Hezb cryptomining malware with IoCs Hashes IPs Domain Names

Event ID: 1530
UUID: 7360197a-48e6-4792-b7c6-5d616d5c79c9
Creator org: CIRCL
Owner org: LUNCHBOX
Creator user: admin@admin.test
Protected Event (experimental): Event is in unprotected mode.
Tags: maec-malware-behavior:maec-malware-behavior="mine-for-cryptocurrency", tlp:white, misp-galaxy:threat-actor="Hezb", estimative-language:confidence-in-analytic-judgment="high", estimative-language:likelihood-probability="almost-certain", admiralty-scale:information-credibility="1"
Date: 2022-09-12
Threat Level: Medium
Analysis: Initial
Distribution: All communities
Published: Yes (2022-10-03 17:43:24)
#Attributes: 615 (65 Objects)
First recorded change: 2022-09-12 12:43:58
Last change: 2022-10-03 17:43:24
Sightings: 0 (0) – restricted to own organisation only.

Related Events

  •  2022-05-09  abuse.ch  MalwareBazaar malware samples for 2022-05-09  (1)
  •  2022-01-28  Compromised host delivering malware (Mirai)  (5)
  •  2019-02-20  IoT malware – Gafgyt.Gen28 (active) – 20190220 – 20190222  (4)


1530: Hezb cryptomining malware

Galaxies

Attack Pattern 

  •  Exploit Public-Facing Application – T1190   
  •  Resource Hijacking – T1496   


Attributes (table columns: Date, Org, Category, Type, Value, Tags, Galaxies, Comment, Correlate, Related Events, Feed hits, IDS, Distribution, Sightings, Activity, Actions). All attributes below have distribution "Inherit" and sightings (0/0/0).

Object: credential (2022-09-29)
  •  2022-09-29  Other  text: gulf.moneroocean.stream:80
  •  2022-09-29  Other  username: 42JKzDhbU76Wbf7JSDhomw6utwLr3N8tjZXLzLwvTcPuP5ZGZiJAHwnD7dNf2ZSAh52i9cUefq2nmLK3azKBffkBMX5b1LY
  •  2022-09-29  Other  password: prx
  •  2022-09-29  Other  type: password
  •  2022-09-29  Other  origin: malware-analysis
  •  2022-09-29  Other  format: clear-text
  •  2022-09-29  Other  notification: none
Object: elf-section (2022-09-14)
  •  2022-09-12  Other  name: .stapsdt.base
  •  2022-09-12  Other  type: PROGBITS
  •  2022-09-12  Other  flag: ALLOC
  •  2022-09-12  Other  size-in-bytes: 1
Object: elf-section (2022-09-14)
  •  2022-09-12  Other  name: .jcr
  •  2022-09-12  Other  type: PROGBITS
  •  2022-09-12  Other  flag: WRITE
  •  2022-09-12  Other  flag: ALLOC
  •  2022-09-12  Other  size-in-bytes: 8
Object: ip-port (2022-09-13)
  •  2022-09-13  Network activity  dst-port: 82
  •  2022-09-13  Network activity  ip-dst: 205.147.101.170

Object: ip-port (2022-09-13), comment: mining component control
  •  2022-09-13  Network activity  dst-port: 4545
  •  2022-09-13  Network activity  ip-dst: 106.251.252.226

  •  2022-09-12  External analysis  link: https://www.virustotal.com/gui/file/aaa4aaa14e351350fccbda72d442995a65bd1bb8281d97d1153401e31365a3e9/community
  •  2022-09-12  Payload delivery  link: http://205.147.101.170:82/kthmimu.txt
Object: file (2022-09-12), references: 1
  •  2022-09-12  Payload delivery  filename: kik
  •  2022-09-12  Other  size-in-bytes: 2365110 (2.26 MB)
  •  2022-09-12  Other  entropy: 6.5858018193731
  •  2022-09-12  Payload delivery  md5: 163df28890e025dd2f46609e9ed24e3d
  •  2022-09-12  Payload delivery  sha1: 9f3f19639cd70c67293b6de157b076b130107dc2
  •  2022-09-12  Payload delivery  sha256: eaa1baf4e2e0dec786be25a7283799a0db99ecd40fb807f5b7d8afaeba8d6522
  •  2022-09-12  Payload delivery  sha512: 5773923178d6d3361c3f32573633cfc2619de31f4bc54f77214907ec075af7b4c4eca8e611f87c994101684f7e65c9228af7458af9c28da34dedfe39109d6c5f
  •  2022-09-12  Payload delivery  malware-sample: kik | 163df28890e025dd2f46609e9ed24e3d
  •  2022-09-12  Artifacts dropped  mime-type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV)
  •  2022-09-12  Payload delivery  ssdeep: 24576:E2HqrhGNtI14h5uwRJjHdPup75ExO4/boMdAkpIhfTUMmeI5L:E2HqrhGw1gu0JT5up75mT/bEkahbU95L