MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6e1567dba427fd20cec7ffd9a830a1f144db637856ae7567d257387b0218f63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner.XMRig

Vendor detections: 7

SHA256 hash: e6e1567dba427fd20cec7ffd9a830a1f144db637856ae7567d257387b0218f63
SHA3-384 hash: 0fd9017db197a6da68ea915befaeb8e0f88465950bfe14ce434c6a98c05074182f94e6997a99a23a368fcb99517e6dd9
SHA1 hash: 2b3241b27596ca6922aa3ac727132b672b28a1a6
MD5 hash: a795da2f7485681d74b132fefd5186e6
humanhash: lima-jupiter-massachusetts-speaker
File name: e6e1567dba427fd20cec7ffd9a830a1f144db637856ae7567d257387b0218f63.bin
Signature: CoinMiner.XMRig
File size: 269'326 bytes
First seen: 2020-11-03 07:53:45 UTC
Last seen: 2020-11-03 10:00:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2477ba8c2dc064f789fcbd8415a238d8 (4 x FickerStealer, 1 x CoinMiner.XMRig)
ssdeep: 6144:EH1Gwh8tYxRqJaXjSJOF9OL2RkWXRGKAM+:cGwoYAa1F9OIGKU
Threatray: 37 similar samples on MalwareBazaar
TLSH: BC442909FD429964C87ABA3129FFE239CA344E1C401B906BEFAF6F44EA3F3505D59146
Reporter: JAMESWT_WT
Tags: CoinMiner.XMRig

Intelligence

File Origin
# of uploads: 2
# of downloads: 123
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending an HTTP GET request
Creating a file
Searching for the window
Searching for many windows
Enabling the 'hidden' option for recently created files
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Sending an HTTP GET request to an infection source
Enabling threat expansion on mass storage devices by creating a special LNK file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Phorpiex
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect the country of the analysis system (by using the IP)
Yara detected Phorpiex
Behaviour
Behavior Graph (ID 308575; sample 9v7gUCpZOr.bin; start date 03/11/2020; architecture WINDOWS; score 100)

Top-level signatures on the sample:
  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Multi AV Scanner detection for domain / URL
  Antivirus detection for URL or domain
  10 other signatures

Process tree, with the network contacts, dropped files and signatures recorded for each process:

9v7gUCpZOr.exe
  Network: worm.ws (217.8.117.10, ports 49704, 49706, 49732; CREXFEXPEX-RUSSIARU, Russian Federation); tldrnet.top; 3 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\Temp\C79F.exe (PE32); C:\Users\user\AppData\Local\...\32[1].exe (PE32)
  Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started: C79F.exe
    C79F.exe
      Network: api.wipmania.com (212.83.168.196, ports 49707, 49726, 49734; OnlineSASFR, France)
      Dropped: C:\154022146219395\svchost.exe (PE32)
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
      Started: svchost.exe
        svchost.exe
          Network: okdoekeoehghaoeu.ws (64.70.19.203, ports 49750, 49752, 49753; CENTURYLINK-LEGACY-SAVVISUS, United States); wduufbaueeubffgu.ws; 19 other IPs or domains
          Dropped: C:\Users\user\AppData\...\3191811120.exe (data); C:\Users\user\AppData\...\2159535352.exe (data)
          Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Changes security center settings (notifications, updates, antivirus, firewall); 2 other signatures
          Started: 3191811120.exe, 2159535352.exe
            3191811120.exe
              Network: api.wipmania.com
              Dropped: C:\215762276424193\svchost.exe (PE32)
              Signatures: Drops PE files with benign system names; Hides that the sample has been downloaded from the Internet (zone.identifier)
              Started: svchost.exe
                svchost.exe
                  Network: trik.ws; seuufhehfueugheu.ws; 2 other IPs or domains
                  Signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; 2 other signatures
                  Started: 2649112039.exe, 1753035786.exe
                    2649112039.exe
                      Network: api.wipmania.com
            2159535352.exe
              Network: worm.ws
              Dropped: C:\Users\user\AppData\Local\Temp\17670.exe (PE32); C:\Users\user\AppData\...\winsysdrv[1].exe (PE32); C:\Users\user\AppData\Local\Temp\30182.exe (PE32)

svchost.exe (two instances started from the sample)
  Network: api.wipmania.com

8 other processes started from the sample
  Network: api.wipmania.com; trikhaus.top (127.0.0.1, unknown)
  Started: MpCmdRun.exe
    MpCmdRun.exe
      Started: conhost.exe
Threat name: Win32.Downloader.SmallAgent
Status: Malicious
First seen: 2020-10-13 05:43:35 UTC
File Type: PE (Exe)
AV detection: 25 of 29 (86.21%)
Threat level: 3/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence trojan
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Windows security modification
Executes dropped EXE
Windows security bypass
Unpacked files
SHA256 hash: e6e1567dba427fd20cec7ffd9a830a1f144db637856ae7567d257387b0218f63
MD5 hash: a795da2f7485681d74b132fefd5186e6
SHA1 hash: 2b3241b27596ca6922aa3ac727132b672b28a1a6
SHA256 hash: 783465949df5fd44fabb6082cbbb33b2051226b5b41fff2f2fc921a2c5d7318a
MD5 hash: c18393a65eb2d1c1f9d873ae5eb126eb
SHA1 hash: 983497b3e9438e79a3427e53bb94fda647dfc182
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments