MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 162d0b27db414f15b5ae0870b2a4132b7fad64f8471441541ff153c2aded121a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 9



SHA256 hash: 162d0b27db414f15b5ae0870b2a4132b7fad64f8471441541ff153c2aded121a
SHA3-384 hash: 1f778a8f0016fd883c42dd4205cbc35490a6c18915045043ba4c8b6639b09925980f8859279903bf5965bd983b54a486
SHA1 hash: ce99666345ec72cbe5f02e5c5fd5d0557d1871a2
MD5 hash: d37b04c7e2409013654cfa2278c6d305
humanhash: sweet-fourteen-arizona-earth
File name: 14352078.exe
Signature: CoinMiner
File size: 233'472 bytes
First seen: 2022-03-18 05:01:15 UTC
Last seen: 2022-03-18 06:36:10 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 6144:j3zj35u1p/1tCna+IUjsUyv5LQdM5QNcTHBJbjNcjhUo61mavmklov0g/+d7:jzjJuv/HChIUYUyv5LQdM5QNcTH7bjNt
Threatray: 1'622 similar samples on MalwareBazaar
TLSH: T1BB34459D766072EFC857D472DEA82CA8EA5074BB931B4203902715EDEE4D89BDF140F2
Reporter: adm1n_usa32
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 266
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Searching for the window
Launching a process
Searching for synchronization primitives
Searching for the Windows task manager window
Creating a file in the %temp% directory
Sending an HTTP GET request
Creating a window
Creating a file
Sending an HTTP POST request
Unauthorized injection to a recently created process
Launching a tool to kill processes
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: obfuscated packed replace.exe
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Command shell drops VBS files
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Xmrig
Uses known network protocols on non-standard ports
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: rendered as an image on the original page. Behavior Graph ID: 591729, Sample: 14352078.exe, Startdate: 18/03/2022, Architecture: WINDOWS, Score: 100. The graph shows 14352078.exe dropping Windows Security.exe (together with its Zone.Identifier stream), launching cmd.exe, powershell.exe, taskkill.exe and cscript.exe, dropping tmpCDDD.vbs, tmp58CC.vbs and c.exe under the user's AppData directories, and contacting pool.hashvault.pro (131.153.142.106) and 111.90.143.200.
Threat name: ByteCode-MSIL.Trojan.CoinminerX
Status: Malicious
First seen: 2022-03-18 05:02:11 UTC
File Type: PE (.Net Exe)
AV detection: 22 of 27 (81.48%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig miner
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SHA256 hash: efad7d7350b02ad2dae120427b315816a22bb5b15d114a8b512d1218b8b84652
MD5 hash: d25e6339424193a8b8858d256fa802fa
SHA1 hash: 480d96dee6ff58cb55684a4ba5da880f01d0f7b0
SHA256 hash: 162d0b27db414f15b5ae0870b2a4132b7fad64f8471441541ff153c2aded121a
MD5 hash: d37b04c7e2409013654cfa2278c6d305
SHA1 hash: ce99666345ec72cbe5f02e5c5fd5d0557d1871a2
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar, as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments