MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6a56587ff63ad2c27323d56510915125be1f171324029353303659eb438d0ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6a56587ff63ad2c27323d56510915125be1f171324029353303659eb438d0ed
SHA3-384 hash: a1ce6fa24ef0fe1cd9fcf24d1ad931776ba3aaac949fafd1797a9a878a04b208c0cd828950e1bbe253bc24b733a389ca
SHA1 hash: e211cca58044b0788f68b32503ac9390a518379d
MD5 hash: beaa20f7cc0f9d7ec5d522c0faa96929
humanhash: vermont-carolina-glucose-lion
File name:888888
Download: download sample
Signature CoinMiner
Create hunting rule
File size:966'656 bytes
First seen:2021-02-03 05:40:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 388df45571914ad8d32eab5bab74d1d3 (1 x CoinMiner)
ssdeep 12288:XSyDnzSsi1GVTksAE17gAIVLopKZA3rDAN23/NTsWOd7tE:XzDn2L1ATktk7HIqpKZAbDAN23/WL5a
Threatray 88 similar samples on MalwareBazaar
TLSH CB259E15B18280F6CB5555308DA66736AB358B420B35CBCFB374DD5A2D32282B63B37B
Reporter r3dbU7z
Tags:backdoor CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
709
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
888888
Verdict:
Malicious activity
Analysis date:
2021-02-03 06:53:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dc22850b-ec5e-4a03-92f4-4b426098af03

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/115250/
Detection(s):
Win.Malware.Zusy-6840460-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
DNS request
Creating a process from a recently created file
Sending an HTTP GET request
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a service
Launching a service
Sending a UDP request
Connection attempt
Running batch commands
Creating a process with a hidden window
Enabling autorun for a service
Enabling autorun
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GhostRat Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/597414
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Creates an undocumented autostart registry key
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses known network protocols on non-standard ports
Yara detected GhostRat
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 347744 Sample: 888888 Startdate: 03/02/2021 Architecture: WINDOWS Score: 100 39 dns.monerogb.com 2->39 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Antivirus detection for URL or domain 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 6 other signatures 2->57 9 888888.exe 2 8 2->9         started        14 host..exe 2->14         started        16 svchost.exe 2->16         started        18 10 other processes 2->18 signatures3 process4 dnsIp5 43 180.215.224.139, 49721, 8800 BCPL-SGBGPNETGlobalASNSG Singapore 9->43 45 211.21.23.48, 8800 HINETDataCommunicationBusinessGroupTW Taiwan; Republic of China (ROC) 9->45 49 2 other IPs or domains 9->49 37 C:\Users\user\Desktop\84.exe, PE32 9->37 dropped 67 Creates an undocumented autostart registry key 9->67 69 Contains functionality to detect sleep reduction / modifications 9->69 20 84.exe 1 2 9->20         started        71 Antivirus detection for dropped file 14->71 73 Multi AV Scanner detection for dropped file 14->73 75 Machine Learning detection for dropped file 14->75 79 4 other signatures 14->79 24 host..exe 14->24         started        77 Changes security center settings (notifications, updates, antivirus, firewall) 16->77 27 MpCmdRun.exe 1 16->27         started        47 127.0.0.1 unknown unknown 18->47 file6 signatures7 process8 dnsIp9 35 C:\Windows\SysWOW64\host..exe, PE32 20->35 dropped 59 Antivirus detection for dropped file 20->59 61 Multi AV Scanner detection for dropped file 20->61 63 Machine Learning detection for dropped file 20->63 65 5 other signatures 20->65 29 cmd.exe 1 20->29         started        41 dns.monerogb.com 103.246.218.179, 49724, 49725, 49726 SDCL-AS-APSkyDigitalCoLtdTW Taiwan; Republic of China (ROC) 24->41 31 conhost.exe 27->31         started        file10 signatures11 process12 process13 33 conhost.exe 29->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6a56587ff63ad2c27323d56510915125be1f171324029353303659eb438d0ed/
Threat name:
Win32.PUA.FlyStudio
Create hunting rule
Status:
Malicious
First seen:
2021-01-03 21:08:08 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w2swlb77mowsyjzshvlfccivcjn6d4lrgjacsnjtansz5nby2dwq._file
Verdict:
malicious
Similar samples:
15de7f8defad6bace8c44bd3bd7725c10c0dc8336a58a7e8d92075a651fd61d0
CoinMiner
2e13c882d28c2236893a0a543e67c74a4f2e560d98c98b800f95c07938156a37
CoinMiner
56133c0d017af35f49253926e3583cf72c36146ab7faa65b6058971685166652
CoinMiner
6edb794a9f28cbd60dcb9fefc0e145f64c9e623b3df235a4a907ca948fd1edb9
CoinMiner
7333ddf4a7e53eeda33a8360b307471358597aeff78f4a5a7f4610640f97bdc7
CoinMiner
75b388003cc32b680abc3d9b41bc6c435af723de235eaab36a323fddcb906f62
CoinMiner
7722f9fc1c3104b305915e49413e86df71e233fc2ac2914eee60ab7a59fcdf14
CoinMiner
799b7395c9f279d8cd1cd24657788ecb37db7ae03c0dddeb3344a95a551d1325
CoinMiner
a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3
CoinMiner
f7a8d3fb89711f208f281c267ed8dd647cda207ecb514d37892b56a0ddafbe9a
CoinMiner
+ 78 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner persistence ransomware
Link:
https://tria.ge/reports/210203-l4evc1tbee/
Behaviour
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Drops file in System32 directory
Enumerates physical storage devices
JavaScript code in executable
Loads dropped DLL
Executes dropped EXE
Sets service image path in registry
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
a3a62538b3f69c8b06b84c2338fafe202dd069df60f9c2ae66c4e3588cf60ea9
MD5 hash:
2f8cb6fe4e819509372f4a15bbe6edc8
SHA1 hash:
a7d9748a3e335dc86dd4f0dac5295776f79e9bfa
Link:
https://www.unpac.me/results/d5c82c88-d108-493c-84fa-9b1a8948ca20/
Parent samples :
9d06ca25675308eee7646087fdd9cc585856ca022c5d9d887d809e0231fed044
00ef210a88f26be8dc6998d53a5eda9158f71842f590eea13d913f8ff3327cb7
SH256 hash:
b6a56587ff63ad2c27323d56510915125be1f171324029353303659eb438d0ed
MD5 hash:
beaa20f7cc0f9d7ec5d522c0faa96929
SHA1 hash:
e211cca58044b0788f68b32503ac9390a518379d
Link:
https://www.unpac.me/results/d5c82c88-d108-493c-84fa-9b1a8948ca20/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b6a56587ff63ad2c27323d56510915125be1f171324029353303659eb438d0ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:win_netwire_g0
Create hunting rule
Author:mak

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/115250/

Comments