MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0418fa6c397e401b1cfdbb5202296c45ea77100ae6f9c7e5868cc3393a854ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0418fa6c397e401b1cfdbb5202296c45ea77100ae6f9c7e5868cc3393a854ec
SHA3-384 hash: 6c09c186fd69bb47654ec28fe9d132e4545985ef10e9ba75f658cd13f491bc8365d782b5c9e663f01acb729a7ca1c16a
SHA1 hash: 5cd75a85d5a8d9d86403527289bce54982a22dc1
MD5 hash: 35309a7f136e2c60ac74e53d0963a1e1
humanhash: echo-equal-papa-four
File name:SecuriteInfo.com.Trojan.Inject4.43325.7583.18575
Download: download sample
Signature CoinMiner
Create hunting rule
File size:6'773'248 bytes
First seen:2022-09-25 07:09:40 UTC
Last seen:2023-08-26 21:08:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 196608:Pv5UAWrtJP706QWu8Cx6TTryUAv9Z0HfkN:n5hWrtl706Q/IH1Av9yHf
Threatray 1'043 similar samples on MalwareBazaar
TLSH T1F4663390BB669E51E4565FF3A070FA79F860BD4E18B3820ED0053DDF2D2BD2F2A454A1
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon f4f4d0f0f2b0a496 (2 x CoinMiner, 1 x AsyncRAT)
Reporter SecuriteInfoCom
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313117/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.43325.7583.18575.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Creating a file
Enabling autorun
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed warp
Link:
https://www.filescan.io/uploads/632fff45a59981e85f89e2a7/reports/2ed3dc42-584b-4d40-b68a-ed76994b2a2c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7fa1a939-4914-4a6b-a3fe-6ea9bfd8b0f6
Result
Threat name:
Xmrig, lolMiner
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1076784
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample uses process hollowing technique
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected lolMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 709326 Sample: SecuriteInfo.com.Trojan.Inj... Startdate: 25/09/2022 Architecture: WINDOWS Score: 100 38 Antivirus detection for URL or domain 2->38 40 Antivirus detection for dropped file 2->40 42 Antivirus / Scanner detection for submitted sample 2->42 44 9 other signatures 2->44 8 SecuriteInfo.com.Trojan.Inject4.43325.7583.18575.exe 1 7 2->8         started        process3 file4 28 C:\Users\user\AppData\Roaming\...28anik.exe, PE32+ 8->28 dropped 30 C:\Users\user\...30anik.exe:Zone.Identifier, ASCII 8->30 dropped 32 SecuriteInfo.com.T....7583.18575.exe.log, ASCII 8->32 dropped 46 Creates an undocumented autostart registry key 8->46 48 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->48 50 Encrypted powershell cmdline option found 8->50 52 4 other signatures 8->52 12 RegAsm.exe 2 8->12         started        15 powershell.exe 28 8->15         started        signatures5 process6 file7 34 C:\Users\user\AppData\Roamingsigverif.exe, PE32+ 12->34 dropped 17 Roamingsigverif.exe 1 12->17         started        20 WerFault.exe 20 16 12->20         started        22 WerFault.exe 2 12->22         started        24 conhost.exe 15->24         started        process8 signatures9 36 Multi AV Scanner detection for dropped file 17->36 26 conhost.exe 17->26         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0418fa6c397e401b1cfdbb5202296c45ea77100ae6f9c7e5868cc3393a854ec/
Threat name:
ByteCode-MSIL.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-20 02:18:10 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
12
AV detection:
24 of 40 (60.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4bay7jwds7sadmop3o2saiuwyrpko4iavzxzy7syndgdhe5iktwa._file
Verdict:
malicious
Similar samples:
02aeff4e07664864d428440cab4be050ddc1504ff997ce0fef7068899139318d
CoinMiner
67dc36b32a718de5d05b8ccf59d8a0415a76c8c42729065145f7f9da83726b7b
CoinMiner
84cd1c4ebba5b7315afd913e74d086f9ad5ed43f2cd5ad4c4535fabfeca7224b
CoinMiner
ac63d55dd8aa224f077cf87617c503811ede4ed385668ed9f173702710efee56
CoinMiner
acbc5e7367f627f945f99b9b6e5b3debe0ab53bd62474f2c8e59564e2883217f
CoinMiner
b4a4d9ba766e3333fc68276c91f49430f2f95c1b555fcf72697e33e80646c6c2
CoinMiner
bf35e7ee59cf81f74be092d43acbb711377f115426db8e9f6f45fa1bbb3086b7
CoinMiner
d5c3c233551f93893a0cd5fdcc2f51bb1fd76c22a92028dbb460071504ef67fb
CoinMiner
fbd2cb021582048f9df1e5ae9a65c92e90bb9b3024763616ffa4043b18876239
CoinMiner
+ 1'033 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/220925-hzc2gafabr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Modifies WinLogon for persistence
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2984ed2a-1ede-4049-acd0-4bb68a041668
Unpacked files
SH256 hash:
e0418fa6c397e401b1cfdbb5202296c45ea77100ae6f9c7e5868cc3393a854ec
MD5 hash:
35309a7f136e2c60ac74e53d0963a1e1
SHA1 hash:
5cd75a85d5a8d9d86403527289bce54982a22dc1
Link:
https://www.unpac.me/results/90fb9ad0-a278-421a-92b4-0f12e3f2efea/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e0418fa6c397/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/e0418fa6c397e401b1cfdbb5202296c45ea77100ae6f9c7e5868cc3393a854ec

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe e0418fa6c397e401b1cfdbb5202296c45ea77100ae6f9c7e5868cc3393a854ec

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/313117/
  
URLhaus
https://urlhaus.abuse.ch/url/2313228/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2313436/

Comments