MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee6fe783dc9d81b093c0448352c3534e0064e22b9bd8ca6426de67ec3d86b9b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 10

SHA256 hash: ee6fe783dc9d81b093c0448352c3534e0064e22b9bd8ca6426de67ec3d86b9b2
SHA3-384 hash: 142beebf7a4e9006d3a13a93d163a69fc3b03115594628ab8f6b00851a253fbb52e69ecf73083cda0bea1a50c88f2042
SHA1 hash: 903bbb65750a168afabc5aaae927a94d82f4cc2e
MD5 hash: a735e35541195d47f7eb2593cdaacdd6
humanhash: muppet-blue-equal-seventeen
File name: a735e35541195d47f7eb2593cdaacdd6
Signature: CoinMiner
File size: 971'497 bytes
First seen: 2024-06-14 10:21:36 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 24576:GMD+bHw+D/uhZMhh9hwhxOpKkfhNiviGpQmsNsFGsDqn1yrhQjW7Kju1Z:GMD+bHwWuhZMhh9hwhxOskJNGixms+s+
TLSH: T131259D4EF59390B6C4B78575028BEBBF4920EA3A80578DCBAE8DDD387827DD0160E751
telfhash: t1e0510156683c12c9d9a26c048cb12fd3548be2393395ea09fb6bcec118ce959f578c0f
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Reporter: zbetcheckin
Tags: 32 CoinMiner elf intel

Intelligence

File Origin
# of uploads: 1
# of downloads: 121
Origin country: FR

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
- Creating a file
- Creating a file in the %temp% directory
- Collects information on the network activity
- Opens a port
- Receives data from a server
- Collects information on the CPU
- Runs as daemon
- Sends data to a server
- Manages services
- Connection attempt
- DNS request
- Launching a process
- Creates or modifies files in /cron to set up autorun
- Creates or modifies files in /init.d to set up autorun

Result
Verdict: No Threat
Threat level: 2.5/10
Confidence: 100%
Tags: gcc lolbin remote

Result
Verdict: MALICIOUS

Result
Threat name:
Detection: malicious
Classification: troj.mine
Score: 100 / 100
Signature:
- Antivirus detection for dropped file
- Contains symbols with names commonly found in malware
- Found strings related to Crypto-Mining
- Machine Learning detection for sample
- Malicious sample detected (through community Yara rule)
- Multi AV Scanner detection for submitted file
- Performs DNS queries to domains with low reputation
- Sample reads /proc/mounts (often used for finding a writable filesystem)
- Sample tries to persist itself using cron
- Tries to load the MSR kernel module used for reading/writing to CPUs model specific register
- Uses known network protocols on non-standard ports
- Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher)
- Yara detected Xmrig cryptocurrency miner
Behaviour:
Behavior Graph (ID 1457196; sample 79XbLimLpY.elf; start date 14/06/2024; architecture LINUX; score 100): the graph rendering is not reproduced here. The graph shows the sample resolving nishabii.xyz (218.244.58.70, ports 58436 and 7895) plus four other IPs or domains, dropping /tmp/0xyabc (ELF), /tmp/0xyabc.txt (ASCII) and /etc/crontab (ASCII), and spawning sh, chmod, service, systemctl, basename, cat, grep, sed and modprobe as child processes.

Threat name: Linux.Trojan.RudeDevil
Status: Malicious
First seen: 2024-06-14 10:22:09 UTC
File Type: ELF32 Little (Exe)
AV detection: 19 of 24 (79.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: linux
Behaviour:
- Unexpected DNS network traffic destination

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: CoinMiner_Strings
Author: Florian Roth (Nextron Systems)
Description: Detects mining pool protocol string in Executable
Reference: https://minergate.com/faq/what-pool-address

Rule name: F01_s1ckrule
Author: s1ckb017

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: Linux_Trojan_Xorddos_a6572d63
Author: Elastic Security

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: NET
Author: malware-lu

Rule name: setsockopt
Author: Tim Brown @timb_machine
Description: Hunts for setsockopt() red flags

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: elf, SHA256 ee6fe783dc9d81b093c0448352c3534e0064e22b9bd8ca6426de67ec3d86b9b2 (this sample)

Delivery method: Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID         Title                                                      Severity
CHECK_PIE  Missing Position-Independent Executable (PIE) Protection   high

Comments

zbet commented on 2024-06-14 10:21:37 UTC

url: hxxp://61.160.213.14:48596/sgfc68