MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e8f24c1bc2dfb3731d1c30956e51219481c6b5ee7b17039cf82ece4c5f0cbc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e8f24c1bc2dfb3731d1c30956e51219481c6b5ee7b17039cf82ece4c5f0cbc2
SHA3-384 hash: 79d54646273e98e7655621650a472ec928a95f01a4301510f7b01332d1f1459c2de52cc23eef59f028d1af4aa1963a65
SHA1 hash: 802ca243bb189eedf6f9cd737dc7cc870e886539
MD5 hash: 8dd5500a5633584939b9ccb821f06817
humanhash: echo-montana-low-lima
File name:java.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:3'664'896 bytes
First seen:2021-02-02 03:00:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 98304:scuT6OEnwg9+WgcuT6OEnlzWocuT6OEn9Wiz:6TgwnW2TglzWOTg9Wiz
Threatray 35 similar samples on MalwareBazaar
TLSH A506E010AEDEA827C07761B38573FA3A3408EF8DABF7889B5B5ED41964D22170167C1D
Reporter r3dbU7z
Tags:CoinMiner exe miner

Intelligence

File Origin
# of uploads :
1
# of downloads :
725
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
java.exe
Verdict:
No threats detected
Analysis date:
2021-02-02 03:01:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1134c8eb-a9fa-40a2-b4ab-ec2e4cbbad7c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/115055/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Sending a UDP request
Launching a process
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/596114
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates autostart registry keys to launch java
Drops PE files to the user root directory
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 347096 Sample: java.exe Startdate: 02/02/2021 Architecture: WINDOWS Score: 100 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus / Scanner detection for submitted sample 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 4 other signatures 2->54 8 java.exe 1 3 2->8         started        12 java.exe 2->12         started        14 java.exe 2->14         started        process3 file4 32 C:\Users\user\java.exe, PE32+ 8->32 dropped 34 C:\Users\user\AppData\Local\...\java.exe.log, ASCII 8->34 dropped 56 Creates autostart registry keys to launch java 8->56 58 Drops PE files to the user root directory 8->58 60 Exploit detected, runtime environment dropped PE file 8->60 16 java.exe 8->16         started        62 Injects code into the Windows Explorer (explorer.exe) 12->62 64 Writes to foreign memory regions 12->64 66 Allocates memory in foreign processes 12->66 19 explorer.exe 1 12->19         started        68 Modifies the context of a thread in another process (thread injection) 14->68 70 Injects a PE file into a foreign processes 14->70 21 explorer.exe 1 14->21         started        signatures5 process6 signatures7 38 Antivirus detection for dropped file 16->38 40 Multi AV Scanner detection for dropped file 16->40 42 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->42 46 5 other signatures 16->46 23 explorer.exe 16->23         started        44 System process connects to network (likely due to code injection or exploit) 19->44 26 conhost.exe 19->26         started        28 conhost.exe 21->28         started        process8 dnsIp9 36 149.56.111.91, 443 OVHFR Canada 23->36 30 WerFault.exe 23->30         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e8f24c1bc2dfb3731d1c30956e51219481c6b5ee7b17039cf82ece4c5f0cbc2/
Threat name:
ByteCode-MSIL.Trojan.CoinMiner
Create hunting rule
Status:
Malicious
First seen:
2020-04-12 15:10:59 UTC
AV detection:
21 of 31 (67.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b2hsjqn4fx5tomorymevnzisdfeby22646yxaoopqlwojrpqzpba._file
Verdict:
malicious
Similar samples:
2b94b4f8b8f3276f8c41a035a5963d8251c587be6c9fa9e6eb51d8839f51cc69
CoinMiner
390a3c19f40c0c0cc56ae4c15c6f8aa159c00d08887ac52d0d8d7a5d1eb51b0c
CoinMiner
7210dc31f2e68cbad04a8e9167b76554db1f7c46b0bcd0c23c43be9b85cb67e7
CoinMiner
b1843804becf4e44da1fcdf44b5c1f1efe3f24cc342c4232dfcbd03814abb50d
CoinMiner
b620d76117123aa2d044495ee0c0d85b5c1ba0985cb53cb149a350da07ea003c
CoinMiner
bf5d5c28bec7bdcf41fad771fd465ba6bb9a56e053c9470a6e10293466109d3c
CoinMiner
c6ef2fa76295250302a28b6ab29ea1cb71845aaba07b027717f9766a52c94cc2
CoinMiner
d6260dfe90cbc3e03a188d9e1128d14b3b17b851fb7f13da97ae67ffc50e35ec
CoinMiner
dea877be3b8ceb7eb4cb1bb40895bc6886d3ccb0f2498e7b3c4257d726a7d896
CoinMiner
f7a8d3fb89711f208f281c267ed8dd647cda207ecb514d37892b56a0ddafbe9a
CoinMiner
+ 25 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner persistence ransomware upx
Link:
https://tria.ge/reports/210202-zqklsvl1ma/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
UPX packed file
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
0e8f24c1bc2dfb3731d1c30956e51219481c6b5ee7b17039cf82ece4c5f0cbc2
MD5 hash:
8dd5500a5633584939b9ccb821f06817
SHA1 hash:
802ca243bb189eedf6f9cd737dc7cc870e886539
Link:
https://www.unpac.me/results/af19ccc7-aca8-49ef-a0ba-80a550d3ff28/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e8f24c1bc2dfb3731d1c30956e51219481c6b5ee7b17039cf82ece4c5f0cbc2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:XMRIG_Miner
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/115055/

Comments