MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 076be2c09b944ec56381f42405728f7f657d2597b6e27191354568fb70170b29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 076be2c09b944ec56381f42405728f7f657d2597b6e27191354568fb70170b29
SHA3-384 hash: d49333adf85dab9daf4791dedf98cf5fff62cf80c53e2635fe2741d196bf0792fa55c65dbfa338bba16c14535d559c2d
SHA1 hash: d81baf14bf5d2f017a1a7bfd9e75d03ca7621b8a
MD5 hash: fbbeef748d1a778d15265c1b78a0f5f2
humanhash: skylark-quebec-california-oranges
File name:InjectFortnite.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:5'639'168 bytes
First seen:2022-02-10 14:22:55 UTC
Last seen:2022-02-10 15:29:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9bfd2dac39af50555ae9789117b36b66 (19 x CoinMiner, 2 x CoinMiner.XMRig)
ssdeep 49152:rpQDkXmuSP9y8X1hMUR/kMC3WpP7MqRyBxpt+yyQ6ihi04raAWK3+M2lkXy1YweG:
Threatray 454 similar samples on MalwareBazaar
TLSH T1BD4633605FEA0D3AC668823C74A74F5D17F10EE58856FACB539078D7229EF41052F8AE
Reporter tech_skeech
Tags:CoinMiner.XMRig exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Detection:
CoinMiner02
Create hunting rule
Link:
https://www.capesandbox.com/analysis/240657/
Detection(s):
SecuriteInfo.com.Trojan.BtcMine.3606.5481.13943.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
stealer
Link:
https://www.filescan.io/uploads/62051fc9289e2f3e4fbc6242/reports/adb2ebbf-a16a-409b-b205-2ce79fe8d7c9/overview
Result
Verdict:
MALICIOUS
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7b652d29-7e02-462c-b363-97280b93beb5
Result
Threat name:
BitCoin Miner SilentXMRMiner Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/937669
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Sample is not signed and drops a device driver
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 570143 Sample: InjectFortnite.exe Startdate: 10/02/2022 Architecture: WINDOWS Score: 100 89 adl.windows.com 2->89 95 Malicious sample detected (through community Yara rule) 2->95 97 Antivirus / Scanner detection for submitted sample 2->97 99 Multi AV Scanner detection for submitted file 2->99 101 5 other signatures 2->101 12 InjectFortnite.exe 5 2->12         started        15 system32.exe 2->15         started        18 svchost.exe 2->18         started        21 7 other processes 2->21 signatures3 process4 dnsIp5 83 C:\Users\user\AppData\...\system32.exe, PE32+ 12->83 dropped 85 C:\Users\...\system32.exe:Zone.Identifier, ASCII 12->85 dropped 87 C:\Users\user\...\InjectFortnite.exe.log, ASCII 12->87 dropped 23 cmd.exe 12->23         started        25 cmd.exe 1 12->25         started        28 cmd.exe 12->28         started        30 wuapihost.exe 12->30         started        127 Antivirus detection for dropped file 15->127 129 Multi AV Scanner detection for dropped file 15->129 32 cmd.exe 15->32         started        91 127.0.0.1 unknown unknown 18->91 file6 signatures7 process8 signatures9 34 system32.exe 23->34         started        38 conhost.exe 23->38         started        123 Encrypted powershell cmdline option found 25->123 125 Uses schtasks.exe or at.exe to add and modify task schedules 25->125 40 powershell.exe 21 25->40         started        42 powershell.exe 14 25->42         started        44 conhost.exe 25->44         started        46 conhost.exe 28->46         started        48 schtasks.exe 28->48         started        50 conhost.exe 32->50         started        52 2 other processes 32->52 process10 file11 79 C:\Users\user\AppData\...\sihost64.exe, PE32+ 34->79 dropped 81 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 34->81 dropped 103 Writes to foreign memory regions 34->103 105 Allocates memory in foreign processes 34->105 107 Modifies the context of a thread in another process (thread injection) 34->107 109 2 other signatures 34->109 54 sihost64.exe 34->54         started        57 cmd.exe 34->57         started        59 conhost.exe 34->59         started        signatures12 process13 dnsIp14 111 Antivirus detection for dropped file 54->111 113 Multi AV Scanner detection for dropped file 54->113 115 Writes to foreign memory regions 54->115 119 2 other signatures 54->119 62 conhost.exe 54->62         started        117 Encrypted powershell cmdline option found 57->117 64 conhost.exe 57->64         started        66 powershell.exe 57->66         started        68 powershell.exe 57->68         started        93 pool.hashvault.pro 131.153.56.98, 49780, 80 CWIEUS United States 59->93 signatures15 process16 process17 70 cmd.exe 62->70         started        signatures18 121 Encrypted powershell cmdline option found 70->121 73 conhost.exe 70->73         started        75 powershell.exe 70->75         started        77 powershell.exe 70->77         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/076be2c09b944ec56381f42405728f7f657d2597b6e27191354568fb70170b29/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2022-02-10 12:42:48 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
21 of 43 (48.84%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0e0e1897aaa314ffbc12ef8ffb9047ab6170fc8fa3999221e66a991b2e77849d
CoinMiner
22e83b1f2a1d5a6e73e51efc8a3169810070bc333fa40ba34786321210d3b670
CoinMiner
4748cf947b9135467c1c39175eb0e5e9c7aa709f4b021c32e57e60e2c945dc9a
CoinMiner
70862f087542d47368ffb6d02a72c2353ab863af11d53c94f2fb81a9e1af2dd9
CoinMiner
865baa577a2cdad80e6daefdd7b9bf06d4f9c5007d3bc17e98d13ca8d620feb6
CoinMiner
96ed2610e94b19233c22c2341bb36f340298d76bb36bf658a0d853b91e1acc4e
CoinMiner
a422346b9d6280c5d088513b9415e469175a464bc65585651abb5f1437ea2968
CoinMiner
b17e3d464b920c10cb0ceeca0ae9eed030863ddc4233d03ab1ab0f01b58bb92b
CoinMiner
ec05558f0ce0cba4365d379c300561112878e5e71bdb0bb8cae1335594187686
CoinMiner
ee31b5f97e35ab401e74ad66f1d39479fb6bdefa3018dee605cfc6bd76bc1c46
CoinMiner
+ 444 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/220210-rp47mshbbp/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
076be2c09b944ec56381f42405728f7f657d2597b6e27191354568fb70170b29
MD5 hash:
fbbeef748d1a778d15265c1b78a0f5f2
SHA1 hash:
d81baf14bf5d2f017a1a7bfd9e75d03ca7621b8a
Link:
https://www.unpac.me/results/f12a8189-3d98-425e-a67a-bd31ab75242b/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 076be2c09b944ec56381f42405728f7f657d2597b6e27191354568fb70170b29

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/240657/

Comments