MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed12366797816cbbe1a54c425680db408accd164ecc3f7488f5d89cae0459a87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed12366797816cbbe1a54c425680db408accd164ecc3f7488f5d89cae0459a87
SHA3-384 hash: 7d52f3c6177aa8622c5c9b436b58cda32885cf46769c0a1760477573ead71d861b651221dba41df802e12df55088e631
SHA1 hash: 712107d0c7a5dc402faf39a400bf5fecc47c4207
MD5 hash: 407ed85162ab2fe1e6c41ddbbea57d79
humanhash: kansas-april-india-cold
File name:407ed85162ab2fe1e6c41ddbbea57d79
Download: download sample
Signature CoinMiner
Create hunting rule
File size:104'960 bytes
First seen:2022-01-04 19:45:11 UTC
Last seen:2022-01-04 21:51:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4d205994ab00cad56970df96ba924f07 (1 x CoinMiner)
ssdeep 1536:eplECtcIJOc5IEehv47Y8Pcnx38uI1QoF9spBj172RFc2QisN8v/zHopr8wns037:UECtDvIEeRSX1Qy9sgRq2QiqK/p2
Threatray 141 similar samples on MalwareBazaar
TLSH T182A312C53B6FB88BC2473736AF0BA70441E1728BD24A5628FD410A7CD2117971726FAB
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
407ed85162ab2fe1e6c41ddbbea57d79
Verdict:
Malicious activity
Analysis date:
2022-01-04 19:49:31 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/aa1809e2-709e-4af1-bc0b-4ae7680848e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217314/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.24747.14012.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending an HTTP GET request
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/61d4a3fc92bdc4b4077ea09a/reports/ed6e75dc-f66a-41fb-8546-61f10932a604/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d4f8b347-8a0f-4471-8f06-dbc79dea3693
Result
Threat name:
BitCoin Miner RedLine SilentXMRMiner Xmr
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/915457
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contain functionality to detect virtual machines
Contains functionality to detect virtual machines (IN, VMware)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Drops PE files to the user root directory
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicius Add Task From User AppData Temp
Sigma detected: Xmrig
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 547935 Sample: fmZ9MDCVlg Startdate: 04/01/2022 Architecture: WINDOWS Score: 100 119 pool.hashvault.pro 2->119 131 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->131 133 Sigma detected: Xmrig 2->133 135 Malicious sample detected (through community Yara rule) 2->135 137 12 other signatures 2->137 13 fmZ9MDCVlg.exe 1 21 2->13         started        18 services64.exe 2->18         started        20 cmd.exe 2->20         started        signatures3 process4 dnsIp5 129 45.156.26.68, 49728, 49737, 80 CLOUDBACKBONERU Russian Federation 13->129 111 C:\Users\user\AppData\Local\Temp\41.exe, PE32 13->111 dropped 113 C:\Users\user\AppData\Local\Temp\35.exe, PE32+ 13->113 dropped 115 C:\Users\user\AppData\Local\Temp\25.exe, PE32+ 13->115 dropped 117 5 other files (3 malicious) 13->117 dropped 197 Detected unpacking (changes PE section rights) 13->197 199 Contains functionality to detect virtual machines (IN, VMware) 13->199 201 Contain functionality to detect virtual machines 13->201 22 25.exe 13->22         started        25 35.exe 13->25         started        27 41.exe 13->27         started        29 15.exe 13->29         started        203 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 18->203 205 Writes to foreign memory regions 18->205 207 Allocates memory in foreign processes 18->207 209 2 other signatures 18->209 31 conhost.exe 18->31         started        33 conhost.exe 20->33         started        35 taskkill.exe 20->35         started        file6 signatures7 process8 signatures9 159 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->159 161 Writes to foreign memory regions 22->161 163 Allocates memory in foreign processes 22->163 37 conhost.exe 22->37         started        165 Tries to evade analysis by execution special instruction which cause usermode exception 25->165 167 Tries to detect virtualization through RDTSC time measurements 25->167 169 Creates a thread in another existing process (thread injection) 25->169 41 conhost.exe 25->41         started        171 Query firmware table information (likely to detect VMs) 27->171 173 Machine Learning detection for dropped file 27->173 175 Injects a PE file into a foreign processes 27->175 43 AppLaunch.exe 15 5 27->43         started        46 WerFault.exe 27->46         started        177 Tries to detect sandboxes / dynamic malware analysis system (registry check) 29->177 48 AppLaunch.exe 2 29->48         started        50 WerFault.exe 29->50         started        52 cmd.exe 31->52         started        process10 dnsIp11 107 C:\Users\user\AppData\...\services64.exe, PE32+ 37->107 dropped 179 Drops PE files to the user root directory 37->179 54 cmd.exe 37->54         started        56 cmd.exe 37->56         started        109 C:\Users\userbehaviorgraphoogleUpdate.exe, PE32+ 41->109 dropped 59 cmd.exe 41->59         started        61 cmd.exe 41->61         started        121 5.206.227.246 DOTSIPT Portugal 43->121 123 192.168.2.1 unknown unknown 43->123 125 api.ip.sb 43->125 181 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 43->181 183 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 43->183 185 Tries to steal Crypto Currency Wallets 43->185 127 95.143.177.66 RHTEC-ASrh-tecIPBackboneDE Russian Federation 48->127 187 Tries to harvest and steal browser information (history, passwords, etc) 48->187 63 conhost.exe 52->63         started        65 taskkill.exe 52->65         started        file12 signatures13 process14 signatures15 67 services64.exe 54->67         started        70 conhost.exe 54->70         started        189 Uses schtasks.exe or at.exe to add and modify task schedules 56->189 72 conhost.exe 56->72         started        74 schtasks.exe 56->74         started        76 GoogleUpdate.exe 59->76         started        78 conhost.exe 59->78         started        80 conhost.exe 61->80         started        82 schtasks.exe 61->82         started        process16 signatures17 139 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 67->139 141 Writes to foreign memory regions 67->141 143 Allocates memory in foreign processes 67->143 84 conhost.exe 67->84         started        145 Tries to evade analysis by execution special instruction which cause usermode exception 76->145 147 Tries to detect virtualization through RDTSC time measurements 76->147 149 Creates a thread in another existing process (thread injection) 76->149 88 conhost.exe 76->88         started        process18 file19 101 C:\Users\user\AppData\...\sihost64.exe, PE32+ 84->101 dropped 103 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 84->103 dropped 151 Injects code into the Windows Explorer (explorer.exe) 84->151 153 Writes to foreign memory regions 84->153 155 Modifies the context of a thread in another process (thread injection) 84->155 157 2 other signatures 84->157 90 sihost64.exe 84->90         started        93 explorer.exe 84->93         started        105 C:\Users\user\AppData\...\sihost32.exe, PE32+ 88->105 dropped 95 sihost32.exe 88->95         started        signatures20 process21 signatures22 191 Writes to foreign memory regions 90->191 193 Allocates memory in foreign processes 90->193 195 Creates a thread in another existing process (thread injection) 90->195 97 conhost.exe 90->97         started        99 conhost.exe 95->99         started        process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed12366797816cbbe1a54c425680db408accd164ecc3f7488f5d89cae0459a87/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-01-04 18:36:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
14bf8d4e3f7154cdc0f6cc99b1ac2f6504cdbcb72d8e5a86d175bdf12eb84e3f
CoinMiner
213fce24e326925749adebaff2d85e23bba2b616c872e2089b23fa231f18756e
CoinMiner
22b1bd5ff8d474bb70ad086e75dbba870aaeb52599d436b84ba35e9e612078b4
CoinMiner
9afaff96a502524fb2284ca961c5aa89533e9cd4c397a672d57331099803ebc6
CoinMiner
a70760071dea52443d726965f9feef8a66848b6c6288e9354f8ca1e0e898f624
CoinMiner
cfe1a9cedf12e5c01c4727d0b12de8ccecf696a64bf895daf2b71e4131f1e1de
CoinMiner
e56e40b828cafc16582377e3086fa8a9f892190d2e6fe5b2686039c65dfb7360
CoinMiner
+ 131 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner persistence spyware suricata trojan
Link:
https://tria.ge/reports/220104-ygys8ahgep/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
xmrig
Unpacked files
SH256 hash:
ed12366797816cbbe1a54c425680db408accd164ecc3f7488f5d89cae0459a87
MD5 hash:
407ed85162ab2fe1e6c41ddbbea57d79
SHA1 hash:
712107d0c7a5dc402faf39a400bf5fecc47c4207
Link:
https://www.unpac.me/results/cd7b6317-96d1-4fd5-9af7-324db338b9eb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ed1236679781/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ed12366797816cbbe1a54c425680db408accd164ecc3f7488f5d89cae0459a87

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe ed12366797816cbbe1a54c425680db408accd164ecc3f7488f5d89cae0459a87

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1949315/
Cape
Cape
https://www.capesandbox.com/analysis/217314/

Comments


Avatar
zbet commented on 2022-01-04 19:45:13 UTC

url : hxxp://data-host-coin-8.com/files/1808_1641267875_1929.exe