MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89dac706230235cd4cf9b37c009ed2a37955a888a826a5db197c91a3e6feee7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 10



SHA256 hash: 89dac706230235cd4cf9b37c009ed2a37955a888a826a5db197c91a3e6feee7f
SHA3-384 hash: becf967b014b79f111b1d72fc86495f88256032d4c73fb7bd9ebdaf6d01e800f31cebf3fbf294417fa6621c2a99385c7
SHA1 hash: bf340aa6d6e27c1f3f9f0e1e2fcfe780149bb939
MD5 hash: e33344ebcfdb20597ca33527bbf61323
humanhash: football-muppet-yankee-thirteen
File name: vidos-miner.exe
Signature: CoinMiner
File size: 4'638'208 bytes
First seen: 2022-02-13 07:21:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 98304:WMOpsoq/f9PYVbM4D6247CkOf+3nXtvtU6JEzQtL1wBgUxZJEKz8M3:6iJPIM062gCbun91rOG2ZxZaM3
Threatray: 1'174 similar samples on MalwareBazaar
TLSH: T1B32633EC374D60CFC65EC27AEA891C70D6B27167A6078702E07B67F24E0D59E8E14276
Reporter: adm1n_usa32
Tags: 64 64bit CoinMiner exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 412
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Running batch commands
Launching a process
DNS request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process from a recently created file
Creating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: confuserex obfuscated packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: BitCoin Miner SilentXMRMiner Xmrig
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected VMProtect packer
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph ID: 571396
Sample: vidos-miner.exe
Start date: 13/02/2022
Architecture: WINDOWS
Score: 100

Sample-level signatures:
  Malicious sample detected (through community Yara rule)
  Antivirus detection for dropped file
  Antivirus / Scanner detection for submitted sample
  8 other signatures
Network: pool.hashvault.pro (DNS); 192.168.2.1 (unknown unknown, contacted by the "10 other processes" node)

Process tree (dropped files and per-process signatures are indented under the process that produced them):
  vidos-miner.exe
    dropped: C:\Users\user\AppData\...\system64dll.exe (PE32+)
    dropped: C:\Users\...\system64dll.exe:Zone.Identifier (ASCII)
    dropped: C:\Users\user\AppData\...\vidos-miner.exe.log (ASCII)
    signature: Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
    cmd.exe
      signature: Encrypted powershell cmdline option found
      signature: Uses schtasks.exe or at.exe to add and modify task schedules
      powershell.exe
      powershell.exe
      conhost.exe
    cmd.exe
      system64dll.exe
        dropped: C:\Users\user\AppData\...\sihost64.exe (PE32+)
        cmd.exe
          signature: Encrypted powershell cmdline option found
          conhost.exe
          powershell.exe
      conhost.exe
    cmd.exe
      conhost.exe
      schtasks.exe
  system64dll.exe
    signature: Antivirus detection for dropped file
    signature: Multi AV Scanner detection for dropped file
    signature: Machine Learning detection for dropped file
    cmd.exe
      2 other processes
  svchost.exe
    signature: Changes security center settings (notifications, updates, antivirus, firewall)
    MpCmdRun.exe
      conhost.exe
  10 other processes
    network: 192.168.2.1 (unknown unknown)
Threat name: ByteCode-MSIL.Trojan.CoinminerX
Status: Malicious
First seen: 2022-02-05 04:43:49 UTC
File Type: PE+ (.Net Exe)
Extracted files: 1
AV detection: 22 of 28 (78.57%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig miner vmprotect
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
XMRig Miner Payload
xmrig
Unpacked files
SHA256 hash: 89dac706230235cd4cf9b37c009ed2a37955a888a826a5db197c91a3e6feee7f
MD5 hash: e33344ebcfdb20597ca33527bbf61323
SHA1 hash: bf340aa6d6e27c1f3f9f0e1e2fcfe780149bb939
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: downloader_macros
Author: ddvvmmzz
Description: downloader macros

Rule name: exec_macros
Author: ddvvmmzz
Description: exec macros

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: MALWARE_Win_CoinMiner02
Author: ditekSHen
Description: Detects coinmining malware

Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: MAL_XMR_Miner_May19_1_RID2E1B
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: rig_win64_xmrig_6_13_1_xmrig
Author: yarGen Rule Generator
Description: rig_win64 - file xmrig.exe
Reference: https://github.com/Neo23x0/yarGen

Rule name: SUSP_NET_NAME_ConfuserEx
Author: Arnim Rupp
Description: Detects ConfuserEx packed file
Reference: https://github.com/yck1509/ConfuserEx

Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments