MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3eabfce33134e5a83fbe9327974b425f79938d952c4b585bc60a8a0f4477064. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3eabfce33134e5a83fbe9327974b425f79938d952c4b585bc60a8a0f4477064
SHA3-384 hash: 750e93c3551ee1cd5c959d9554a1b401fbc59b5f557fadf8a85aa796631bddaa9125355cd9e50ff66a719f33d9649e47
SHA1 hash: 79b7879f3c1319b9d5c4a3208a2b919a3d8535ea
MD5 hash: 22b0c2e5f6cd1849b1539d2d19023093
humanhash: four-enemy-cold-kitten
File name:22b0c2e5f6cd1849b1539d2d19023093
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'096 bytes
First seen:2021-11-21 09:30:33 UTC
Last seen:2021-11-21 13:11:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4bfde1223391e32fec766cd1d41fa3e7 (7 x CoinMiner, 1 x BitRAT, 1 x QuasarRAT)
ssdeep 48:6Lt+Z5Wk7Jbm7YVSiIZqb+kGJ+JUnpZv8B13aLlzUR:fZ5R7xm7QSBZqbxGlkv3aLlYR
Threatray 200 similar samples on MalwareBazaar
TLSH T16181B4ABA6A9DD38C10302713A6202223BB7D3B3119043DBE99C54F5DF12D56A40F30D
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Onetap_v5.exe
Verdict:
Malicious activity
Analysis date:
2021-11-15 03:25:03 UTC
Tags:
trojan rat redline loader stealer
Link:
https://app.any.run/tasks/d9134787-3d61-4028-aee2-304b9c87bbf0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.DownLoader43.65230.5854.27985.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Running batch commands
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Downloading the file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/619a11da94a88037d2fc35a7/reports/cb4d0728-b3ef-4542-8d20-b2c25048e005/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/093ea201-dca4-4a63-91fd-8d47e3e257a5
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/893240
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 525713 Sample: qIe5qLBxNC Startdate: 21/11/2021 Architecture: WINDOWS Score: 100 74 Sigma detected: Powershell download and execute file 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 Yara detected BitCoin Miner 2->78 80 2 other signatures 2->80 14 qIe5qLBxNC.exe 2->14         started        17 ghubsd.exe 2->17         started        process3 signatures4 112 Adds a directory exclusion to Windows Defender 14->112 19 cmd.exe 1 14->19         started        114 Multi AV Scanner detection for dropped file 17->114 116 Writes to foreign memory regions 17->116 118 Allocates memory in foreign processes 17->118 120 Creates a thread in another existing process (thread injection) 17->120 22 conhost.exe 17->22         started        process5 signatures6 82 Suspicious powershell command line found 19->82 84 Tries to download and execute files (via powershell) 19->84 86 Adds a directory exclusion to Windows Defender 19->86 24 powershell.exe 19->24         started        26 powershell.exe 21 19->26         started        29 powershell.exe 15 17 19->29         started        33 2 other processes 19->33 process7 dnsIp8 35 ujksle.exe 24->35         started        102 Powershell drops PE file 26->102 70 f0599695.xsph.ru 141.8.193.236, 49774, 80 SPRINTHOSTRU Russian Federation 29->70 72 192.168.2.1 unknown unknown 29->72 68 C:\Users\user\AppData\Local\Temp\ujksle.exe, PE32+ 29->68 dropped file9 signatures10 process11 signatures12 88 Multi AV Scanner detection for dropped file 35->88 90 Writes to foreign memory regions 35->90 92 Allocates memory in foreign processes 35->92 94 Creates a thread in another existing process (thread injection) 35->94 38 conhost.exe 35->38         started        process13 file14 64 C:\Windows\System32\ghubsd.exe, PE32+ 38->64 dropped 41 cmd.exe 38->41         started        44 cmd.exe 38->44         started        process15 signatures16 98 Drops executables to the windows directory (C:\Windows) and starts them 41->98 46 ghubsd.exe 41->46         started        49 conhost.exe 41->49         started        100 Uses schtasks.exe or at.exe to add and modify task schedules 44->100 51 conhost.exe 44->51         started        53 schtasks.exe 44->53         started        process17 signatures18 122 Writes to foreign memory regions 46->122 124 Allocates memory in foreign processes 46->124 126 Creates a thread in another existing process (thread injection) 46->126 55 conhost.exe 46->55         started        process19 file20 66 C:\Windows\System32\...\sihost32.exe, PE32+ 55->66 dropped 96 Drops executables to the windows directory (C:\Windows) and starts them 55->96 59 sihost32.exe 55->59         started        signatures21 process22 signatures23 104 Multi AV Scanner detection for dropped file 59->104 106 Writes to foreign memory regions 59->106 108 Allocates memory in foreign processes 59->108 110 Creates a thread in another existing process (thread injection) 59->110 62 conhost.exe 59->62         started        process24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3eabfce33134e5a83fbe9327974b425f79938d952c4b585bc60a8a0f4477064/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-11-14 16:04:16 UTC
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4pvl7trtcnhfva735ezhs5fuex3zsogzklcllbn4mcukb5chobsa._file
Verdict:
malicious
Similar samples:
1505d3b595d18d1b255253b080bed85334916ff81174a5685a6f3f3433cbe746
CoinMiner
1bbcacc061668b56fe66177b0f21d4ee17e6ebd91996eb9b84a90e665e0255f4
CoinMiner
3c773cb4ba60d06c2f376d8cb0540a9d4d602cf643f01dd68190011dfa7b9582
CoinMiner
40387bebfe97eea9c90425caf5519019dfc0e7425bb238246ec9f7bb5d621293
CoinMiner
58f64e4083fa288b091dc0d29a050da9cd09e4ee6607aff2e5fa5ffbe2c7a887
CoinMiner
625018f71917dcdba8a075cde21f2d4557f6d2607785d4fbcb2f5bcf23432e04
CoinMiner
9b0de4434ee36e29881a3667164eaf04158c0c1256f74331074117d96693c6d3
CoinMiner
d8ce2e5613b91a46eb15835e6d2aac47a715e2ab55a97163bdf2ed8ac350f7a1
CoinMiner
fd6996eab709c3ed21ef140958d9a9147902336b85b47bc896372a18e469a6fc
CoinMiner
+ 190 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/211121-lg3e7adfhl/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
xmrig
Malware Config
Dropper Extraction:
http://f0599695.xsph.ru/aboba.exe
Unpacked files
SH256 hash:
e3eabfce33134e5a83fbe9327974b425f79938d952c4b585bc60a8a0f4477064
MD5 hash:
22b0c2e5f6cd1849b1539d2d19023093
SHA1 hash:
79b7879f3c1319b9d5c4a3208a2b919a3d8535ea
Link:
https://www.unpac.me/results/d3240853-f819-42af-ab4e-c174bb796523/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e3eabfce33134e5a83fbe9327974b425f79938d952c4b585bc60a8a0f4477064

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe e3eabfce33134e5a83fbe9327974b425f79938d952c4b585bc60a8a0f4477064

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1803024/
Cape
Cape
https://www.capesandbox.com/analysis/207853/

Comments


Avatar
zbet commented on 2021-11-21 09:30:34 UTC

url : hxxp://f0599695.xsph.ru/112.exe