MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e022b9248520125c287084c92771bb568e8f2ce5df963ff33f566dec3b89b608. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 10

SHA256 hash: e022b9248520125c287084c92771bb568e8f2ce5df963ff33f566dec3b89b608
SHA3-384 hash: 6fd6c25a2675d70c4390450ca2186cc0c9e5e00fe8a75c2cc621b7041e30542786f1bf4cbd83377279a454fb899812c9
SHA1 hash: 50c9c4e3aa71e05398b364d74f9d0fa3707b5358
MD5 hash: 90c9a6d5e1dbd5f953dc5f4101d7c016
humanhash: purple-pennsylvania-fourteen-two
File name: 90c9a6d5e1dbd5f953dc5f4101d7c016
Signature: CoinMiner
File size: 3'294'152 bytes
First seen: 2022-03-23 07:21:18 UTC
Last seen: 2022-03-25 06:57:59 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4e4095a0d90406c8428c5d9a9c6b05b7 (26 x CoinMiner, 4 x CoinMiner.XMRig)
ssdeep: 49152:2oqnOJIee2llcqxbuZdMLiYTL+5/Dn43CsVs2KL6/lVuCrTcWTUU9ouAIpm:27ngdlcqxbCMLiXSC0r0U
Threatray: 290 similar samples on MalwareBazaar
TLSH: T165E501AE6268231CC41E89385937FD0472F6961F57F8996E70CFFEC02BAB511D942B42
Reporter: zbetcheckin
Tags: CoinMiner exe

Intelligence

File Origin
# of uploads: 3
# of downloads: 244
Origin country: n/a

Vendor Threat Intelligence

Result
Malware family: socelars
ID: 1
File name: https://cdn.discordapp.com/attachments/934006169125679147/954660553576570930/Setup.zip?file=Your+File+Is+Ready+To+Download.zip
Verdict: Malicious activity
Analysis date: 2022-03-23 02:20:39 UTC
Tags: trojan socelars stealer loader evasion opendir rat redline vidar arkei ransomware stop

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Sending an HTTP GET request
  Creating a file in the %AppData% subdirectories
  Launching a process
  Sending a custom TCP request
  Creating a process with a hidden window
  DNS request
  Searching for synchronization primitives
  Blocking the Windows Defender launch
  Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
  Unauthorized injection to a system process
Result
Malware family: n/a
Score: 0/10
Tags: n/a

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: evad.mine
Score: 100 / 100
Signature:
  Allocates memory in foreign processes
  Antivirus detection for dropped file
  Antivirus detection for URL or domain
  Blacklisted process start detected (Windows program)
  Detected Stratum mining protocol
  DNS related to crypt mining pools
  Found strings related to Crypto-Mining
  Hijacks the control flow in another process
  Injects a PE file into a foreign processes
  Injects code into the Windows Explorer (explorer.exe)
  Machine Learning detection for dropped file
  Malicious sample detected (through community Yara rule)
  Modifies the context of a thread in another process (thread injection)
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Query firmware table information (likely to detect VMs)
  Sigma detected: Notepad Making Network Connection
  Sigma detected: Suspicious Process Parents
  System process connects to network (likely due to code injection or exploit)
  Tries to detect virtualization through RDTSC time measurements
  Writes to foreign memory regions
  Yara detected Xmrig cryptocurrency miner
Behaviour

Behavior Graph
Behavior Graph ID: 594936
Sample: HN5dcB7FyE
Start date: 23/03/2022
Architecture: WINDOWS
Score: 100

Start node
  DNS/IP: easyproducts.org
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 9 other signatures
  Started: HN5dcB7FyE.exe; RegHost.exe

HN5dcB7FyE.exe
  DNS/IP: 185.137.234.33, 49773, 49774, 8080 (SELECTELRU, Russian Federation)
  Dropped: C:\Users\user\AppData\...\RegModule.exe (PE32+); C:\Users\user\AppData\Roaming\...\RegHost.exe (PE32+); C:\Users\user\AppData\Roaming\...\RegData.exe (PE32+); C:\Users\user\AppData\...\OneDrive.exe (PE32+)
  Signatures: Hijacks the control flow in another process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Injects a PE file into a foreign processes
  Started: notepad.exe; explorer.exe; bfsvc.exe; conhost.exe

RegHost.exe
  Signatures: Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); Tries to detect virtualization through RDTSC time measurements
  Started: notepad.exe; explorer.exe; bfsvc.exe; conhost.exe

notepad.exe (started by HN5dcB7FyE.exe)
  DNS/IP: 135.125.238.108 (AVAYAUS, United States); xmr-eu1.nanopool.org
  Signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs); Blacklisted process start detected (Windows program)
  Started: conhost.exe

explorer.exe (started by HN5dcB7FyE.exe)
  Started: curl.exe; conhost.exe; curl.exe
  curl.exe started: conhost.exe

bfsvc.exe (started by HN5dcB7FyE.exe)
  Started: conhost.exe

notepad.exe (started by RegHost.exe)
  DNS/IP: 46.105.31.147 (OVHFR, France); xmr-eu1.nanopool.org
  Started: conhost.exe

explorer.exe (started by RegHost.exe)
  Started: conhost.exe; curl.exe

bfsvc.exe (started by RegHost.exe)
  Started: conhost.exe
Result
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2022-03-22 18:38:01 UTC
File Type: PE+ (Exe)
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence trojan upx
Behaviour:
  Suspicious use of WriteProcessMemory
  Program crash
  Suspicious use of SetThreadContext
  Adds Run key to start application
  Downloads MZ/PE file
  UPX packed file
  Modifies Windows Defender Real-time Protection settings
Unpacked files
SHA256 hash: e022b9248520125c287084c92771bb568e8f2ce5df963ff33f566dec3b89b608
MD5 hash: 90c9a6d5e1dbd5f953dc5f4101d7c016
SHA1 hash: 50c9c4e3aa71e05398b364d74f9d0fa3707b5358
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_CoinMiner02
Author: ditekSHen
Description: Detects coinmining malware

Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: MAL_XMR_Miner_May19_1_RID2E1B
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: rig_win64_xmrig_6_13_1_xmrig
Author: yarGen Rule Generator
Description: rig_win64 - file xmrig.exe
Reference: https://github.com/Neo23x0/yarGen

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: CoinMiner
File type: Executable exe
SHA256 hash: e022b9248520125c287084c92771bb568e8f2ce5df963ff33f566dec3b89b608 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-03-23 07:21:21 UTC

url : hxxp://file-coin-coin-10.com/files/2911_1647958086_1714.exe