MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bbfe17f684a3946b76fc48fd788b632cac3ad8b4a60ab6207a35d0d80584758. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0bbfe17f684a3946b76fc48fd788b632cac3ad8b4a60ab6207a35d0d80584758
SHA3-384 hash: abb9b71026f915e13aca40b4735dbf364ed9a96ae3ab2d9e087942920095df992215e31bf4526b64ad8883c6d4e60f03
SHA1 hash: 180c8e75602d8db6779ccb535d293573a097569b
MD5 hash: 74f468bbfea77390b32d574fa2980fb8
humanhash: lemon-fix-social-diet
File name:mupdater.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:5'566'240 bytes
First seen:2023-11-19 12:18:44 UTC
Last seen:2023-11-19 14:20:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 203d63d5d9a088e2d84cef737227986b (55 x CoinMiner)
ssdeep 98304:GyEIjcwBZtneE64ee4j/Dwwdi9q8PyvCF20c4xc6l6RjU2yc/GbYYaixz:tjDXtZde1j7wwI0vCk1sejU+/iawz
Threatray 109 similar samples on MalwareBazaar
TLSH T18A4612C80FD102BBFC1DFDB7A66835B5C088FC589A14CDE364F896159A6631BC263DA4
TrID 49.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
31.8% (.EXE) Win64 Executable (generic) (10523/12/4)
6.1% (.EXE) OS/2 Executable (generic) (2029/13)
6.0% (.EXE) Generic Win/DOS Executable (2002/3)
6.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 71f4a2cccc8ac461 (2 x BlankGrabber, 1 x CoinMiner)
Reporter Xev
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
354
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
mupdater.exe
Verdict:
Malicious activity
Analysis date:
2023-11-19 12:21:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d40a3170-dc0d-4324-9a4d-572f5989a55e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/459126/
Detection(s):
SecuriteInfo.com.Trojan.Siggen22.9899.4626.16533.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Deleting a system file
Running batch commands
Launching a process
Creating a service
Creating a file
Launching a service
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Creating a file in the system32 subdirectories
Setting browser functions hooks
Enabling autorun for a service
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Unauthorized injection to a browser process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug overlay packed
Link:
https://www.filescan.io/uploads/6559fd37e5d5331f5c590142/reports/5ef59d93-23a0-4ffb-bb33-db9e8a5ff3ec/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/0bbfe17f684a3946b76fc48fd788b632cac3ad8b4a60ab6207a35d0d80584758
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cfb9d91f-ea2c-4a8a-9065-543dc9117960
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1344741
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found strings related to Crypto-Mining
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Self deletion via cmd or bat file
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1344741 Sample: mupdater.exe Startdate: 19/11/2023 Architecture: WINDOWS Score: 100 61 xmr.2miners.com 2->61 63 pastebin.com 2->63 65 online.badbull.pro 2->65 69 Multi AV Scanner detection for domain / URL 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus detection for URL or domain 2->73 75 8 other signatures 2->75 8 fgqgjrcfhjsu.exe 1 2->8         started        12 mupdater.exe 1 2 2->12         started        signatures3 process4 file5 51 C:\Windows\Temp\cmdqefywrmuy.sys, PE32+ 8->51 dropped 77 Multi AV Scanner detection for dropped file 8->77 79 Protects its processes via BreakOnTermination flag 8->79 81 Modifies the context of a thread in another process (thread injection) 8->81 83 Sample is not signed and drops a device driver 8->83 14 dialer.exe 8->14         started        17 dialer.exe 8->17         started        20 cmd.exe 8->20         started        28 7 other processes 8->28 53 C:\ProgramData\...\fgqgjrcfhjsu.exe, PE32+ 12->53 dropped 85 Self deletion via cmd or bat file 12->85 87 Adds a directory exclusion to Windows Defender 12->87 22 dialer.exe 1 12->22         started        24 cmd.exe 1 12->24         started        26 cmd.exe 1 12->26         started        30 10 other processes 12->30 signatures6 process7 dnsIp8 89 Injects code into the Windows Explorer (explorer.exe) 14->89 91 Creates a thread in another existing process (thread injection) 14->91 93 Injects a PE file into a foreign processes 14->93 37 8 other processes 14->37 55 pastebin.com 104.20.67.143, 443, 49706 CLOUDFLARENETUS United States 17->55 57 xmr.2miners.com 162.19.139.184, 12222, 49705, 49707 CENTURYLINK-US-LEGACY-QWESTUS United States 17->57 59 online.badbull.pro 66.29.148.6, 443, 49708, 49719 ADVANTAGECOMUS United States 17->59 95 Query firmware table information (likely to detect VMs) 17->95 39 2 other processes 20->39 97 Contains functionality to inject code into remote processes 22->97 99 Writes to foreign memory regions 22->99 101 Allocates memory in foreign processes 22->101 103 Contains functionality to compare user and computer (likely to detect sandboxes) 22->103 32 lsass.exe 22->32 injected 35 dwm.exe 22->35 injected 41 5 other processes 22->41 43 2 other processes 24->43 45 2 other processes 26->45 47 6 other processes 28->47 49 10 other processes 30->49 signatures9 process10 signatures11 67 Writes to foreign memory regions 32->67
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0bbfe17f684a3946b76fc48fd788b632cac3ad8b4a60ab6207a35d0d80584758
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0bbfe17f684a3946b76fc48fd788b632cac3ad8b4a60ab6207a35d0d80584758/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-11-19 09:15:31 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bo76c73iji4unn3pysh5pcfwglfmhlmljjqkwyqhunoq3acyi5ma._file
Verdict:
malicious
Similar samples:
1f479a220e41be1c22092d76400565d0f7d8e890d1069a2f8bbdc5f697d9808f
CoinMiner
3e8c625c24615c02438b4d0dac88772792b86e715d02df78e30a15e85a08b972
CoinMiner
5690f5208387bba02ca4f4954d9d479c57ca556d553795d813603a2b1f83121b
CoinMiner
6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04
CoinMiner
824d90efe2a2835e2cc858198a50daa3b76e830cc2f62ce4aa2f30389fd46078
CoinMiner
8462485220bfcba052d89e06bb3eaf38343b92bc246e391050f6019e70dba6a6
CoinMiner
e143f931ee42c00b0132a92d8ee6439862f81a2f99904e0ec3000f04cf353245
CoinMiner
e15b16fc5ba3994d5576aeb0581adb3bec21dae0ce15904aa93bf26d66e9669d
CoinMiner
ed58046044e126ab8b740bd4d37aa52dd8eebbfd539b607bda4425e6cd3e8c66
CoinMiner
feb1cc6e909be612e822cc7b40b1c2b262836020c719e25ea5a0152b4de87829
CoinMiner
+ 99 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/231119-pg6pdshh48/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Deletes itself
Executes dropped EXE
Creates new service(s)
Stops running service(s)
Unpacked files
SH256 hash:
0bbfe17f684a3946b76fc48fd788b632cac3ad8b4a60ab6207a35d0d80584758
MD5 hash:
74f468bbfea77390b32d574fa2980fb8
SHA1 hash:
180c8e75602d8db6779ccb535d293573a097569b
Link:
https://www.unpac.me/results/b47917c4-ecd7-4b1b-a320-355aa88522a9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0bbfe17f684a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CoinMiner
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/0bbfe17f684a3946b76fc48fd788b632cac3ad8b4a60ab6207a35d0d80584758

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Rootkit_R77_d0367e28
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/459126/

Comments