, powershell.exe, choice.exe and conhost.exe. A schtasks.exe instance starts svchost64.exe, which drops sihost64.exe and WR64.sys, injects code into the Windows Explorer (explorer.exe), writes to foreign memory regions and allocates memory in foreign processes (3 other signatures). Also started at the top level: msedge_web.exe, msedge.exe and 5 other processes (changes security center settings: notifications, updates, antivirus, firewall).
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-09-24 18:25:17 UTC
AV detection: 20 of 45 (44.44%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:xmrig miner

Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SHA256 hash: dc633709fc89e2c8596d97b71135911f73fb51bd4b9e7adbac5692fc287b0165
MD5 hash: 745e57d1e9ef58647a60e3d341589d0f
SHA1 hash: 6a52f048f821fda5ab3bac10a887fb48462a64d0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_CoinMiner02
Author: ditekSHen
Description: Detects coinmining malware

Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: MAL_XMR_Miner_May19_1_RID2E1B
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: Executable exe
SHA256: dc633709fc89e2c8596d97b71135911f73fb51bd4b9e7adbac5692fc287b0165 (this sample)

Comments



zbet commented on 2021-09-25 05:02:25 UTC

url: hxxp://194.147.142.230/download/activationeth.exe