MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e812a611cdb2998e688ca8bb2a9066d58491db98ed1a503ad42cfad5a9f41ad8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e812a611cdb2998e688ca8bb2a9066d58491db98ed1a503ad42cfad5a9f41ad8
SHA3-384 hash: 2351a76946d6346694bc76c98cbbfa09db242ae7f5446a0213d91bfd70e0170f4ca2b32be528e3d4dd1c1d000977839c
SHA1 hash: 6e199a9e7d35ecd6ca085f43c441cfb2028bddf3
MD5 hash: 5342dce42b8256f33b5387ae829c0231
humanhash: charlie-zebra-snake-fix
File name:SecuriteInfo.com.Win32.TrojanX-gen.9663.10822
Download: download sample
Signature CoinMiner
Create hunting rule
File size:895'840 bytes
First seen:2024-05-28 08:24:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:YN6pVBI4cID2VCrRCgueFrns93FK5HEe95lO:ZFcs2MgguQrns65b58
TLSH T1131507947BA48900D69474FAD57A6A0183A22CF51943634F37BAB2321C319DFDE1E2DF
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 090d141563496d3f (19 x RedLineStealer, 2 x RaccoonStealer, 2 x CoinMiner)
Reporter SecuriteInfoCom
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
345
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://195.10.205.162/
Verdict:
No threats detected
Analysis date:
2024-05-27 20:17:17 UTC
Tags:
loader
Link:
https://app.any.run/tasks/a9f6b646-1b3a-4f1a-a5bc-01dc3055d6ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.9663.10822.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=665594fa3d0e5a324e76536bwin7simulatehigh_evasion
Tags:
Encryption Static Malware
Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e812a611cdb2998e688ca8bb2a9066d58491db98ed1a503ad42cfad5a9f41ad8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2fa093f6-c232-4d24-ac53-9a4f73c3d605
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
spyw.evad.troj.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1448442
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allows loading of unsigned dll using appinit_dll
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture screen (.Net source)
Creates an undocumented autostart registry key
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Drops large PE files
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Capture Wi-Fi password
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Xmrig
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1448442 Sample: SecuriteInfo.com.Win32.Troj... Startdate: 28/05/2024 Architecture: WINDOWS Score: 100 61 webarhiv23dasda.hopto.org 2->61 63 pristolmag32dds.hopto.org 2->63 65 7 other IPs or domains 2->65 73 Snort IDS alert for network traffic 2->73 75 Sigma detected: Xmrig 2->75 77 Multi AV Scanner detection for domain / URL 2->77 79 16 other signatures 2->79 8 xdwdDRkernel.exe 2->8         started        13 SecuriteInfo.com.Win32.TrojanX-gen.9663.10822.exe 1 5 2->13         started        15 xdwdDRkernel.exe 2 2 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 69 icanhazip.com 104.16.184.241, 50470, 80 CLOUDFLARENETUS United States 8->69 57 C:\Users\user\WinRing0x64.sys, PE32+ 8->57 dropped 93 Hijacks the control flow in another process 8->93 95 Tries to steal Mail credentials (via file / registry access) 8->95 97 Found many strings related to Crypto-Wallets (likely being stolen) 8->97 115 8 other signatures 8->115 19 svchost.exe 8->19         started        22 svchost.exe 8->22         started        24 cmd.exe 8->24         started        34 6 other processes 8->34 59 C:\Windows\System32\xdwdDRkernel.exe, PE32 13->59 dropped 99 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->99 101 Creates an undocumented autostart registry key 13->101 103 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->103 117 4 other signatures 13->117 26 cmd.exe 1 13->26         started        28 cmd.exe 1 13->28         started        37 2 other processes 13->37 71 fdute32sdajfsda.hopto.org 195.10.205.162, 2683, 2686, 3333 TSSCOM-ASRU Russian Federation 15->71 105 Antivirus detection for dropped file 15->105 107 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 15->107 109 Drops PE files to the user root directory 15->109 30 WerFault.exe 15->30         started        111 Queries memory information (via WMI often done to detect virtual machines) 17->111 32 WerFault.exe 2 17->32         started        file6 113 Detected Stratum mining protocol 71->113 signatures7 process8 dnsIp9 81 Query firmware table information (likely to detect VMs) 19->81 83 Found strings related to Crypto-Mining 19->83 85 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 19->85 39 conhost.exe 24->39         started        41 chcp.com 24->41         started        43 netsh.exe 24->43         started        45 findstr.exe 24->45         started        87 Uses schtasks.exe or at.exe to add and modify task schedules 26->87 89 Uses netsh to modify the Windows network and firewall settings 26->89 91 Tries to harvest and steal WLAN passwords 26->91 47 conhost.exe 26->47         started        49 conhost.exe 28->49         started        51 schtasks.exe 1 28->51         started        67 asia-etc.2miners.com 15.235.212.91, 1010, 50474 HP-INTERNET-ASUS United States 34->67 53 conhost.exe 37->53         started        55 schtasks.exe 1 37->55         started        signatures10 process11
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e812a611cdb2998e688ca8bb2a9066d58491db98ed1a503ad42cfad5a9f41ad8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e812a611cdb2998e688ca8bb2a9066d58491db98ed1a503ad42cfad5a9f41ad8/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2024-05-05 16:11:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ajkmeonwkmy42emvc5svedg2wcjdw4y5unfaowuft5nlkpudlma._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/240528-kbabsace4v/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9ba7c89e-f576-46d5-8f89-f4eb69f3289c
Unpacked files
SH256 hash:
e812a611cdb2998e688ca8bb2a9066d58491db98ed1a503ad42cfad5a9f41ad8
MD5 hash:
5342dce42b8256f33b5387ae829c0231
SHA1 hash:
6e199a9e7d35ecd6ca085f43c441cfb2028bddf3
Link:
https://www.unpac.me/results/e9c09cca-3263-4183-993e-3c6dd71c9400/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e812a611cdb2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e812a611cdb2998e688ca8bb2a9066d58491db98ed1a503ad42cfad5a9f41ad8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe e812a611cdb2998e688ca8bb2a9066d58491db98ed1a503ad42cfad5a9f41ad8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2866317/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments