MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc82ae233202ce00335a22ad605fa184687db2023b8bdb8afbb4fd7cd61a8e52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 16



SHA256 hash: fc82ae233202ce00335a22ad605fa184687db2023b8bdb8afbb4fd7cd61a8e52
SHA3-384 hash: 61d62af2a7374824d59d5566525476c9e9455d9e72af6ceaaaec644744bf34c4999a6d061dd2b3a20c22d14ce43b9ad8
SHA1 hash: 991e26c64815750e03f6c3515e8beebf7b1075b3
MD5 hash: a3d8b7059f0a4108d38144586fd63ee0
humanhash: august-yankee-fillet-thirteen
File name: SecuriteInfo.com.PUA.Tool.Nssm.2.31375.31868
Signature: CoinMiner
File size: 4'135'936 bytes
First seen: 2024-01-24 08:54:10 UTC
Last seen: 2024-01-24 09:33:10 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: fc4211025d2823f78625f41e8016b470 (1 x CoinMiner)
ssdeep: 98304:kVT8nSXdIs4DzUQeArdcHL9NlTxoUx2ZXOR6wwYIvtQZZuvIsGr:keSXdY/aAm9NRx28cfhvtPY
TLSH: T1831633D26312A9F0C793C8BD48272D85FC807E5E62FD1892C7C55EEA5D31ACDAB5600B
TrID:
54.9% (.EXE) UPX compressed Win32 Executable (27066/9/6)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
4.1% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 68d4aa888c8ac460 (2 x AgentTesla, 2 x SnakeKeylogger, 2 x AsyncRAT)
Reporter: SecuriteInfoCom
Tags: CoinMiner exe

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 370
Origin country: FR
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a file
Sending a custom TCP request
Creating a process from a recently created file
Creating synchronization primitives
Creating a service
Launching a service
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Launching a tool to kill processes
Launching the process to interact with network services
Enabling autorun for a service
Verdict:
Malicious
Threat level: 10/10
Confidence:
100%
Tags:
anti-debug anti-vm comodo evasive expand fingerprint hacktool hook iceid keylogger lolbin miner monero packed packed packed powershell quickheal remote rundll32 shell32 stealer upx xmrig
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Signature
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Deletes itself after installation
Disables security and backup related services
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 1380114
Sample: SecuriteInfo.com.PUA.Tool.N...
Start date: 24/01/2024
Architecture: WINDOWS
Score: 100
Processes observed in the graph: SecuriteInfo.com.PUA.Tool.Nssm.2.31375.31868.exe, svchost.exe, cmd.exe, conhost.exe, attrib.exe, and a large number of further child processes
Dropped files: C:\Windows\Fonts\svchost.exe (PE32+), C:\Windows\Fonts\conhost.exe (PE32), C:\Windows\Fonts\WinRing0x64.sys (PE32+), C:\Windows\Fonts\rundlls.exe (PE32+)
Network contact: 127.0.0.1 (unknown)
Signatures attached to graph nodes: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found strings related to Crypto-Mining; Uses cmd line tools excessively to alter registry or file data; Drops executables to the windows directory (C:\Windows) and starts them; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks; Creates an undocumented autostart registry key; Deletes itself after installation
Threat name:
Win32.Trojan.DacicBitCoinMiner
Status:
Malicious
First seen:
2023-02-04 00:07:42 UTC
File Type:
PE (Exe)
Extracted files:
145
AV detection:
23 of 38 (60.53%)
Threat level: 5/5
Verdict:
malicious
Result
Malware family:
Score: 10/10
Tags:
family:xmrig discovery evasion miner persistence ransomware upx
Behaviour
Kills process with WMI
Kills process with taskkill
Modifies registry class
Modifies registry key
Runs net.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Windows directory
Launches sc.exe
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
UPX packed file
Sets file execution options in registry
Sets file to hidden
Stops running service(s)
Clears Windows event logs
XMRig Miner payload
xmrig
Unpacked files
SHA256 hash:
9fbd731a4cd6ee84bf75e0846f9cbfdddbe0efbb8b96a00c466f6bbc81ef093e
MD5 hash:
13cc9c94a0dbabc808196523397ae431
SHA1 hash:
cd035326b4d4944de993b12330b0f985e4b6b841
Detections:
XMRig MALWARE_Win_CoinMiner02 PUA_Crypto_Mining_CommandLine_Indicators_Oct21 XMRIG_Monero_Miner MAL_XMR_Miner_May19_1
SHA256 hash:
c5a346bd16c246db669605c70a547204313c0fa2325332a3d8427a4449e5b40e
MD5 hash:
7afcf45907f225e3e3cfeece3bbcd410
SHA1 hash:
9747e4c11bcf0393e1d1a2ac4b7c43af590da0bc
SHA256 hash:
a26487eb2d2e4992e9fc6429380eedf6d16ce2ad44451a5fa8551dda99cd9c23
MD5 hash:
bbfb132c351b577f1b62466594e6286e
SHA1 hash:
6554c61b5e67324871b70074a9c22f58298c686c
Detections:
XMRig MALWARE_Win_CoinMiner02 INDICATOR_SUSPICIOUS_References_SecTools MAL_XMR_Miner_May19_1
SHA256 hash:
9448981710a772aa8fd961c228ebfd96c5fffa2282b85a9b71cc21caf6a6b459
MD5 hash:
51714c87a2477921070fdff193a27254
SHA1 hash:
f21170e2f8a25dce5cd19371464a4ba2b14e5f5f
Detections:
XMRig MALWARE_Win_CoinMiner02 XMRIG_Monero_Miner MAL_XMR_Miner_May19_1
SHA256 hash:
fc82ae233202ce00335a22ad605fa184687db2023b8bdb8afbb4fd7cd61a8e52
MD5 hash:
a3d8b7059f0a4108d38144586fd63ee0
SHA1 hash:
991e26c64815750e03f6c3515e8beebf7b1075b3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXv20MarkusLaszloReiser
Author: malware-lu

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments