MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0e37df0cc94853d1740756e47de53a24a185e71ec4aab36061950a8e648650f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0e37df0cc94853d1740756e47de53a24a185e71ec4aab36061950a8e648650f
SHA3-384 hash: a9f0f5ae728ffc50dd7523d4472eb9508d0302dfe87ea9b1f5fc033da791d1955984720d72c67bc135660c56267af63f
SHA1 hash: 6cc027feeed8bb940d29f217fd47256d5d319294
MD5 hash: 4d922b11d1ef79b6d15ec66d4884ca32
humanhash: jupiter-ceiling-fish-cat
File name:4d922b11d1ef79b6d15ec66d4884ca32
Download: download sample
Signature CoinMiner
Create hunting rule
File size:9'993'216 bytes
First seen:2023-09-08 14:54:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0fdd3d21d2193b717f076a70dfaa659c (14 x CoinMiner)
ssdeep 98304:0fY/i+Hnr2x88daF4PNlkLvKTntz9FTxgDHpaoN7S9X5dP3oT/Er2584EvoTvrUQ:u1+8Rdu0lk2LthVaEFRyO4EvoPbjOIG
Threatray 1 similar samples on MalwareBazaar
TLSH T168A6C01C0510266BDC3E677B730E4070FAB09FAF766B8CAD64B8D753792A0C1658AD63
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 8edcba96868ed8f0 (1 x CoinMiner, 1 x RaccoonStealer)
Reporter zbetcheckin
Tags:64 CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
311
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4d922b11d1ef79b6d15ec66d4884ca32
Verdict:
Malicious activity
Analysis date:
2023-09-08 14:57:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ea181c34-01b8-4cc0-9b77-6a9947ae2717

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447461/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.11935.2715.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug evasive packed
Link:
https://www.filescan.io/uploads/64fb35c8beb4aca5960fad0f/reports/ba72e20f-33c7-4c71-b378-a58be7c73655/overview
Verdict:
Malicious
Labled as:
Win64/ShellcodeRunner_AGeneric.AH trojan
Link:
https://www.hybrid-analysis.com/sample/e0e37df0cc94853d1740756e47de53a24a185e71ec4aab36061950a8e648650f
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9ccb5ce4-41ac-4184-8951-8ac8f9273114
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1306252
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Found hidden mapped module (file has been removed from disk)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Stop multiple services
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1306252 Sample: rXlmqTT5HN.exe Startdate: 08/09/2023 Architecture: WINDOWS Score: 100 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 Multi AV Scanner detection for dropped file 2->56 58 4 other signatures 2->58 6 updater.exe 4 2->6         started        10 rXlmqTT5HN.exe 3 2->10         started        12 cmd.exe 1 2->12         started        14 7 other processes 2->14 process3 file4 36 C:\Users\user\AppData\...\qxdlqptejkgz.sys, PE32+ 6->36 dropped 38 C:\Users\user\AppData\...\dalngeulogap.tmp, PE32+ 6->38 dropped 60 Antivirus detection for dropped file 6->60 62 Multi AV Scanner detection for dropped file 6->62 64 Writes to foreign memory regions 6->64 68 4 other signatures 6->68 16 dwm.exe 6->16         started        20 conhost.exe 6->20         started        40 C:\Users\user\AppData\Roaming\...\updater.exe, PE32+ 10->40 dropped 66 Adds a directory exclusion to Windows Defender 10->66 22 conhost.exe 12->22         started        24 sc.exe 1 12->24         started        32 4 other processes 12->32 26 conhost.exe 14->26         started        28 conhost.exe 14->28         started        30 conhost.exe 14->30         started        34 5 other processes 14->34 signatures5 process6 dnsIp7 42 ppanel.pornsworld.xyz 172.67.185.119, 443, 49727 CLOUDFLARENETUS United States 16->42 44 104.21.68.25, 443, 49767 CLOUDFLARENETUS United States 16->44 46 4 other IPs or domains 16->46 48 Query firmware table information (likely to detect VMs) 16->48 50 Performs DNS queries to domains with low reputation 16->50 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0e37df0cc94853d1740756e47de53a24a185e71ec4aab36061950a8e648650f/
Threat name:
Win64.Backdoor.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2023-09-08 14:55:08 UTC
File Type:
PE+ (Exe)
Extracted files:
9
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4drx34gmssct2f2aovxepxstujfbqxtr5rfkwnqgdfikrzsimuhq._file
Verdict:
malicious
Similar samples:
3a5854283ec8b747cb9bec546ba88ac630e65f00ecf77e25bb89d791c1c0005b
CoinMiner
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner
Link:
https://tria.ge/reports/230908-sae5mscg39/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Stops running service(s)
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SH256 hash:
e0e37df0cc94853d1740756e47de53a24a185e71ec4aab36061950a8e648650f
MD5 hash:
4d922b11d1ef79b6d15ec66d4884ca32
SHA1 hash:
6cc027feeed8bb940d29f217fd47256d5d319294
Link:
https://www.unpac.me/results/dd5ad806-e57e-4559-9eaf-8dec7828e595/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e0e37df0cc94/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e0e37df0cc94853d1740756e47de53a24a185e71ec4aab36061950a8e648650f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe e0e37df0cc94853d1740756e47de53a24a185e71ec4aab36061950a8e648650f

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/447461/
  
URLhaus
https://urlhaus.abuse.ch/url/2710582/
  
URLhaus
https://urlhaus.abuse.ch/url/2710799/

Comments


Avatar
zbet commented on 2023-09-08 14:54:23 UTC

url : hxxp://81.161.229.120/raw/x/XCheck.exe