MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e21288cc3c6a809ac4572f311b1a00b60674658165fa1ef9c46ec5d81ad62e76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 7



SHA256 hash: e21288cc3c6a809ac4572f311b1a00b60674658165fa1ef9c46ec5d81ad62e76
SHA3-384 hash: 7b2b419e4526d0cda16ff2775ae6b99a7e86dc0624b581eb6941bad63da04c33316a43f8762c576e41f51bd76a05f176
SHA1 hash: 8e3f773e72561716cab675d1b253e8bc70c8dd0a
MD5 hash: a6d424967815bfe9673a92be85fb490e
humanhash: wisconsin-edward-video-cat
File name: brave4.exe
Signature: CoinMiner
File size: 518'656 bytes
First seen: 2022-10-24 12:01:19 UTC
Last seen: 2022-10-24 14:18:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 48e414e431433a62713440d22abb8343 (1 x CoinMiner)
ssdeep: 12288:7575ri5etuwTqG2cPsga+xYLTfxNWdKhl+w28toMbQaT6:757c5Y12vyYnxNWd8+w204
Threatray: 61 similar samples on MalwareBazaar
TLSH: T165B4E0466E9719E2C7C0EFB53A00E3316BD38D9B2D1582428AF5FCA7382D7662DC3185
TrID: 50.0% (.EXE) Generic Win/DOS Executable (2002/3); 49.9% (.EXE) DOS Executable Generic (2000/1)
dhash icon: 34f0f0b49cc87270 (1 x CoinMiner)
Reporter: JAMESWT_WT
Tags: CoinMiner drop after exec exe github-com-Crac1Ma1ker

Intelligence

File Origin
# of uploads: 2
# of downloads: 180
Origin country: n/a
Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: test.7z
Verdict: Malicious activity
Analysis date: 2022-10-24 11:50:35 UTC
Tags: trojan rat redline loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample. The object analysed in this task is the archive test.7z, not brave4.exe itself, so the redline family label comes from that archive analysis rather than from a run of this file on its own.
Result
Verdict: Clean
Maliciousness:
Behaviour:
- Searching for the window
- Creating a window
- Using the Windows Management Instrumentation requests

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.expl.evad.mine
Score: 100 / 100
Signatures:
- Antivirus detection for dropped file
- Detected Stratum mining protocol
- Detected unpacking (changes PE section rights)
- Drops VBS files to the startup folder
- Found strings related to Crypto-Mining
- Machine Learning detection for dropped file
- Malicious sample detected (through community Yara rule)
- May check the online IP address of the machine
- Multi AV Scanner detection for dropped file
- Multi AV Scanner detection for submitted file
- Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
- Query firmware table information (likely to detect VMs)
- Sample or dropped binary is a compiled AutoHotkey binary
- Sigma detected: Drops script at startup location
- Sigma detected: Xmrig
- Snort IDS alert for network traffic
- Suspicious powershell command line found
- Yara detected Xmrig cryptocurrency miner
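The "Detected Stratum mining protocol" signature above fired on a connection to xmr.2miners.com on TCP 2222, a port no pool-port list is guaranteed to cover, so a network detection for this family has to look at payload content rather than destination port. The following is an added example, not MalwareBazaar's or any sandbox vendor's code: it parses newline-delimited JSON-RPC and matches the method names used by the XMRig-style (login/submit/keepalived) and Bitcoin-style (mining.*) Stratum dialects. The pool hostname and port are taken from the behaviour graph on this page; every payload is constructed, the wallet string is a placeholder, and the benign flows exist only to show what must not fire.

```python
"""Content-based Stratum mining detection over captured TCP payloads.

Added example (not MalwareBazaar's or any vendor's code). The pool name and
port mirror the sandbox observation on this page; all payloads below are
constructed and the wallet is a placeholder.
"""
import json
from typing import Optional

# JSON-RPC method names used by the two common Stratum dialects: the
# Monero/XMRig "login/submit/keepalived/job" flavour and Bitcoin-style
# "mining.*". A JSON-RPC envelope carrying one of these is the signal; the
# destination port is deliberately not consulted.
STRATUM_METHODS = {
    "login", "submit", "keepalived", "job",
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty", "mining.set_target",
}


def classify_stratum(payload: bytes) -> Optional[dict]:
    """Return details of the first Stratum message in a TCP payload, or None.

    Stratum is newline-delimited JSON, so each line is parsed on its own;
    lines that are not JSON objects (TLS records, HTTP) are skipped.
    """
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue
        try:
            msg = json.loads(line.decode("utf-8", errors="replace"))
        except json.JSONDecodeError:
            continue
        if not isinstance(msg, dict):
            continue
        method = msg.get("method")
        if method not in STRATUM_METHODS:
            continue
        params = msg.get("params")
        hit = {"method": method, "agent": None, "login": None}
        if isinstance(params, dict):                 # XMRig login: agent + wallet
            hit["agent"] = params.get("agent")
            hit["login"] = params.get("login")
        elif isinstance(params, list) and params:    # mining.subscribe: ["agent/version"]
            if isinstance(params[0], str):
                hit["agent"] = params[0]
        return hit
    return None


def scan_flows(flows):
    """Run classify_stratum over (dst_host, dst_port, payload) tuples."""
    findings = []
    for dst_host, dst_port, payload in flows:
        hit = classify_stratum(payload)
        if hit:
            findings.append({"dst": f"{dst_host}:{dst_port}", **hit})
    return findings


# Constructed flows: the first mirrors the sandbox observation (pool on 2222),
# the second is a Bitcoin-style subscribe on a "normal" port, the last two are
# benign traffic that must not fire (TLS ClientHello bytes, unrelated JSON-RPC).
SAMPLE_FLOWS = [
    ("xmr.2miners.com", 2222,
     b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER",'
     b'"pass":"x","agent":"XMRig/6.18.0","algo":["rx/0"]}}\n'),
    ("pool.example", 443,
     b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n'),
    ("api64.ipify.org", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    ("rpc.example", 8545,
     b'{"jsonrpc":"2.0","id":7,"method":"eth_blockNumber","params":[]}\n'),
]

if __name__ == "__main__":
    for finding in scan_flows(SAMPLE_FLOWS):
        print(finding)
```

The detector only sees cleartext Stratum. If a pool connection is TLS-wrapped, the JSON is invisible and what remains is the destination (here xmr.2miners.com / 162.19.139.184:2222), so pair this content check with the indicator list from the behaviour graph.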
Behaviour

Behavior graph ID: 729122 (sample brave4.exe, start date 24/10/2022, architecture WINDOWS, score 100). The graph is reproduced here as a process tree and indicator list.

Process tree
- brave4.exe (initial sample)
  - wscript.exe
    - AntimalwareService.exe (contacts xmr.2miners.com 162.19.139.184:2222 and 192.168.2.1; antivirus and multi-AV detection for dropped file; queries firmware table, likely to detect VMs)
      - conhost.exe
    - GPUMonitor.exe (machine-learning detection for dropped file)
      - conhost.exe
    - DesktopSessionManager.exe
  - powershell.exe
    - cmd.exe (suspicious PowerShell command line)
      - cmd.exe (suspicious PowerShell command line)
        - powershell.exe
          - conhost.exe
      - conhost.exe
    - conhost.exe
- wscript.exe (second instance, started at the root of the graph rather than by brave4.exe)
  - AntimalwareService.exe (contacts xmr.2miners.com; queries firmware table, likely to detect VMs)
    - conhost.exe
  - GPUMonitor.exe
    - conhost.exe
  - DesktopSessionManager.exe

Network indicators
- ip-api.com (resolved at sample level)
- api64.ipify.org 108.171.202.195, TCP 443 (WEBNXUS, United States), from brave4.exe
- discord.com 162.159.128.233, TCP 443 (CLOUDFLARENETUS, United States), from brave4.exe
- gleaming-swan-a8f5db.netlify.app 34.159.58.69, TCP 443 (ATGS-MMD-ASUS, United States), from brave4.exe
- xmr.2miners.com 162.19.139.184, TCP 2222 (CENTURYLINK-US-LEGACY-QWESTUS, United States), from AntimalwareService.exe; Stratum mining protocol detected on this connection
- 192.168.2.1 (unknown), from AntimalwareService.exe

Dropped files (by brave4.exe)
- C:\Users\user\AppData\...\nvrtc64_102_0.dll (PE32+)
- C:\Users\user\...\nvrtc-builtins64_102.dll (PE32+)
- C:\Users\user\AppData\Roaming\...\nvcuda.dll (PE32)
- 6 other files (5 malicious)

Signatures attached to brave4.exe in the graph: detected unpacking (changes PE section rights); queries sensitive video device information via WMI Win32_VideoController (often done to detect virtual machines); suspicious PowerShell command line found; 3 other signatures. Signatures attached at sample level: Snort IDS alert for network traffic; Sigma detected: Xmrig; malicious sample detected (through community Yara rule); 9 other signatures.
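The graph shows the persistence path the signatures describe: a VBS dropped into the startup folder, a root-level wscript.exe that runs it, and that script host spawning AntimalwareService.exe, GPUMonitor.exe and DesktopSessionManager.exe. On an endpoint this is visible as a Sysmon FileCreate (Event ID 11) followed by ProcessCreate (Event ID 1) records. The following is an added example, not MalwareBazaar's or any vendor's code, of detection logic run over constructed Sysmon-style events: only the process names come from the graph above; the script name update.vbs, the child-process directory AppData\Roaming\svc and the benign control events are invented for the example.

```python
"""Endpoint detection for the startup-script persistence chain seen in the
sandbox: script dropped into the Startup folder -> wscript.exe runs it ->
executables launched from a user-writable path. Added example, not
MalwareBazaar's or any vendor's code. Events are constructed Sysmon-style
records; script name and child-process directory are invented.
"""
import ntpath
from typing import Dict, List

STARTUP_FOLDER = "\\start menu\\programs\\startup\\"
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\public\\", "\\programdata\\")


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def detect(events: List[Dict]) -> List[Dict]:
    """Return alerts for startup-script drops, script-host child launches and
    the correlated chain (drop -> script host runs that file -> exe spawned)."""
    alerts = []
    dropped_scripts = {}            # lowercased script path -> dropping image
    for ev in events:
        if ev["EventID"] == 11:     # FileCreate
            target = ev["TargetFilename"]
            if STARTUP_FOLDER in target.lower() and _ext(target) in SCRIPT_EXT:
                dropped_scripts[target.lower()] = ev["Image"]
                alerts.append({"rule": "script_dropped_to_startup",
                               "image": ev["Image"], "file": target})
        elif ev["EventID"] == 1:    # ProcessCreate
            parent = _basename(ev["ParentImage"])
            child_path = ev["Image"].lower()
            if parent in SCRIPT_HOSTS and any(m in child_path for m in USER_WRITABLE):
                alerts.append({"rule": "script_host_spawns_user_writable_exe",
                               "parent_cmd": ev["ParentCommandLine"], "image": ev["Image"]})
                # Correlate: does the script host's command line name a file we
                # earlier saw written to the Startup folder?
                for script, dropper in dropped_scripts.items():
                    if script in ev["ParentCommandLine"].lower():
                        alerts.append({"rule": "startup_script_persistence_chain",
                                       "dropper": dropper, "script": script,
                                       "spawned": ev["Image"]})
    return alerts


# Constructed events. "C:\Users\user" matches the sandbox paths on this page;
# "update.vbs" and "AppData\Roaming\svc" are invented for the example.
USER = "C:\\Users\\user"
STARTUP = USER + "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
WSCRIPT_CMD = 'wscript.exe "' + STARTUP + '\\update.vbs"'
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": USER + "\\Downloads\\brave4.exe",
     "TargetFilename": STARTUP + "\\update.vbs"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\Temp\\cache.dat"},          # benign: not a script, not Startup
    {"EventID": 1, "Image": USER + "\\AppData\\Roaming\\svc\\AntimalwareService.exe",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "ParentCommandLine": WSCRIPT_CMD},
    {"EventID": 1, "Image": USER + "\\AppData\\Roaming\\svc\\GPUMonitor.exe",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "ParentCommandLine": WSCRIPT_CMD},
    {"EventID": 1, "Image": "C:\\Program Files\\Tool\\tool.exe",   # benign: script host, but
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",          # child is not user-writable
     "ParentCommandLine": "wscript.exe C:\\Scripts\\logon.vbs"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The chain rule is the one worth paging on: a script landing in Startup on its own is noisy on developer machines, but the same file later being executed by wscript.exe and spawning binaries out of AppData is the sequence the graph shows.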
Result
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2022-10-24 01:51:00 UTC
File type: PE+ (Exe)
Extracted files: 25
AV detection: 7 of 41 (17.07%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a

Unpacked files
SHA256 hash: e21288cc3c6a809ac4572f311b1a00b60674658165fa1ef9c46ec5d81ad62e76
MD5 hash: a6d424967815bfe9673a92be85fb490e
SHA1 hash: 8e3f773e72561716cab675d1b253e8bc70c8dd0a

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_MPress
Author: ditekSHen
Description: Detects executables built or packed with MPress PE compressor
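The MPRESS hit above and the "Detected unpacking (changes PE section rights)" signature both come down to the PE section table, which is cheap to inspect during triage without running the sample. The following is an added example, not MalwareBazaar's, Malpedia's or the YARA rule author's code: a pure-Python walk of DOS header, PE signature, COFF header and section headers that flags the MPRESS section names and any section mapped writable and executable at once. It assumes MPRESS's convention of naming its two sections .MPRESS1 and .MPRESS2; the binary it runs on is a constructed, minimal PE32+ image built in memory, not the sample on this page.

```python
"""PE section-table triage: MPRESS section names, W+X sections, and sections
whose in-memory size far exceeds their on-disk size (packer stubs).
Added example, not MalwareBazaar's or the YARA rule author's code. The test
image is constructed in memory and is not loadable.
"""
import struct
from typing import List, NamedTuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MPRESS_SECTIONS = {".MPRESS1", ".MPRESS2"}   # assumption: MPRESS's section naming


class Section(NamedTuple):
    name: str
    virtual_size: int
    raw_size: int
    characteristics: int

    @property
    def writable_executable(self) -> bool:
        return bool(self.characteristics & IMAGE_SCN_MEM_EXECUTE
                    and self.characteristics & IMAGE_SCN_MEM_WRITE)


def parse_sections(data: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                              # COFF header is 20 bytes
    sections = []
    for i in range(num_sections):
        (name, vsize, _va, rsize, _praw, _prel, _plin,
         _nrel, _nlin, chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, rsize, chars))
    return sections


def triage(data: bytes) -> dict:
    secs = parse_sections(data)
    names = {s.name for s in secs}
    return {
        "sections": [s.name for s in secs],
        "mpress": MPRESS_SECTIONS <= names,
        "rwx_sections": [s.name for s in secs if s.writable_executable],
        # A packer stub usually has a section whose virtual size dwarfs its raw
        # size: the decompressed payload is written there at run time.
        "inflated_sections": [s.name for s in secs if s.virtual_size > 4 * s.raw_size],
    }


def build_test_pe(sections) -> bytes:
    """Constructed minimal PE32+ image: 64-byte DOS header with e_lfanew=64,
    PE signature, COFF header, zeroed 240-byte optional header, section table."""
    opt_size = 240
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)   # PE32+ magic
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0, rsize, 0, 0, 0, 0, 0, chars)
        for name, vsize, rsize, chars in sections)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed images: one laid out like an MPRESS-packed file, one like a
# plain compiler output. Characteristics: 0xE0000020 = CODE|EXEC|READ|WRITE,
# 0x60000020 = CODE|EXEC|READ, 0xC0000040 = INITIALIZED_DATA|READ|WRITE.
PACKED_SAMPLE = build_test_pe([
    (".MPRESS1", 0x90000, 0x20000, 0xE0000020),   # W+X, inflates >4x in memory
    (".MPRESS2", 0x1000, 0x1000, 0x60000020),     # unpacking stub
])
PLAIN_SAMPLE = build_test_pe([
    (".text", 0x5000, 0x5000, 0x60000020),
    (".data", 0x1000, 0x800, 0xC0000040),
])

if __name__ == "__main__":
    print(triage(PACKED_SAMPLE))
    print(triage(PLAIN_SAMPLE))
```

Run it on a real file with triage(open(path, "rb").read()). The W+X and inflated-section checks are generic packer tells and will also fire on legitimate self-extracting or protected binaries, so treat them as triage hints that justify a sandbox run, not as a verdict.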

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download

Web download: CoinMiner, Executable exe e21288cc3c6a809ac4572f311b1a00b60674658165fa1ef9c46ec5d81ad62e76 (this sample)
