MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7587776adecf859e137e7af3da4b9b6fd9428e6f89cc48d3a63886d490baaca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7587776adecf859e137e7af3da4b9b6fd9428e6f89cc48d3a63886d490baaca
SHA3-384 hash: f8d66e1eed60e77cf29e279d8ad4fc3a83d698ab970423adb3409d74d0b27d55d2b428f5e2696e610d9df357bd9099dd
SHA1 hash: bb9353d602a82ff174afe7574f4afd6009e2a8b0
MD5 hash: feb8add569247306cb0271c907607238
humanhash: hot-arizona-mike-north
File name:feb8add569247306cb0271c907607238
Download: download sample
Signature CoinMiner
Create hunting rule
File size:356'864 bytes
First seen:2022-01-14 12:43:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep 6144:P5aWbksiNTBQlCuchwPuVbIn97yYUdL6TVrp/LbU7LY6TzeWJwN:P5atNTqlCl84wJyYUpUrLbU9SWJwN
Threatray 16 similar samples on MalwareBazaar
TLSH T15E740241B3E162F3D6F244320295B43FE73452388B14A9D7CB8C2D92A552ED6A77D3E8
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
329
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
feb8add569247306cb0271c907607238
Verdict:
Malicious activity
Analysis date:
2022-01-14 12:46:00 UTC
Tags:
evasion trojan loader rat redline
Link:
https://app.any.run/tasks/6b4cd4ff-9d2d-4d01-abe9-e4080d59c173

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219311/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.41903412.23037.4057.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Creating a window
Сreating synchronization primitives
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Searching for analyzing tools
Searching for the window
Forced system process termination
Moving a file to the %AppData% subdirectory
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4187/overview
Behaviour
MalwareBazaar
CPUID_Instruction
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/61e17019e997359713ec477a/reports/16e16615-6e96-4b1d-b21c-8a5afdaf8960/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Taily
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/48e991fd-e8e9-4ce7-8099-1f6b70e04e0f
Result
Threat name:
RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/920740
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Command shell drops VBS files
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Found malware configuration
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Potential malicious VBS script found (suspicious strings)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Crypto Mining Indicators
Sigma detected: WScript or CScript Dropper
Sigma detected: Xmrig
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses BatToExe to download additional code
Writes to foreign memory regions
Yara detected BatToExe compiled binary
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 553214 Sample: 8vprKeDXuJ Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 76 pool.supportxmr.com 2->76 78 pool-fr.supportxmr.com 2->78 92 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->92 94 Sigma detected: Xmrig 2->94 96 Found malware configuration 2->96 98 15 other signatures 2->98 9 8vprKeDXuJ.exe 10 2->9         started        13 setup_m.exe 2->13         started        15 setup_m.exe 2->15         started        17 10 other processes 2->17 signatures3 process4 dnsIp5 70 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32 9->70 dropped 72 C:\Users\user\AppData\Local\Temp\...\10D8.bat, ASCII 9->72 dropped 138 Potential malicious VBS script found (suspicious strings) 9->138 20 cmd.exe 3 6 9->20         started        24 conhost.exe 9->24         started        140 Detected unpacking (changes PE section rights) 13->140 142 Tries to detect sandboxes and other dynamic analysis tools (window names) 13->142 144 Tries to evade analysis by execution special instruction which cause usermode exception 13->144 146 Hides threads from debuggers 15->146 26 Driver.exe 15->26         started        28 Driver.exe 15->28         started        74 127.0.0.1 unknown unknown 17->74 148 Changes security center settings (notifications, updates, antivirus, firewall) 17->148 31 MpCmdRun.exe 17->31         started        33 WerFault.exe 17->33         started        file6 signatures7 process8 dnsIp9 58 C:\Users\user\AppData\Local\Temp\...\360t.vbs, ASCII 20->58 dropped 118 Potential malicious VBS script found (suspicious strings) 20->118 120 Command shell drops VBS files 20->120 122 Uses BatToExe to download additional code 20->122 35 setup_c.exe 20->35         started        38 setup_m.exe 1 3 20->38         started        41 wscript.exe 20->41         started        52 4 other processes 20->52 124 Multi AV Scanner detection for dropped file 26->124 126 Detected unpacking (changes PE section rights) 26->126 44 conhost.exe 26->44         started        46 WerFault.exe 26->46         started        86 94.23.23.52, 3333, 49777 OVHFR France 28->86 88 pool.supportxmr.com 28->88 90 pool-fr.supportxmr.com 28->90 48 conhost.exe 28->48         started        50 conhost.exe 31->50         started        file10 128 Detected Stratum mining protocol 86->128 signatures11 process12 dnsIp13 100 Multi AV Scanner detection for dropped file 35->100 102 Machine Learning detection for dropped file 35->102 104 Contains functionality to inject code into remote processes 35->104 116 4 other signatures 35->116 54 RegSvcs.exe 5 35->54         started        60 C:\Users\user\AppData\...\setup_m.exe (copy), MS-DOS 38->60 dropped 62 C:\Users\user\AppData\Roaming\...\Driver.exe, MS-DOS 38->62 dropped 64 C:\Users\user\AppData\Roaming\...\Driver.url, MS 38->64 dropped 106 Detected unpacking (changes PE section rights) 38->106 108 Tries to evade analysis by execution special instruction which cause usermode exception 38->108 110 Hides threads from debuggers 38->110 82 iplogger.org 148.251.234.83, 443, 49756 HETZNER-ASDE Germany 41->82 112 System process connects to network (likely due to code injection or exploit) 41->112 114 May check the online IP address of the machine 41->114 84 81.163.30.181, 49755, 49757, 80 IR-RASANAPISHTAZIR Russian Federation 52->84 66 C:\Users\user\AppData\Local\...\setup_c.exe, PE32 52->66 dropped 68 C:\Users\user\AppData\Local\...\setup_m.exe, MS-DOS 52->68 dropped file14 signatures15 process16 dnsIp17 80 65.108.77.212, 40094, 49767 ALABANZA-BALTUS United States 54->80 130 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 54->130 132 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 54->132 134 Tries to harvest and steal browser information (history, passwords, etc) 54->134 136 Tries to steal Crypto Currency Wallets 54->136 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7587776adecf859e137e7af3da4b9b6fd9428e6f89cc48d3a63886d490baaca/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-01-14 12:44:14 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=45mho5vn5t4ftyjx46xt3jfzw36zikhg7comjdj2moeg2silvlfa._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
27e2593d29c04065445c5462b5af5f77d555dc00318afa0cf7c68e70bbaca739
CoinMiner
3993aa1a1cf9ba37316db59a6ef67b15ef0f49fcd79cf2420989b9e4a19ffc2a
CoinMiner
39c531db99d46a4b3906a41e6e1afdb2523106c795b11eecaf75bc3a1fbff57b
CoinMiner
4da864854d368ab640245f8174d247e0b9947045712d2d7449e25e7074b8587c
CoinMiner
83ae57bdc0f817111ab909f54ec0f33b84f6504596d2a55adf39a16c5cf1afc0
CoinMiner
914644da1b2f5c041a3199411b353f3c8e5b7e965399ac015bbc6c5286da7a7e
CoinMiner
9b6c23ee51101f9e2542bb697e7b218e0a57d51ac6b577998cba351581aa7491
CoinMiner
9e1565a4e0af404cf7eb096a60ddb70b5d5adf849312ea6f76c6374841759166
CoinMiner
e58ea2af775f4ae34d100e668d39e11e439579bfe1cd5e0031ebaf65d59c1aa1
CoinMiner
+ 6 additional samples on MalwareBazaar
Result
Malware family:
loaderbot
Create hunting rule
Score:
  10/10
Tags:
family:loaderbot loader miner persistence upx
Link:
https://tria.ge/reports/220114-pyhnwsgbh5/
Behaviour
Modifies registry class
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
LoaderBot executable
LoaderBot
Unpacked files
SH256 hash:
533c9262e521499d9f0486b0867a56ae44ef807acfe708de1dc13f1946f4eb47
MD5 hash:
206402dbaf7d10b6ac976b3490fda226
SHA1 hash:
9cab7e14d05ada34a476008d7b08aa9c0889d063
Link:
https://www.unpac.me/results/d3c31713-886d-4acf-ac98-6f162f021f8a/
SH256 hash:
e7587776adecf859e137e7af3da4b9b6fd9428e6f89cc48d3a63886d490baaca
MD5 hash:
feb8add569247306cb0271c907607238
SHA1 hash:
bb9353d602a82ff174afe7574f4afd6009e2a8b0
Link:
https://www.unpac.me/results/d3c31713-886d-4acf-ac98-6f162f021f8a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7587776adecf859e137e7af3da4b9b6fd9428e6f89cc48d3a63886d490baaca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:MALWARE_Win_CoinMiner04
Create hunting rule
Author:ditekSHen
Description:Detects coinmining malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe e7587776adecf859e137e7af3da4b9b6fd9428e6f89cc48d3a63886d490baaca

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1976535/
Cape
Cape
https://www.capesandbox.com/analysis/219311/

Comments


Avatar
zbet commented on 2022-01-14 12:43:39 UTC

url : hxxp://81.163.30.181/6236.exe