MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec628c1f3505f795840ae7108cd9a4b418be9aff9ae412a938e77a50a5011117. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec628c1f3505f795840ae7108cd9a4b418be9aff9ae412a938e77a50a5011117
SHA3-384 hash: ff3ec9ce9edb4b1e873adfd5b228beb62194b0271cd874c1cfd172e40e027e996bb94071ca0ab780e587c4c526214c9d
SHA1 hash: 2884f11fb4867e10f3375912378875be85f6b4b8
MD5 hash: a60b0c719a615286dcb910a29ed416c1
humanhash: freddie-eighteen-apart-grey
File name:a60b0c719a615286dcb910a29ed416c1
Download: download sample
Signature CoinMiner
Create hunting rule
File size:3'266'048 bytes
First seen:2022-01-07 21:31:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 45c3eee06bcd5ef7518bc946e1677c4e (8 x CoinMiner)
ssdeep 49152:LMLRQNhltlCNg3hk/PfL5D7HdJzla9Y572rzM/bjFgnQx4HksNEH9Ys6lYcy4:IlQTlcxPx7nZiYR2cTpvEk8+9kYZ
Threatray 166 similar samples on MalwareBazaar
TLSH T112E53307BE9FBFF8D856D4B3E63961319A4318401DF65CB85318432D64D36338A4AEEA
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ec628c1f3505f795840ae7108cd9a4b418be9aff9ae412a938e77a50a5011117
Verdict:
Malicious activity
Analysis date:
2022-01-07 03:36:58 UTC
Tags:
loader
Link:
https://app.any.run/tasks/319a3916-c366-4198-9afb-de2aa99e7895

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
EnigmaStub
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217764/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.29206.11856.6331.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for the window
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Creating a process from a recently created file
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61d8b1571c0d769df9d6a202/reports/b657d417-2486-4f11-a55b-df311f374047/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a0b4a339-7b09-41ca-b06e-3b28bbbec87d
Result
Threat name:
Phoenix Miner
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/917035
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Phoenix Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549513 Sample: 3opah7TcIl Startdate: 07/01/2022 Architecture: WINDOWS Score: 100 65 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->65 67 Antivirus / Scanner detection for submitted sample 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 4 other signatures 2->71 10 3opah7TcIl.exe 1 2 2->10         started        15 RegHost.exe 1 2->15         started        process3 dnsIp4 61 185.137.234.33, 49742, 8080 SELECTELRU Russian Federation 10->61 57 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 10->57 dropped 77 Detected unpacking (changes PE section rights) 10->77 79 Detected unpacking (overwrites its own PE header) 10->79 81 Injects code into the Windows Explorer (explorer.exe) 10->81 89 5 other signatures 10->89 17 explorer.exe 1 10->17         started        19 bfsvc.exe 1 10->19         started        22 curl.exe 1 10->22         started        25 conhost.exe 10->25         started        83 Antivirus detection for dropped file 15->83 85 Multi AV Scanner detection for dropped file 15->85 87 Machine Learning detection for dropped file 15->87 27 WerFault.exe 20 9 15->27         started        29 conhost.exe 15->29         started        file5 signatures6 process7 dnsIp8 31 RegHost.exe 1 17->31         started        73 Hides threads from debuggers 19->73 34 conhost.exe 19->34         started        59 api.telegram.org 149.154.167.220, 443, 49744 TELEGRAMRU United Kingdom 22->59 36 conhost.exe 22->36         started        signatures9 process10 signatures11 91 Injects code into the Windows Explorer (explorer.exe) 31->91 93 Writes to foreign memory regions 31->93 95 Allocates memory in foreign processes 31->95 97 3 other signatures 31->97 38 bfsvc.exe 1 31->38         started        42 explorer.exe 1 31->42         started        44 conhost.exe 31->44         started        process12 file13 55 \Device\ConDrv, ASCII 38->55 dropped 75 Hides threads from debuggers 38->75 46 conhost.exe 38->46         started        48 RegHost.exe 1 42->48         started        signatures14 process15 signatures16 63 Hides threads from debuggers 48->63 51 WerFault.exe 9 48->51         started        53 conhost.exe 48->53         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec628c1f3505f795840ae7108cd9a4b418be9aff9ae412a938e77a50a5011117/
Threat name:
Win64.Trojan.Enigma
Create hunting rule
Status:
Malicious
First seen:
2022-01-07 19:15:00 UTC
File Type:
PE+ (Exe)
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0122e4f52347d81ff21425e6342c3c64a7b72f0c04adf05b2d5ec1428077b961
CoinMiner
016c36da3c46c38f9bc18970acf60b437503e15139fd1047f4b73cdad4d6342a
CoinMiner
0bb2a624381f00f9b81dea228893195798d1de203c0289637b140bdfeb9fc85a
CoinMiner
3980a26f3644a2e8749461e88bfa44849557613bdd9b27656a5cec2cd5122527
CoinMiner
932fda59abbce6378d0637c359b61b0747c9602e2e87d3105bb49ad745ed382e
CoinMiner
e56e40b828cafc16582377e3086fa8a9f892190d2e6fe5b2686039c65dfb7360
CoinMiner
f95825c13bfccaa3bffe49f65d584cd015ce109b265df7bc75ace85c72ce7435
CoinMiner
+ 156 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/220107-1dmb5acfe9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Downloads MZ/PE file
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
ec628c1f3505f795840ae7108cd9a4b418be9aff9ae412a938e77a50a5011117
MD5 hash:
a60b0c719a615286dcb910a29ed416c1
SHA1 hash:
2884f11fb4867e10f3375912378875be85f6b4b8
Link:
https://www.unpac.me/results/8b3c6904-7a74-4510-a4b7-d401fd68a8e1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.03
Link:
https://yomi.yoroi.company/submissions/ec628c1f3505f795840ae7108cd9a4b418be9aff9ae412a938e77a50a5011117

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe ec628c1f3505f795840ae7108cd9a4b418be9aff9ae412a938e77a50a5011117

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1956218/
Cape
Cape
https://www.capesandbox.com/analysis/217764/

Comments


Avatar
zbet commented on 2022-01-07 21:31:59 UTC

url : hxxp://62.182.159.91/fhRy3Qs.exe