MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4d1b970bc9e5d319c5432be9e3863b5a20bf26e557c8cea6f3949df0012cf01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner.XMRig


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4d1b970bc9e5d319c5432be9e3863b5a20bf26e557c8cea6f3949df0012cf01
SHA3-384 hash: ff6aca35b4883728268188a8c15d2baea3b1a31c50d55523aa65fa47a033ff406be7381833ef3681cfc610becff5c9fd
SHA1 hash: 7d5fb6b88051115b59f47dadb49ea8114cdf5c4b
MD5 hash: a295cf96ebabdfa1d30424e72ed6d4df
humanhash: ohio-don-lion-burger
File name:em_Kia5weA1_installer_Win7-Win11_x86_x64.msi
Download: download sample
Signature CoinMiner.XMRig
Create hunting rule
File size:98'426'880 bytes
First seen:2024-06-22 15:43:23 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1572864:ofSCYWHh+jXJ16YaOPnGJ52t8/MdYs3iR7cGY+v5mK//pHKH3LgjmWDCZT3V5cR+:kSC/B+7L68nGJ5GLdn3Mh/pHeUj7DCpt
TLSH T1E228330575768AF7E27A15360CBB962683797D370DA0486BAFF43B1D2C72AC3253B109
TrID 77.3% (.MSI) Microsoft Windows Installer (454500/1/170)
10.3% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.5% (.MSP) Windows Installer Patch (44509/10/5)
3.3% (.WPS) Kingsoft WPS Office document (alt.) (19502/3/2)
1.3% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter JaffaCakes118
Tags:CoinMiner.XMRig msi RedLineStealer signed

Code Signing Certificate

Organisation:Comodo Security Solutions, Inc.
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2023-03-17T00:00:00Z
Valid to:2024-03-16T23:59:59Z
Serial number: c78d5f14d5479077f1a8ec4141a82136
Thumbprint Algorithm:SHA256
Thumbprint: 7951ade6e1e02255d402c3fea16337beb5c8300277ec81f9eaeebd70c7a43816
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
GB GB
Vendor Threat Intelligence
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6676f14a0591661c2a1fb3ebwin10vpnfull_triage
Tags:
Generic Network Other Stealth
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/f4d1b970bc9e5d319c5432be9e3863b5a20bf26e557c8cea6f3949df0012cf01
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/f4d1b970bc9e5d319c5432be9e3863b5a20bf26e557c8cea6f3949df0012cf01
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1461119
Signature
AI detected suspicious sample
Contains functionality to register a low level keyboard hook
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1461119 Sample: em_Kia5weA1_installer_Win7-... Startdate: 22/06/2024 Architecture: WINDOWS Score: 64 60 xmpp.itsm-us1.comodo.com 2->60 62 mdmsupport.cmdm.comodo.com 2->62 64 2 other IPs or domains 2->64 74 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 2->74 76 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 2->76 78 Contains functionality to register a low level keyboard hook 2->78 80 2 other signatures 2->80 11 msiexec.exe 114 133 2->11         started        14 ITSMService.exe 9 312 2->14         started        18 msiexec.exe 5 2->18         started        20 3 other processes 2->20 signatures3 process4 dnsIp5 52 C:\Program Files (x86)\...\python_x86_Lib.exe, PE32 11->52 dropped 54 C:\Program Files (x86)\...\ITSMService.exe, PE32 11->54 dropped 56 C:\Program Files (x86)\...\ITSMAgent.exe, PE32 11->56 dropped 58 64 other files (none is malicious) 11->58 dropped 22 msiexec.exe 1 5 11->22         started        24 msiexec.exe 11->24         started        68 174.129.244.210, 443, 50221, 50222 AMAZON-AESUS United States 14->68 70 itstrq.itsm-us1.comodo.com 3.228.58.151, 443, 49743, 49746 AMAZON-AESUS United States 14->70 72 2 other IPs or domains 14->72 82 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->82 26 ITSMAgent.exe 14->26         started        29 ITSMAgent.exe 14->29         started        31 ITSMAgent.exe 14->31         started        file6 signatures7 process8 dnsIp9 33 cmd.exe 1 22->33         started        66 127.0.0.1 unknown unknown 26->66 process10 process11 35 python_x86_Lib.exe 1004 33->35         started        38 conhost.exe 33->38         started        file12 44 C:\Program Files (x86)\ITarian\...\zipfile.py, Python 35->44 dropped 46 C:\Program Files (x86)\...\xmlrpclib.py, Python 35->46 dropped 48 C:\Program Files (x86)\ITarian\...\xmllib.py, Python 35->48 dropped 50 427 other files (none is malicious) 35->50 dropped 40 cmd.exe 1 35->40         started        process13 process14 42 conhost.exe 40->42         started       
Score:
0%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/f4d1b970bc9e5d319c5432be9e3863b5a20bf26e557c8cea6f3949df0012cf01
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ti3s4f4tzotdhcugk7j4oddwwrax4tokv6iz2tphfe56aasz4aq._file
Verdict:
unknown
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@dolphinloader_bot discovery infostealer persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/240622-s6gncasglf/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Enumerates processes with tasklist
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Blocklisted process makes network request
Checks for any installed AV software in registry
Enumerates connected drives
Reads user/profile data of web browsers
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
157.90.5.250:18637
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner.XMRig

Microsoft Software Installer (MSI) msi f4d1b970bc9e5d319c5432be9e3863b5a20bf26e557c8cea6f3949df0012cf01

(this sample)

  
Delivery method
Distributed via web download

Comments