MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8fc2e453e79ceaede7921e39b7032e95253fd6ed838bfa59296db7fff8b8cf0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments 1

SHA256 hash:	e8fc2e453e79ceaede7921e39b7032e95253fd6ed838bfa59296db7fff8b8cf0
SHA3-384 hash:	3d9519fde0e947da51c7317d07d6928829b00bdd29cbbc3839137c618fd5cd35c55d2350d7f7018089232d5be76fcbc4
SHA1 hash:	b7923f384a29c76ef6c9da75f1e06d596fd25c5b
MD5 hash:	ee5f333fec231a3858e25a6db292c579
humanhash:	hamper-golf-item-oscar
File name:	ee5f333fec231a3858e25a6db292c579
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	643'584 bytes
First seen:	2023-12-02 05:14:48 UTC
Last seen:	2023-12-02 07:16:49 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:3zLBNuq/F774abML8fehTZXIOGznZ4FAxv/mY/0nCuz8o:3zLn3t7nbYyAC5znZKAxWYcnCuz
Threatray	353 similar samples on MalwareBazaar
TLSH	T161D423DE03901CADE535057886E4171E05B322EF2AAA13772589238BDFCB7859CFBD16
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	zbetcheckin
Tags:	64 CoinMiner exe

Intelligence

File Origin

# of uploads :

# of downloads :

344

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ee5f333fec231a3858e25a6db292c579

Verdict:

Malicious activity

Analysis date:

2023-12-02 05:16:18 UTC

Tags:

zgrat pureloader loader

Link:

https://app.any.run/tasks/9691a338-a168-4bd7-ba62-a5ff9bc3929d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

zgRAT

Link:

https://www.capesandbox.com/analysis/461844/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2147.5351.16530.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Using the Windows Management Instrumentation requests

Creating a window

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %temp% directory

Сreating synchronization primitives

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Creating a file

Creating a process from a recently created file

Unauthorized injection to a recently created process

Enabling autorun by creating a file

Unauthorized injection to a system process

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/e8fc2e453e79ceaede7921e39b7032e95253fd6ed838bfa59296db7fff8b8cf0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/28e54516-1650-43b2-87d8-2207493e43da

Result

Threat name:

Xmrig, zgRAT

Detection:

malicious

Classification:

troj.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1351909

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Bypasses PowerShell execution policy

Connects to many ports of the same IP (likely port scanning)

Detected Stratum mining protocol

Encrypted powershell cmdline option found

Found strings related to Crypto-Mining

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Potential dropper URLs found in powershell memory

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sigma detected: Xmrig

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Costura Assembly Loader

Yara detected PersistenceViaHiddenTask

Yara detected Xmrig cryptocurrency miner

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e8fc2e453e79ceaede7921e39b7032e95253fd6ed838bfa59296db7fff8b8cf0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e8fc2e453e79ceaede7921e39b7032e95253fd6ed838bfa59296db7fff8b8cf0/

Threat name:

ByteCode-MSIL.Trojan.Bsymem

Status:

Malicious

First seen:

2023-11-28 05:13:52 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

22 of 37 (59.46%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5d6c4rj6phhk5xtzehrzw4bs5fjfh7lo3a4l7jmss3nx774lrtya._file

Verdict:

malicious

CoinMiner

5a1cb4b73917ff451c7c30ac38de585d93649faafe963fe60f601d618e2db505

CoinMiner

81b156ce5e3c46a2c484bb746dbb3e99265e26f94c64df933f4f27c6548ebe62

CoinMiner

ba4d461d394b8345604518df33c0d7b09c2278c9fdf2dd747c28047d0c35cfe8

CoinMiner

e844192fb4c52758db729e18e8898fe0921bdbe1e2d3ac3da6a6b5d2cedecb71

CoinMiner

f7aaa33843aaca2505b51dc4527be10bb9c3635394e5cfae9ad0910602cfbdc2

CoinMiner

+ 343 additional samples on MalwareBazaar

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:zgrat rat

Link:

https://tria.ge/reports/231202-fxkbnaaa5s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Drops file in System32 directory

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

Downloads MZ/PE file

Detect ZGRat V1

ZGRat

Unpacked files

SH256 hash:

e8fc2e453e79ceaede7921e39b7032e95253fd6ed838bfa59296db7fff8b8cf0

MD5 hash:

ee5f333fec231a3858e25a6db292c579

SHA1 hash:

b7923f384a29c76ef6c9da75f1e06d596fd25c5b

Link:

https://www.unpac.me/results/e1358427-8074-4753-b488-330185c3dfa1/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e8fc2e453e79/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e8fc2e453e79ceaede7921e39b7032e95253fd6ed838bfa59296db7fff8b8cf0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

exe e8fc2e453e79ceaede7921e39b7032e95253fd6ed838bfa59296db7fff8b8cf0

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/461844/

URLhaus

https://urlhaus.abuse.ch/url/2736625/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-12-02 05:14:49 UTC

url : hxxp://163.123.142.171:8080/file/1701008833-Ywnbevy.exe