MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b146e27011b69ff39ebf85dcd1459aaf66584ef728aab4786970d6f9c2072ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b146e27011b69ff39ebf85dcd1459aaf66584ef728aab4786970d6f9c2072ad
SHA3-384 hash: 20385bae947c793fd33306b5b2372a811b1fdd87dd868db37293464d4a082ac6934c487dcb46bdcaac3a1fae9f1cf7bf
SHA1 hash: 1f243006ad330d7f63bbb8c142cbc83574ecd2b2
MD5 hash: 1d4f3985b2b3268dd16bf33300227551
humanhash: ten-high-vermont-bacon
File name:1d4f3985b2b3268dd16bf33300227551.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:7'048'704 bytes
First seen:2021-11-24 18:40:04 UTC
Last seen:2021-11-24 21:06:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 889336afd01a952ba79d1e90fb751739 (14 x CoinMiner)
ssdeep 98304:M5zUVhIjQ9dPlDGCtDyuWAohKrJKUjTJGziqT9hIQywOxl4usMTEb88uRLbh:tIjQ9RpDyu+KzGeqPIvwOz26n
Threatray 223 similar samples on MalwareBazaar
TLSH T12E6623BF11A8736CC01E88385433ED44B1F6251F47E9D6AEB1EFB5C037AA8158A46F46
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1d4f3985b2b3268dd16bf33300227551.exe
Verdict:
No threats detected
Analysis date:
2021-11-24 18:54:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0c7ab839-1a0b-4ddb-883f-ef24619772d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Inject4.20506.3249.14458.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/619e8712b71ceed4152edb3e/reports/167bc209-0495-4142-bb5f-c28ea127812b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8e0e124b-ec7a-48bc-8d29-8e340ab0ee9c
Result
Threat name:
BitCoin Miner Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/895658
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Detected VMProtect packer
Drops PE files with benign system names
Encrypted powershell cmdline option found
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Potential dropper URLs found in powershell memory
Sigma detected: Suspicius Add Task From User AppData Temp
Sigma detected: System File Execution Location Anomaly
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 528133 Sample: uMYRNqYoPM.exe Startdate: 24/11/2021 Architecture: WINDOWS Score: 100 69 Multi AV Scanner detection for submitted file 2->69 71 Yara detected BitCoin Miner 2->71 73 Yara detected Xmrig cryptocurrency miner 2->73 75 4 other signatures 2->75 9 uMYRNqYoPM.exe 6 2->9         started        13 services.exe 2 2->13         started        process3 file4 59 C:\Users\user\AppData\Local\...\services.exe, PE32+ 9->59 dropped 61 C:\Users\...\services.exe:Zone.Identifier, ASCII 9->61 dropped 63 C:\Users\user\AppData\...\uMYRNqYoPM.exe.log, ASCII 9->63 dropped 79 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->79 81 Tries to detect virtualization through RDTSC time measurements 9->81 83 Drops PE files with benign system names 9->83 15 cmd.exe 1 9->15         started        17 cmd.exe 1 9->17         started        20 cmd.exe 1 9->20         started        85 Multi AV Scanner detection for dropped file 13->85 22 cmd.exe 13->22         started        signatures5 process6 signatures7 24 services.exe 7 15->24         started        28 conhost.exe 15->28         started        65 Encrypted powershell cmdline option found 17->65 67 Uses schtasks.exe or at.exe to add and modify task schedules 17->67 30 powershell.exe 20 17->30         started        32 powershell.exe 23 17->32         started        34 conhost.exe 17->34         started        36 conhost.exe 20->36         started        38 schtasks.exe 1 20->38         started        40 conhost.exe 22->40         started        42 2 other processes 22->42 process8 file9 57 C:\Users\user\AppData\...\sihost64.exe, PE32+ 24->57 dropped 77 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 24->77 44 sihost64.exe 24->44         started        47 cmd.exe 24->47         started        signatures10 process11 signatures12 87 Antivirus detection for dropped file 44->87 89 Multi AV Scanner detection for dropped file 44->89 91 Writes to foreign memory regions 44->91 95 2 other signatures 44->95 49 conhost.exe 44->49         started        93 Encrypted powershell cmdline option found 47->93 51 conhost.exe 47->51         started        53 powershell.exe 47->53         started        55 powershell.exe 47->55         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0b146e27011b69ff39ebf85dcd1459aaf66584ef728aab4786970d6f9c2072ad/
Threat name:
Win64.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2021-11-24 03:18:15 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0028d3b936c329c8bb2a7c17d677d9808eed4f46c123048100050819d1657464
CoinMiner
1505d3b595d18d1b255253b080bed85334916ff81174a5685a6f3f3433cbe746
CoinMiner
40387bebfe97eea9c90425caf5519019dfc0e7425bb238246ec9f7bb5d621293
CoinMiner
58f64e4083fa288b091dc0d29a050da9cd09e4ee6607aff2e5fa5ffbe2c7a887
CoinMiner
7e6b525d20c679bb8241177f2e307bb9c5b9070e4846a033640eb45eafcf64ea
CoinMiner
bf47b285157f4274914515e77af23fc9924e7e10ea95065a37aa1e2d0deb8836
CoinMiner
cdb8a234c896df8b45ee7bc0d69ecdaec0bfce73cacdb376048bcd3abb85a75d
CoinMiner
e67db91b7e8bcf1cf40735c556df7971af493cfd6b0fe4ffd25774ca7c31e070
CoinMiner
fbf130705ed4de523fd2e38a6c64848af5d6e1ce6a268251e7b6d6e3f8089957
CoinMiner
+ 213 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
vmprotect
Link:
https://tria.ge/reports/211124-xa85yagfg9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
Unpacked files
SH256 hash:
0b146e27011b69ff39ebf85dcd1459aaf66584ef728aab4786970d6f9c2072ad
MD5 hash:
1d4f3985b2b3268dd16bf33300227551
SHA1 hash:
1f243006ad330d7f63bbb8c142cbc83574ecd2b2
Link:
https://www.unpac.me/results/d0ef6bed-aebf-4dfb-9741-3ae5bbb4a568/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0b146e27011b69ff39ebf85dcd1459aaf66584ef728aab4786970d6f9c2072ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 0b146e27011b69ff39ebf85dcd1459aaf66584ef728aab4786970d6f9c2072ad

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/209133/
  
URLhaus
https://urlhaus.abuse.ch/url/1811251/
  
Delivery method
Distributed via web download

Comments