MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33
SHA3-384 hash: a464e50fd021d57262c8d8836f9a57477c5a1b2d939ca2471f725ac4887b04b15fab20875979b29304a40e812e4fd6d4
SHA1 hash: 67a5ba161cafa7f0471f03968dd0f94cfb21aa1a
MD5 hash: c1fd183c8ef30db8e2be4ab51e42501f
humanhash: may-sodium-edward-whiskey
File name:updater.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'307'968 bytes
First seen:2022-06-01 13:59:02 UTC
Last seen:2022-06-01 14:43:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7dbd2319b33ed25eb7ad7d0162c2bb3a (18 x CoinMiner, 1 x CoinMiner.XMRig, 1 x XFilesStealer)
ssdeep 98304:XE0M2JJwtZOBFn2pnAleA98wyvNc2I1GUaPeQqtjPaXx:1M27IZOBgCleG8ZvNzIQPhqtjPk
Threatray 1 similar samples on MalwareBazaar
TLSH T19116338CC9CECEE5D94B30FBF4E5CA5425B5F2D1B2162303D1AF40BA58266F6580B671
TrID 59.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
18.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.3% (.EXE) OS/2 Executable (generic) (2029/13)
7.2% (.EXE) Generic Win/DOS Executable (2002/3)
7.2% (.EXE) DOS Executable Generic (2000/1)
Reporter Anonymous
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
441
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Synapse X.exe
Verdict:
Malicious activity
Analysis date:
2022-05-21 14:06:23 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/7b4353e7-6f24-46da-80fa-33c9fa6ca7ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/276124/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.24474.4955.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a process from a recently created file
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b6de875-fca6-4ac2-ac9d-d206ef4113e7
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1005116
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Snort IDS alert for network traffic
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 637613 Sample: updater.exe Startdate: 01/06/2022 Architecture: WINDOWS Score: 100 66 Snort IDS alert for network traffic 2->66 68 Antivirus detection for dropped file 2->68 70 Antivirus / Scanner detection for submitted sample 2->70 72 5 other signatures 2->72 8 updater.exe 2->8         started        11 updater.exe 2->11         started        13 svchost.exe 9 1 2->13         started        16 4 other processes 2->16 process3 dnsIp4 84 Writes to foreign memory regions 8->84 86 Allocates memory in foreign processes 8->86 88 Creates a thread in another existing process (thread injection) 8->88 18 conhost.exe 7 8->18         started        22 conhost.exe 11->22         started        62 127.0.0.1 unknown unknown 13->62 64 192.168.2.1 unknown unknown 16->64 signatures5 process6 file7 56 C:\Program Files\Chrome\updater.exe, PE32+ 18->56 dropped 58 C:\...\updater.exe:Zone.Identifier, ASCII 18->58 dropped 74 Obfuscated command line found 18->74 24 cmd.exe 1 18->24         started        27 cmd.exe 1 18->27         started        29 cmd.exe 1 18->29         started        31 cmd.exe 1 18->31         started        60 C:\Program Filesbehaviorgraphoogle\Libs\WR64.sys, PE32+ 22->60 dropped 76 Creates files in the system32 config directory 22->76 78 Modifies the context of a thread in another process (thread injection) 22->78 80 Sample uses process hollowing technique 22->80 82 2 other signatures 22->82 33 cmd.exe 22->33         started        35 cmd.exe 22->35         started        signatures8 process9 signatures10 90 Uses cmd line tools excessively to alter registry or file data 24->90 92 Encrypted powershell cmdline option found 24->92 94 Uses schtasks.exe or at.exe to add and modify task schedules 24->94 37 powershell.exe 20 24->37         started        39 conhost.exe 24->39         started        41 conhost.exe 27->41         started        50 23 other processes 27->50 52 2 other processes 29->52 54 2 other processes 31->54 43 powershell.exe 33->43         started        46 conhost.exe 33->46         started        48 conhost.exe 35->48         started        process11 signatures12 96 Creates files in the system32 config directory 43->96
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33/
Threat name:
Win64.Hacktool.Sysdupate
Create hunting rule
Status:
Malicious
First seen:
2022-05-19 00:04:33 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
22 of 41 (53.66%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aa57c2sgmhgmzeg5oqikwb35gvvd2q2o77qqi6tn6hathmlunmzq._file
Verdict:
malicious
Similar samples:
28432c6b761d9a0d6d3a80cbeda9b6f745cf55b5a2c234737afe493d1ff11158
CoinMiner
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig discovery evasion exploit miner
Link:
https://tria.ge/reports/220601-radq5scfdq/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Possible privilege escalation attempt
Stops running service(s)
XMRig Miner Payload
Modifies security service
xmrig
Unpacked files
SH256 hash:
003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33
MD5 hash:
c1fd183c8ef30db8e2be4ab51e42501f
SHA1 hash:
67a5ba161cafa7f0471f03968dd0f94cfb21aa1a
Link:
https://www.unpac.me/results/a7e182e9-aeab-4e9e-9684-5b2fdbf6184f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/276124/

Comments