MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10439267c16298a7db67d926a14d5a5b0ce5e23ab6574439be521bc1239d670e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner.XMRig


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10439267c16298a7db67d926a14d5a5b0ce5e23ab6574439be521bc1239d670e
SHA3-384 hash: b6c129347100ad84bdfe7e0b500f505c03048ba7a1f2aa771c6b8a83a00122412e1b989bc2aa351975dd3128b3c36672
SHA1 hash: 8083ddce92667ee0cdbef98e47364e88d25e7e48
MD5 hash: 7c06efa26bba24886f5106d4c35e2e96
humanhash: edward-pennsylvania-pasta-triple
File name:9719_1648118128_858.exe
Download: download sample
Signature CoinMiner.XMRig
Create hunting rule
File size:3'288'520 bytes
First seen:2022-03-25 06:59:19 UTC
Last seen:2024-07-24 11:18:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4e4095a0d90406c8428c5d9a9c6b05b7 (26 x CoinMiner, 4 x CoinMiner.XMRig)
ssdeep 98304:5ciUC0dWMo7JhDJWGfGL7j8aB9NsvFY1ivQ:5czlpSJKGg7jlPNsa1i
Threatray 18 similar samples on MalwareBazaar
TLSH T133E502BD62943798C45BC9349033ED05B2B6566E43F4D5AE72CBBAC03BAB414DA01F4B
Reporter JAMESWT_WT
Tags:CoinMiner.XMRig exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New folder (7).rar
Verdict:
No threats detected
Analysis date:
2022-03-25 03:25:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d7a2d4a7-35a5-4518-99e2-a90c58d59c7c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/257517/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.47277.30421.18336.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% subdirectories
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/11279/overview
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer overlay packed
Link:
https://www.filescan.io/uploads/623d6884a19c6494128c2c6e/reports/dfddb985-4281-4288-a627-97db7c9c8a51/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5e087631-6073-4cf8-8ae4-5793301f8ea4
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/964484
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Blacklisted process start detected (Windows program)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Notepad Making Network Connection
Sigma detected: Suspicious Process Parents
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 596966 Sample: 9719_1648118128_858.exe Startdate: 25/03/2022 Architecture: WINDOWS Score: 100 68 easyproducts.org 2->68 78 Sigma detected: Xmrig 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for URL or domain 2->82 84 9 other signatures 2->84 9 9719_1648118128_858.exe 1 5 2->9         started        14 RegHost.exe 1 2->14         started        signatures3 process4 dnsIp5 70 185.137.234.33, 49767, 49769, 8080 SELECTELRU Russian Federation 9->70 58 C:\Users\user\AppData\...\RegModule.exe, PE32+ 9->58 dropped 60 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 9->60 dropped 62 C:\Users\user\AppData\Roaming\...\RegData.exe, PE32+ 9->62 dropped 64 C:\Users\user\AppData\...\OneDrive.exe, PE32+ 9->64 dropped 86 Hijacks the control flow in another process 9->86 88 Injects code into the Windows Explorer (explorer.exe) 9->88 90 Writes to foreign memory regions 9->90 98 2 other signatures 9->98 16 notepad.exe 1 9->16         started        20 explorer.exe 1 9->20         started        22 bfsvc.exe 1 9->22         started        24 conhost.exe 9->24         started        92 Multi AV Scanner detection for dropped file 14->92 94 Allocates memory in foreign processes 14->94 96 Modifies the context of a thread in another process (thread injection) 14->96 26 notepad.exe 1 14->26         started        28 explorer.exe 1 14->28         started        30 bfsvc.exe 1 14->30         started        32 conhost.exe 14->32         started        file6 signatures7 process8 dnsIp9 66 xmr.2miners.com 51.89.96.41 OVHFR France 16->66 72 System process connects to network (likely due to code injection or exploit) 16->72 74 Query firmware table information (likely to detect VMs) 16->74 76 Blacklisted process start detected (Windows program) 16->76 34 conhost.exe 16->34         started        36 curl.exe 1 20->36         started        38 curl.exe 1 20->38         started        40 curl.exe 20->40         started        48 2 other processes 20->48 42 conhost.exe 22->42         started        44 conhost.exe 26->44         started        50 2 other processes 28->50 46 conhost.exe 30->46         started        signatures10 process11 process12 52 conhost.exe 36->52         started        54 conhost.exe 38->54         started        56 conhost.exe 40->56         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/10439267c16298a7db67d926a14d5a5b0ce5e23ab6574439be521bc1239d670e/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-03-24 23:02:04 UTC
File Type:
PE+ (Exe)
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cbbzez6bmkmkpw3h3etkctk2lmgolyr2wzluion6kin4ci45m4ha._file
Verdict:
unknown
Similar samples:
4109d37d472fafa83b2c8303afd3fe9c25d58e763d706ae8f660a9f150971665
CoinMiner.XMRig
69a7e42a1c0b9413c66f96880ba467ebe5b103740224f0d90dd5ad0862e37a5d
CoinMiner.XMRig
6aa5078347357a441ef4427f92696b1d87bca4602c34ce794dbb051463e137f1
CoinMiner.XMRig
d4d4c170bf58fd8d9879f634a19c7acf68a6c4c5848eae9455987a7c21f14b40
CoinMiner.XMRig
f563d62dbc6bcf5f8c0f977bcd3bc66d39ee43cc5abdd63d3de105755dab3f91
CoinMiner.XMRig
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan upx
Link:
https://tria.ge/reports/220325-hsrw2sfgfj/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Downloads MZ/PE file
UPX packed file
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
10439267c16298a7db67d926a14d5a5b0ce5e23ab6574439be521bc1239d670e
MD5 hash:
7c06efa26bba24886f5106d4c35e2e96
SHA1 hash:
8083ddce92667ee0cdbef98e47364e88d25e7e48
Link:
https://www.unpac.me/results/2d4e7dda-c1e0-4245-8d8a-ea66b635fa6e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/10439267c16298a7db67d926a14d5a5b0ce5e23ab6574439be521bc1239d670e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_CoinMiner02
Create hunting rule
Author:ditekSHen
Description:Detects coinmining malware
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:MAL_XMR_Miner_May19_1_RID2E1B
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:rig_win64_xmrig_6_13_1_xmrig
Create hunting rule
Author:yarGen Rule Generator
Description:rig_win64 - file xmrig.exe
Reference:https://github.com/Neo23x0/yarGen

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/257517/

Comments