MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0b361a5a568b0620b57e5af25e0627597c0633c285080a490e221c896ae5372. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0b361a5a568b0620b57e5af25e0627597c0633c285080a490e221c896ae5372
SHA3-384 hash: db74356e871435b9bcd002c108380f9cd1f4ba6a550035f4d00cd0c191f2a1a2269b66729cec39b09d60ae64e5de0db6
SHA1 hash: e5e99de12e7113ca2b0cc5b7472920b1d457cdd3
MD5 hash: 2b8424d44a9d22b08b68af4e0f5ea9e6
humanhash: mexico-shade-glucose-mango
File name:2b8424d44a9d22b08b68af4e0f5ea9e6
Download: download sample
Signature CoinMiner
Create hunting rule
File size:623'104 bytes
First seen:2023-04-05 06:58:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:Nmdtg3kmf86lu1lsR9SBkrXeDGoHRMCoUhc9y95MxpwB6gbx:NctHmv79SwODGYRVoKgPwkc
Threatray 399 similar samples on MalwareBazaar
TLSH T103D43330C29B5372C57366BA4BB0BF553635E97038C95E0D7C8DE1A9ABB1BB158C70A0
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
616
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2b8424d44a9d22b08b68af4e0f5ea9e6
Verdict:
Malicious activity
Analysis date:
2023-04-05 07:00:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7902c51c-985e-421c-97df-7f8f2c012513

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380197/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.26395.3604.2955.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/642d1c3735c10d8aaf28a5ae/reports/246f1935-1e0d-4989-a682-104700877683/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e0b361a5a568b0620b57e5af25e0627597c0633c285080a490e221c896ae5372
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/afa5fb60-4523-4f50-b598-c4bf4ba8f427
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1208622
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Detected Stratum mining protocol
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Xmrig
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 841538 Sample: HEniYX3JjX.exe Startdate: 05/04/2023 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Sigma detected: Xmrig 2->47 49 Multi AV Scanner detection for domain / URL 2->49 51 11 other signatures 2->51 8 HEniYX3JjX.exe 1 3 2->8         started        process3 dnsIp4 37 185.225.74.185, 1334, 49696, 49697 MAYAKBG Germany 8->37 39 192.168.2.1 unknown unknown 8->39 63 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->63 65 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->65 67 Encrypted powershell cmdline option found 8->67 12 powershell.exe 14 17 8->12         started        signatures5 69 Detected Stratum mining protocol 37->69 process6 dnsIp7 41 filebin.net 185.47.40.36, 443, 49699 REDPILL-LINPRORedpillLinproNO Norway 12->41 43 situla.bitbit.net 87.238.33.8, 443, 49700 REDPILL-LINPRORedpillLinproNO Norway 12->43 27 C:\Users\user\AppData\Local\Temp\jpiumr.exe, PE32+ 12->27 dropped 71 Powershell drops PE file 12->71 17 jpiumr.exe 17 2 12->17         started        21 conhost.exe 12->21         started        file8 signatures9 process10 dnsIp11 29 transfer.sh 144.76.136.153, 443, 49743, 49786 HETZNER-ASDE Germany 17->29 53 Antivirus detection for dropped file 17->53 55 Multi AV Scanner detection for dropped file 17->55 57 Machine Learning detection for dropped file 17->57 59 5 other signatures 17->59 23 AddInProcess.exe 17->23         started        signatures12 process13 dnsIp14 31 rx-eu-lon.unminable.com 138.68.130.209, 3333, 49817 DIGITALOCEAN-ASNUS United States 23->31 33 rx.unmineable.com 23->33 35 2 other IPs or domains 23->35 61 Query firmware table information (likely to detect VMs) 23->61 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0b361a5a568b0620b57e5af25e0627597c0633c285080a490e221c896ae5372/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-04-05 01:05:04 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4czwdjnfncygec2x4wxslydcowl4ayz4fbiibjeq4iq4rfvoknza._file
Verdict:
malicious
Similar samples:
0e26bbb3236e15e0ba06e697c49c89d2b23f203d59e593b284221d1f431f73af
CoinMiner
2cc5eb71267dc9635107b324b5213b3e86082b369712355426046eeffcf2ee15
CoinMiner
36cea9a517889dd607921a87d2bd9ed04b2de4c465f17d52bd1e399aa979da83
CoinMiner
65a73b946adeca7edc624d85c9af02b3d607e1e65df2580a32fb143b9c40fc7f
CoinMiner
65bea8ecbc22a05fe6cdd7108d9859e22de0a6796c7597ff299e4baf0dde04ad
CoinMiner
6a019592f49db789478da1f5a63e673824a8bffacff9f99c5528072fb3b95ba1
CoinMiner
9ff71b633c947942d5b2b4ffdc0e771c9e167ae1cf07dc126ceaccdf4891ae9c
CoinMiner
a7496f64d8f6fedf5d7684e9b073afc39f7f0254ca3a35de6383445a9235329e
CoinMiner
f1b80af506aaf5f0f42514a80a0e5a9828b59a567337554983532308ab3a996f
CoinMiner
+ 389 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230405-hr3bdscc55/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Unpacked files
SH256 hash:
e0b361a5a568b0620b57e5af25e0627597c0633c285080a490e221c896ae5372
MD5 hash:
2b8424d44a9d22b08b68af4e0f5ea9e6
SHA1 hash:
e5e99de12e7113ca2b0cc5b7472920b1d457cdd3
Link:
https://www.unpac.me/results/33c852ff-4758-43eb-bdf7-fff149f06289/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e0b361a5a568b0620b57e5af25e0627597c0633c285080a490e221c896ae5372

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe e0b361a5a568b0620b57e5af25e0627597c0633c285080a490e221c896ae5372

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2598040/
Cape
Cape
https://www.capesandbox.com/analysis/380197/

Comments


Avatar
zbet commented on 2023-04-05 06:58:21 UTC

url : hxxps://filebin.net/al5dqiowja8bpmov/explorer.exe