MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05cbc7acf9459b56e1682f7d6f5389445f68b26749da081e03425100d138ccff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 05cbc7acf9459b56e1682f7d6f5389445f68b26749da081e03425100d138ccff
SHA3-384 hash: 98a9d95679d7b39ea0f543dce3c386badf5d51d15655352a5837aa882defb19d017ce5c4423fb5db40058e4266a7d1dc
SHA1 hash: af5909cf1feebc4008ebeeea1d2da39dcf37b35c
MD5 hash: 70ae62b899677b72567b2783429dda8d
humanhash: steak-colorado-island-skylark
File name:updater.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:10'429'208 bytes
First seen:2023-05-07 00:01:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d3be2dc19ba54f7225d7679c3f791cf7 (35 x CoinMiner, 2 x PripyatMiner)
ssdeep 196608:BO7tauhixdS1Qx4TbCuJFMxIz6VgWwTi9KKz1drIZUvI6eCAaNLDx+fGCXmRY:B4QuEuTbHsxIz2gWv0ZUvIk7NLDx+uCl
Threatray 2'304 similar samples on MalwareBazaar
TLSH T11CB6BF31D37A586AA00B35BC97FC2C6F78B4F76F5325660E7339529E04AA80EBF41458
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter Chainskilabs
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
updater.exe
Verdict:
Malicious activity
Analysis date:
2023-05-07 00:03:08 UTC
Tags:
miner
Link:
https://app.any.run/tasks/70ba6062-2b43-4509-bb3c-39a2b5c446bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387170/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Creating a file in the %temp% directory
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Reading critical registry keys
Сreating synchronization primitives
Setting browser functions hooks
Unauthorized injection to a recently created process
Changing the hosts file
Unauthorized injection to a system process
Unauthorized injection to a browser process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/82848/overview
Behaviour
MalwareBazaar
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/05cbc7acf9459b56e1682f7d6f5389445f68b26749da081e03425100d138ccff
Result
Verdict:
MALICIOUS
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/88a6355f-d655-4fc7-b045-7b1543bd114f
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1227588
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Found hidden mapped module (file has been removed from disk)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sample is not signed and drops a device driver
Self deletion via cmd or bat file
Sigma detected: Stop multiple services
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 860552 Sample: updater.exe Startdate: 07/05/2023 Architecture: WINDOWS Score: 100 84 Malicious sample detected (through community Yara rule) 2->84 86 Antivirus detection for dropped file 2->86 88 Multi AV Scanner detection for dropped file 2->88 90 10 other signatures 2->90 9 updater.exe 2 2->9         started        13 cmd.exe 1 2->13         started        15 cmd.exe 1 2->15         started        17 5 other processes 2->17 process3 file4 64 C:\Users\user\AppData\...\qwibkmgcyhln.tmp, PE32+ 9->64 dropped 66 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 9->66 dropped 68 C:\Windows\System32\drivers\etc\hosts, ASCII 9->68 dropped 104 Self deletion via cmd or bat file 9->104 106 Writes to foreign memory regions 9->106 108 Modifies the context of a thread in another process (thread injection) 9->108 114 4 other signatures 9->114 19 dialer.exe 1 9->19         started        110 Uses powercfg.exe to modify the power settings 13->110 112 Modifies power options to not sleep / hibernate 13->112 22 conhost.exe 13->22         started        34 5 other processes 13->34 24 conhost.exe 15->24         started        36 4 other processes 15->36 26 conhost.exe 17->26         started        28 conhost.exe 17->28         started        30 conhost.exe 17->30         started        32 choice.exe 17->32         started        signatures5 process6 signatures7 92 Injects code into the Windows Explorer (explorer.exe) 19->92 94 Contains functionality to inject code into remote processes 19->94 96 Writes to foreign memory regions 19->96 98 4 other signatures 19->98 38 svchost.exe 19->38 injected 40 lsass.exe 6 19->40 injected 43 svchost.exe 1 1 19->43         started        46 20 other processes 19->46 process8 dnsIp9 48 updater.exe 38->48         started        100 Writes to foreign memory regions 40->100 102 Adds a directory exclusion to Windows Defender 40->102 52 powershell.exe 40->52         started        54 svchost.exe 40->54         started        56 svchost.exe 4 40->56         started        70 127.0.0.1 unknown unknown 43->70 signatures10 process11 file12 60 C:\Windows\Temp\qwibkmgcyhln.tmp, PE32+ 48->60 dropped 62 C:\Program Filesbehaviorgraphoogle\Libs\WR64.sys, PE32+ 48->62 dropped 72 Protects its processes via BreakOnTermination flag 48->72 74 Writes to foreign memory regions 48->74 76 Modifies the context of a thread in another process (thread injection) 48->76 82 3 other signatures 48->82 78 Creates files in the system32 config directory 52->78 58 conhost.exe 52->58         started        80 Changes security center settings (notifications, updates, antivirus, firewall) 54->80 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/05cbc7acf9459b56e1682f7d6f5389445f68b26749da081e03425100d138ccff/
Threat name:
Win64.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-04-18 21:28:02 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=axf4plhziwnvnylif56w6u4jirpwrmthjhnaqhqdijiqbujyzt7q._file
Verdict:
malicious
Similar samples:
50c2bec0fbc955824b6b2648d30fc42a5fc64994411fdb6026f560d0aa8e178e
CoinMiner
6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04
CoinMiner
8af00bf775390ea0d90e5d0db1d6ea1149d8a2da3e024948d3a4dce7b11f3237
CoinMiner
95a69137e57a900e7f2721395b6aaf1695d74f16f5e44410557514dca8849ef3
CoinMiner
a8e604652a602e200a53836f87cdf53648d18f1f853cf0852f33a74992b7fc82
CoinMiner
adad69d9a6bf24c7739cc25cf4def1b96d05accc349ed86e9200d404c039ad03
CoinMiner
cde83c58766ae18bd516cfa78098c411fd1d0ebff083896f35fc33b10afa0e50
CoinMiner
dcdf6845df1e1aed6f335dd6f2a3ff7351984522235937e5c4a1c746c7fe4371
CoinMiner
ef1cb9555d780addb510d052b41f070dbdeb931c3f916bf345a419a4d437a167
CoinMiner
efaaa8ecbfb81f33bbfb791209f0e386756b6a5242428d178efda0ad93ac64bf
CoinMiner
+ 2'294 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/230507-abftfsce5z/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Deletes itself
Executes dropped EXE
Loads dropped DLL
Drops file in Drivers directory
Sets service image path in registry
Stops running service(s)
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
05cbc7acf9459b56e1682f7d6f5389445f68b26749da081e03425100d138ccff
MD5 hash:
70ae62b899677b72567b2783429dda8d
SHA1 hash:
af5909cf1feebc4008ebeeea1d2da39dcf37b35c
Link:
https://www.unpac.me/results/f514e56f-9e35-44ae-8708-b6813d6c32e2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/05cbc7acf945/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/05cbc7acf9459b56e1682f7d6f5389445f68b26749da081e03425100d138ccff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 05cbc7acf9459b56e1682f7d6f5389445f68b26749da081e03425100d138ccff

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/387170/

Comments