URL: https://coinhive.com/lib/

Full analysis: https://app.any.run/tasks/c5dc16c0-a5df-4824-93d5-ce8dacb0e504
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: May 21, 2022, 11:06:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, coinhive
Indicators:
  • MD5: E3517D652B6C6FC4B0F1A2CAE0B90CCD
  • SHA1: A8A3CBBD1FA6767BF91EAD7C13CBDA75F986AC61
  • SHA256: 08F6F85F054DD8514D6C793006044F58F3C24B9F507FA63EEB66C4ED7A99EC5C
  • SSDEEP: 3:N8XWSE5Mq:2xq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 2152)
    • Reads the computer name
      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 3900)
    • Checks supported languages
      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 3900)
    • Executed via COM
      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 3900)
    • Creates files in the user directory
      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 3900)
  • INFO
    • Reads the computer name
      • iexplore.exe (PID: 1560)
      • iexplore.exe (PID: 2152)
    • Checks supported languages
      • iexplore.exe (PID: 1560)
      • iexplore.exe (PID: 2152)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2152)
      • iexplore.exe (PID: 1560)
    • Application launched itself
      • iexplore.exe (PID: 1560)
    • Changes internet zones settings
      • iexplore.exe (PID: 1560)
    • Reads internet explorer settings
      • iexplore.exe (PID: 2152)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 1560)
      • iexplore.exe (PID: 2152)
    • Reads CPU info
      • iexplore.exe (PID: 2152)
    • Creates files in the user directory
      • iexplore.exe (PID: 2152)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start → iexplore.exe → iexplore.exe → flashutil32_32_0_0_453_activex.exe (no specs)

Process information

PID: 1560
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://coinhive.com/lib/"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID: 2152
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1560 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID: 3900
CMD: C:\Windows\system32\Macromed\Flash\FlashUtil32_32_0_0_453_ActiveX.exe -Embedding
Path: C:\Windows\system32\Macromed\Flash\FlashUtil32_32_0_0_453_ActiveX.exe
Parent process: svchost.exe
User: admin
Company: Adobe
Integrity Level: MEDIUM
Description: Adobe® Flash® Player Installer/Uninstaller 32.0 r0
Version: 32,0,0,453
Modules (images):
  • c:\windows\system32\macromed\flash\flashutil32_32_0_0_453_activex.exe
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
Total events: 17 241
Read events: 16 969
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 28
Text files: 127
Unknown types: 31

Dropped files

  • PID 2152, iexplore.exe
    Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
    Type: binary
    MD5: 11770906EAB91BE6BE3FC090186BE59E
    SHA256: 9C0B4161B0AADF25372C3D8C908CED9EF29E06C9C2AB98CF8235DB6B000A09F0
  • PID 2152, iexplore.exe
    Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\cards.min[1].js
    Type: text
    MD5: 16D84278BB517D1765F9D6471D902DC2
    SHA256: 857DCF021006F18DF5E72E87501221D5B2F40C7F99C23EF75FA582CCA9B49900
  • PID 2152, iexplore.exe
    Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\cards.min[1].css
    Type: text
    MD5: 68DD49021EE6D7818C2E1E2E64ED89AA
    SHA256: E078C7F2333231376567AF00407F22F166A32B0B39C1932DE5F151462F26732F
  • PID 2152, iexplore.exe
    Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    Type: binary
    MD5: D66D5A10961D4E732BF79225E40250D1
    SHA256: 30A28178B58F73D38AA5F2CD7BD0B61CF16E72FE1C755DB57BBA8BD6D86EFBD7
  • PID 2152, iexplore.exe
    Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
    Type: der
    MD5: 47020B685E77ECD74ABC9ADCE105AD13
    SHA256: 558C89968EE2679A433CC03190339A000DEDD32D1E7A21B9929DD7631C4211BD
  • PID 2152, iexplore.exe
    Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\main.min[1].css
    Type: text
    MD5: 885EA493A7F52B571A3DBE3D7B7D74D5
    SHA256: 0CA584423385387F7FD16AE6C62079F43D381881DF869C02E9228C46EC203583
  • PID 2152, iexplore.exe
    Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\RT9298UY.htm
    Type: html
    MD5: 3B39682DF3F6406432618E19C9A13CD8
    SHA256: 3C39B295CFA56B609859F5CECF37760E83B65E0530806898BF4997BAB286FD34
  • PID 1560, iexplore.exe
    Filename: C:\Users\admin\AppData\Local\Temp\StructuredQuery.log
    Type: text
    MD5: 48B8ED636FCF9F53FF560D7C6A86FC48
    SHA256: 5FFC9C375F149C084D71F66E320C8453D2206869B6A1B13550BFF02822D58FCA
  • PID 2152, iexplore.exe
    Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\i-now-own-the-coinhive-domain-heres-how-im-fighting-cryptojacking-and-doing-good-things-with-content-security-policies[1].htm
    Type: html
    MD5: B8FBE0748F2BDC0B231DEFF98F1E13AC
    SHA256: 72CC318F6CC7F2153FAE3DFB87403C95EAD666BAE8FD129344C9EE213279EEE2
  • PID 2152, iexplore.exe
    Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\image-65[1].png
    Type: image
    MD5: 80C5A29F5468E2D189CA37BF6318224C
    SHA256: 8EA57EC909EFBB8004B34358718F608C00411F8556F56E4110F0210B5BBAEBCB
HTTP(S) requests: 26
TCP/UDP connections: 105
DNS requests: 44
Threats: 0

HTTP requests (PID, process, method, HTTP code, IP, CN, type, size, reputation; URL on the following line)

  • PID 2152, iexplore.exe, GET 200, 142.250.185.99:80, CN US, type der, 724 b, whitelisted
    http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
  • PID 2152, iexplore.exe, GET 200, 142.250.185.99:80, CN US, type der, 472 b, whitelisted
    http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCdUrA%2FwvrytArhIvu6cF3d
  • PID 2152, iexplore.exe, GET 200, 142.250.185.99:80, CN US, type der, 472 b, whitelisted
    http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDwQ9JNOs3IcArkp%2FBu7NbU
  • PID 2152, iexplore.exe, GET 200, 93.184.220.29:80, CN US, type der, 1.47 Kb, whitelisted
    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
  • PID 2152, iexplore.exe, GET 200, 93.184.220.29:80, CN US, type der, 471 b, whitelisted
    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
  • PID 2152, iexplore.exe, GET 200, 142.250.185.99:80, CN US, type der, 1.41 Kb, whitelisted
    http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
  • PID 2152, iexplore.exe, GET 200, 142.250.185.99:80, CN US, type der, 471 b, whitelisted
    http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEFsL8ccV6MRJElibH7RYju4%3D
  • PID 2152, iexplore.exe, GET 200, 104.18.32.68:80, CN US, type der, 471 b, whitelisted
    http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
  • PID 2152, iexplore.exe, GET 200, 104.18.32.68:80, CN US, type der, 727 b, whitelisted
    http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
  • PID 2152, iexplore.exe, GET 200, 142.250.185.99:80, CN US, type der, 472 b, whitelisted
    http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDExSUZ712qmxLhqE9UUaDV

Connections (PID, process, IP, domain, ASN, CN, reputation)

  • PID 1560, iexplore.exe: 204.79.197.200:443, www.bing.com, Microsoft Corporation, US, whitelisted
  • PID 2152, iexplore.exe: 93.184.220.29:80, ocsp.digicert.com, MCI Communications Services, Inc. d/b/a Verizon Business, US, whitelisted
  • PID 1560, iexplore.exe: 93.184.220.29:80, ocsp.digicert.com, MCI Communications Services, Inc. d/b/a Verizon Business, US, whitelisted
  • PID 2152, iexplore.exe: 209.197.3.8:80, ctldl.windowsupdate.com, Highwinds Network Group, Inc., US, whitelisted
  • PID 2152, iexplore.exe: 104.21.46.6:443, www.troyhunt.com, Cloudflare Inc, US, suspicious
  • PID 2152, iexplore.exe: 188.114.96.10:443, coinhive.com, Cloudflare Inc, US, malicious
  • PID 2152, iexplore.exe: 142.250.184.202:443, fonts.googleapis.com, Google Inc., US, whitelisted
  • PID 2152, iexplore.exe: 93.184.220.66:443, platform.twitter.com, MCI Communications Services, Inc. d/b/a Verizon Business, US, whitelisted
  • PID 2152, iexplore.exe: 104.17.25.14:443, cdnjs.cloudflare.com, Cloudflare Inc, US, suspicious
  • PID 2152, iexplore.exe: 142.250.185.174:443, www.google-analytics.com, Google Inc., US, whitelisted

DNS requests (domain, resolved IPs, reputation)

  • coinhive.com: 188.114.96.10, 188.114.97.10 (whitelisted)
  • ctldl.windowsupdate.com: 209.197.3.8 (whitelisted)
  • ocsp.digicert.com: 93.184.220.29 (whitelisted)
  • api.bing.com: 13.107.5.80 (whitelisted)
  • www.bing.com: 204.79.197.200, 13.107.21.200 (whitelisted)
  • www.troyhunt.com: 104.21.46.6, 172.67.221.245 (suspicious)
  • fonts.googleapis.com: 142.250.184.202 (whitelisted)
  • cdnjs.cloudflare.com: 104.17.25.14, 104.17.24.14 (whitelisted)
  • unpkg.com: 104.16.122.175, 104.16.123.175, 104.16.125.175, 104.16.124.175, 104.16.126.175 (whitelisted)
  • platform.twitter.com: 93.184.220.66 (whitelisted)

Threats

2 ETPRO signatures available at the full report
No debug info