MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1dcadc94c7659b12eca375e35858bf68ea02a626078dd5e41eb9bede572417c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1dcadc94c7659b12eca375e35858bf68ea02a626078dd5e41eb9bede572417c
SHA3-384 hash: 88a3328055b968dbf6c5c7911a2ca3df38d56329cfd47cc820d87d4f50c42b142efaaedc890e3c9c38f1a571d6502f5d
SHA1 hash: b1bccf4a24d19c2c5626d9de0a2af042e2be66e1
MD5 hash: a0e067202878bd30c6b2a0583982f1fd
humanhash: minnesota-equal-yellow-lamp
File name:a0e067202878bd30c6b2a0583982f1fd
Download: download sample
Signature CoinMiner
Create hunting rule
File size:450'560 bytes
First seen:2022-07-22 14:59:45 UTC
Last seen:2022-07-22 15:33:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c7c63cc596fb58b7c13697106af6e6a0 (1 x CoinMiner.XMRig, 1 x CoinMiner)
ssdeep 12288:N9oobTPfcw8236lPye4sa4D0/EEq+oaq79Tqo5a:LLbzVjqn4snD0/E7+oa2Tq1
Threatray 2'136 similar samples on MalwareBazaar
TLSH T12BA49E1662A904F8E0B7D27CC9934947E67678160361D7EF03A8D6762F236E05E3EF60
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
427
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/293430/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.23212.9650.2465.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Siggen18.23212.5626.11235.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Connecting to a non-recommended domain
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Delayed reading of the file
Searching for synchronization primitives
Connecting to a cryptocurrency mining pool
Creating a service
Launching a service
Loading a system driver
Enabling autorun for a service
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27064/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd.exe greyware hacktool keylogger
Link:
https://www.filescan.io/uploads/62dabbee7b83f958a96c4aa9/reports/c2ce1638-14dd-4e4f-aca4-321fcf5a1fac/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/919a1f7b-d0f0-45dc-88b2-f7b96d7be0d7
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1039318
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Creates files in the system32 config directory
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 671812 Sample: 2dOeahdsto Startdate: 22/07/2022 Architecture: WINDOWS Score: 100 100 Malicious sample detected (through community Yara rule) 2->100 102 Multi AV Scanner detection for dropped file 2->102 104 Multi AV Scanner detection for submitted file 2->104 106 4 other signatures 2->106 11 2dOeahdsto.exe 44 2->11         started        16 System.exe 21 2->16         started        process3 dnsIp4 88 api.telegram.org 149.154.167.220, 443, 49762, 49771 TELEGRAMRU United Kingdom 11->88 90 a0694063.xsph.ru 141.8.192.169, 49764, 80 SPRINTHOSTRU Russian Federation 11->90 98 2 other IPs or domains 11->98 78 C:\ProgramData\UpSys.exe, PE32+ 11->78 dropped 80 C:\ProgramData\Systemd\Database.exe, PE32+ 11->80 dropped 82 C:\ProgramData\MicrosoftNetwork\System.exe, PE32+ 11->82 dropped 86 2 other files (1 malicious) 11->86 dropped 120 May check the online IP address of the machine 11->120 122 Modifies the windows firewall 11->122 124 Adds a directory exclusion to Windows Defender 11->124 18 Database.exe 11->18         started        21 powershell.exe 30 11->21         started        23 Database.exe 11->23         started        31 27 other processes 11->31 92 3.220.57.224, 443, 49770 AMAZON-AESUS United States 16->92 94 192.168.2.1 unknown unknown 16->94 96 api.ipify.org 16->96 84 C:\ProgramData\Systemd\old.exe (copy), PE32+ 16->84 dropped 126 Multi AV Scanner detection for dropped file 16->126 128 Machine Learning detection for dropped file 16->128 25 powershell.exe 16->25         started        27 cmd.exe 16->27         started        29 cmd.exe 16->29         started        33 20 other processes 16->33 file5 signatures6 process7 signatures8 108 Antivirus detection for dropped file 18->108 110 Multi AV Scanner detection for dropped file 18->110 112 Machine Learning detection for dropped file 18->112 114 Uses netsh to modify the Windows network and firewall settings 21->114 35 UpSys.exe 21->35         started        43 2 other processes 21->43 116 Query firmware table information (likely to detect VMs) 23->116 45 3 other processes 25->45 37 taskkill.exe 27->37         started        39 conhost.exe 27->39         started        47 2 other processes 29->47 41 conhost.exe 31->41         started        49 33 other processes 31->49 51 22 other processes 33->51 process9 process10 53 UpSys.exe 35->53         started        55 conhost.exe 37->55         started        57 taskkill.exe 37->57         started        59 taskkill.exe 41->59         started        61 conhost.exe 41->61         started        63 UpSys.exe 45->63         started        process11 65 UpSys.exe 53->65         started        67 conhost.exe 59->67         started        69 taskkill.exe 59->69         started        71 UpSys.exe 63->71         started        process12 73 powershell.exe 65->73         started        signatures13 118 Creates files in the system32 config directory 73->118 76 conhost.exe 73->76         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e1dcadc94c7659b12eca375e35858bf68ea02a626078dd5e41eb9bede572417c/
Threat name:
Win64.Infostealer.Dridex
Create hunting rule
Status:
Malicious
First seen:
2022-07-11 16:12:09 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4hok3skmozm3clwkg5pdlbml62hkaktcmb4n2xsb5on63zlsif6a._file
Verdict:
malicious
Similar samples:
273ad5a2b3f62bd80b72a345fc153d30f3852301ed8d60ad40584086d7ee7735
CoinMiner
4fa28556557b228a0cabb6a51597217e09afdf58a140b1181f0bd8325e6e4d0f
CoinMiner
87300e6563c7ac9d8d758b219d135fb8b84a7788419a0ddd8c3470cc1e739eae
CoinMiner
a3fa04d27872b1fea175ee7ca2665ee3b8384db4b6a93f8015cc47e6dddf757d
CoinMiner
bc12a9f0d046b1c0e2d783f1ad825a0190669e36b00f1070d32bd55566be85ef
CoinMiner
cacc32ab0a1880afd74a040e8211662789cb70b252c25cb2d5971b707455ff5d
CoinMiner
d2205532e27cf8ae9dbc0a62fdf3fca598f5fa8f9cc948bec49df54b0b8a8cd6
CoinMiner
e0ba9bc255356e77c0953b12176294874fedc482796db4c2a3e8e23e1085ae0e
CoinMiner
f18081303b2e06b3bb5c6503a78350a1298dbc650a6bfa9961e3bf6e522d7a83
CoinMiner
feb09cc39b1520d228e9e9274500b8c229016d6fc8018a2bf19aa9d3601492c5
CoinMiner
+ 2'126 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner
Link:
https://tria.ge/reports/220722-sdaz4afhe7/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
XMRig Miner payload
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SH256 hash:
e1dcadc94c7659b12eca375e35858bf68ea02a626078dd5e41eb9bede572417c
MD5 hash:
a0e067202878bd30c6b2a0583982f1fd
SHA1 hash:
b1bccf4a24d19c2c5626d9de0a2af042e2be66e1
Link:
https://www.unpac.me/results/66ec028d-0196-4408-b386-274da3be7fc2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e1dcadc94c7659b12eca375e35858bf68ea02a626078dd5e41eb9bede572417c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe e1dcadc94c7659b12eca375e35858bf68ea02a626078dd5e41eb9bede572417c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/293430/
  
URLhaus
https://urlhaus.abuse.ch/url/2260184/

Comments


Avatar
zbet commented on 2022-07-22 14:59:48 UTC

url : hxxp://a0694063.xsph.ru/DllHost.exe