MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 046976da5783b0425976084bc16ababee1094e98a1f0648fc10c91dcf49bc395. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 046976da5783b0425976084bc16ababee1094e98a1f0648fc10c91dcf49bc395
SHA3-384 hash: 480829f997995cf6ac69edbe50be31d57a73f219a3f414bd8ab8f1d7d0bee09933b567b61e7295299dd3b6bf9457ed8c
SHA1 hash: 7ff601a24c42ec01ef62c097927688a431c5aa76
MD5 hash: 342ef4f2941187bdc7f66d148be0ff75
humanhash: uniform-seventeen-mars-river
File name:342ef4f2941187bdc7f66d148be0ff75
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'149'888 bytes
First seen:2021-10-14 05:07:33 UTC
Last seen:2021-10-14 10:52:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 27516fd8750f40bdecf52a1420a0296a (12 x CoinMiner)
ssdeep 49152:4HXeSvsEQ2JZpmwDIqg45PHXsjKkms5Z3z3Yu0E2tElJHhU9VWOZH+aM:4jvsW/lDZ5P3sju63p2tERU9VT
Threatray 187 similar samples on MalwareBazaar
TLSH T16AA533449C4A618BFBC0A7372685011BBF3EB734CCA56C763F800361899EBD7D968976
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://cx55566.tmweb.ru/bloodteam.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-12 03:55:21 UTC
Tags:
loader
Link:
https://app.any.run/tasks/ed75313c-4368-408f-a3f9-c475fa62e0f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197410/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a process from a recently created file
Creating a process with a hidden window
Launching cmd.exe command interpreter
DNS request
Connecting to a cryptocurrency mining pool
Connection attempt
Sending a custom TCP request
Creating a service
Launching a service
Loading a system driver
Enabling autorun for a service
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6167bb36fd35fe780c3f1b53/reports/253125cf-ff0b-4142-9ce9-f0e568487527/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f85be8a7-08c4-4d7e-bb70-c08136283431
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/870195
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicious Svchost Process
Sigma detected: Xmrig
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 502619 Sample: v35hfKF2k8 Startdate: 14/10/2021 Architecture: WINDOWS Score: 100 75 Sigma detected: Xmrig 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 4 other signatures 2->81 10 services64.exe 2->10         started        13 v35hfKF2k8.exe 2->13         started        15 svchost.exe 1 2->15         started        17 2 other processes 2->17 process3 signatures4 105 Multi AV Scanner detection for dropped file 10->105 107 Writes to foreign memory regions 10->107 109 Allocates memory in foreign processes 10->109 19 conhost.exe 6 10->19         started        111 Creates a thread in another existing process (thread injection) 13->111 24 conhost.exe 4 13->24         started        26 svchost.exe 1 13->26         started        process5 dnsIp6 63 192.168.2.1 unknown unknown 19->63 59 C:\Windows\System32\...\sihost64.exe, PE32+ 19->59 dropped 89 Drops executables to the windows directory (C:\Windows) and starts them 19->89 91 Writes to foreign memory regions 19->91 93 Modifies the context of a thread in another process (thread injection) 19->93 95 2 other signatures 19->95 28 sihost64.exe 19->28         started        31 cmd.exe 19->31         started        61 C:\Windows\System32\services64.exe, PE32+ 24->61 dropped 34 cmd.exe 1 24->34         started        36 cmd.exe 1 24->36         started        file7 signatures8 process9 dnsIp10 113 Multi AV Scanner detection for dropped file 28->113 115 Writes to foreign memory regions 28->115 117 Allocates memory in foreign processes 28->117 119 Creates a thread in another existing process (thread injection) 28->119 38 conhost.exe 2 28->38         started        69 104.140.244.186, 49772, 49774, 5555 EONIX-COMMUNICATIONS-ASBLOCK-62904US United States 31->69 71 pool.supportxmr.com 31->71 73 pool-nyc.supportxmr.com 31->73 121 Query firmware table information (likely to detect VMs) 31->121 123 Drops executables to the windows directory (C:\Windows) and starts them 34->123 40 services64.exe 34->40         started        43 conhost.exe 34->43         started        125 Uses schtasks.exe or at.exe to add and modify task schedules 36->125 45 conhost.exe 36->45         started        47 schtasks.exe 1 36->47         started        signatures11 127 Detected Stratum mining protocol 69->127 process12 signatures13 99 Writes to foreign memory regions 40->99 101 Allocates memory in foreign processes 40->101 103 Creates a thread in another existing process (thread injection) 40->103 49 conhost.exe 2 40->49         started        process14 file15 57 C:\Windows\System32\Microsoft\Libs\WR64.sys, PE32+ 49->57 dropped 83 Writes to foreign memory regions 49->83 85 Modifies the context of a thread in another process (thread injection) 49->85 87 Injects a PE file into a foreign processes 49->87 53 cmd.exe 49->53         started        signatures16 process17 dnsIp18 65 pool.supportxmr.com 53->65 67 pool-nyc.supportxmr.com 53->67 97 Query firmware table information (likely to detect VMs) 53->97 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/046976da5783b0425976084bc16ababee1094e98a1f0648fc10c91dcf49bc395/
Threat name:
Win64.Trojan.AgentAGen
Create hunting rule
Status:
Malicious
First seen:
2021-10-08 02:02:35 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
31f0308a25262c3c2f7e58d60d2c861d73fd4fee2822af6ce393a7676453d3a4
CoinMiner
5f5650987c9810c4cc59a467650844179c1349ded7b2fa0f1b00edbbf648612c
CoinMiner
a07677ebabaa7fc3993f565f32d9299a8c9c1b59e6eb19fe7138c19eef219655
CoinMiner
b55bf0c98c34bb3ca46a7bb08598ffc1a97c9ad7bb47191cd1280b609322267f
CoinMiner
bcc7c88a78159d256da9838d8148b61bf92057b71eabf3bed83ed650d723562c
CoinMiner
e558134f888d403ba60d7db59978502a9071951528cd4873bd4702921012d69e
CoinMiner
ef25bb229ec8ca7d7b2e3d4e23036b74bdc8b9154bb4c5b532e7ea2a0a7c8ee6
CoinMiner
f4ec629473fbe96fa82fe1c1e30e6784144163d662e1c977acf5bc1d62b20c0b
CoinMiner
f84c1b53daf8279593ae9a9f6d8590ceb488318ce70a09bf25bfbf494398a83c
CoinMiner
+ 177 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/211014-fskfvsgcb8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
046976da5783b0425976084bc16ababee1094e98a1f0648fc10c91dcf49bc395
MD5 hash:
342ef4f2941187bdc7f66d148be0ff75
SHA1 hash:
7ff601a24c42ec01ef62c097927688a431c5aa76
Link:
https://www.unpac.me/results/34e7f4a0-130b-4a79-b973-823c36264132/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/046976da5783/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/046976da5783b0425976084bc16ababee1094e98a1f0648fc10c91dcf49bc395

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 046976da5783b0425976084bc16ababee1094e98a1f0648fc10c91dcf49bc395

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1676347/
Cape
Cape
https://www.capesandbox.com/analysis/197410/

Comments


Avatar
zbet commented on 2021-10-14 05:07:34 UTC

url : hxxp://cx55566.tmweb.ru/monero-bandit.exe