MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3f3faa26cb9c068efca175f131ab8d0509264863bdcc88ebfad9d84a4544bdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner.XMRig


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3f3faa26cb9c068efca175f131ab8d0509264863bdcc88ebfad9d84a4544bdb
SHA3-384 hash: 8bc99908a6556a28d0ab666ec79e4ba809a807ed9f1ee3a81eb4c00f84c2621a876f09d147d7b94779bbf497463f13aa
SHA1 hash: 707468564098c081940833080f3ff8f06b3f262b
MD5 hash: ff9e2a9b40cf3ce62b13277726c45164
humanhash: double-aspen-maine-johnny
File name:ff9e2a9b40cf3ce62b13277726c45164
Download: download sample
Signature CoinMiner.XMRig
Create hunting rule
File size:186'368 bytes
First seen:2022-05-20 11:51:59 UTC
Last seen:2022-05-20 12:48:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:iTQfIgIbTJuz17cyL0er0Bzm/GIR6ES0JXtZhVm13j2tSHPWcSaYnV:IQsButH0JM7SYV
Threatray 1'411 similar samples on MalwareBazaar
TLSH T1AF049953EBBAEF70CA24493FC685B3645F2E6EC181F2BD4D300DB6642DBAE01C544696
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 31f098b29298f031 (53 x AgentTesla, 30 x Formbook, 12 x RedLineStealer)
Reporter zbetcheckin
Tags:CoinMiner.XMRig exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
281
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ff9e2a9b40cf3ce62b13277726c45164
Verdict:
No threats detected
Analysis date:
2022-05-20 11:56:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b125b898-5ea8-4dbb-a750-5ff2ee094ea2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/272982/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.60516.25855.18168.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated
Link:
https://www.filescan.io/uploads/6287811f206e08161834c2fa/reports/b6590878-4139-4a73-9c31-76ac09c9c294/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8855b6a4-799c-44c6-92df-9be1650a2c69
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/998526
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3f3faa26cb9c068efca175f131ab8d0509264863bdcc88ebfad9d84a4544bdb/
Threat name:
Win64.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-05-20 08:31:48 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
19
AV detection:
17 of 26 (65.38%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4pz7vitmxhagr36kc5prggvy2bijezeghpomrdv7vwoyjjcujpnq._file
Verdict:
malicious
Similar samples:
12debb5b625d08f6bc4dd6160435cfde52a33c11dccd4b10fa07c225aba9565b
CoinMiner.XMRig
191e0b6b997739d71b92939ca736a43be3e742aa1b8baf025b5f9114f1f3e7ae
CoinMiner.XMRig
203bfe6c0c5879e5951719fa76fdd9de0343e2652b58141660651d84790310ed
CoinMiner.XMRig
64432a60f19aa2b6365f98fd236200b873770c59e66bf3f25d21c4974f565a65
CoinMiner.XMRig
a342e8f2472ac316cab1017fc24f46d8206390f90448b91d62b9225aa3d2e229
CoinMiner.XMRig
b64081fc4a7dc5e73ab017b1f0453c27d5e6040134dd269bc01de45cad3713b7
CoinMiner.XMRig
+ 1'401 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220520-n1qa3sebcj/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
e3f3faa26cb9c068efca175f131ab8d0509264863bdcc88ebfad9d84a4544bdb
MD5 hash:
ff9e2a9b40cf3ce62b13277726c45164
SHA1 hash:
707468564098c081940833080f3ff8f06b3f262b
Link:
https://www.unpac.me/results/787b1aaf-7670-4fb3-bf48-ee4ee8e3bdab/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e3f3faa26cb9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.76
Link:
https://yomi.yoroi.company/submissions/e3f3faa26cb9c068efca175f131ab8d0509264863bdcc88ebfad9d84a4544bdb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner.XMRig

Executable exe e3f3faa26cb9c068efca175f131ab8d0509264863bdcc88ebfad9d84a4544bdb

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2136815/
  
URLhaus
https://urlhaus.abuse.ch/url/2203952/
Cape
Cape
https://www.capesandbox.com/analysis/272982/

Comments


Avatar
zbet commented on 2022-05-20 11:52:06 UTC

url : hxxp://198.251.84.34/checkit2.exe