MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19561969de9f77cf014c808177cbc5113576d07573d16706226e32c2277374b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	19561969de9f77cf014c808177cbc5113576d07573d16706226e32c2277374b7
SHA3-384 hash:	9db3c407c2085edef8d5df3ed7d634c0754cf1a2f379d8fd04f07ed9f43c567adecdb1ecdfcf0cec8dbefb24f3baad6e
SHA1 hash:	031de0ff90f329b9c2c0ac7eb1810f798bd06f77
MD5 hash:	f53a85e706b1bf9d2c496436cb3b8047
humanhash:	single-ceiling-charlie-comet
File name:	F53A85E706B1BF9D2C496436CB3B8047
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	4'184'064 bytes
First seen:	2022-11-30 16:00:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	98304:w/yQCRfeF3sI6cXEJgw+MC23YMCXlO/f9t3m:wqHRfw3sI6WILrCwHX
Threatray	42 similar samples on MalwareBazaar
TLSH	T1FC16332F28DE34B2FD9779F3C591547BD520B02D6702282932D83E90AA5856F7382DDB
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	EstisRemiel
Tags:	CoinMiner exe

Intelligence

File Origin

# of uploads :

# of downloads :

184

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

F53A85E706B1BF9D2C496436CB3B8047

Verdict:

No threats detected

Analysis date:

2022-11-30 19:26:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b6faa54a-0354-49a2-b81c-6ecfae72248e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/340601/

Detection(s):

Win.Dropper.Coinminer-9942241-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Сreating synchronization primitives

Creating a process from a recently created file

Creating a file

Creating a file in the %AppData% subdirectories

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a process with a hidden window

DNS request

Connecting to a cryptocurrency mining pool

Creating a service

Launching a service

Loading a system driver

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun for a service

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63877e4a5363773888662c8d/reports/c8bdf794-f633-4d9b-ab69-9a21bbef9da1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

LoaderBot, Xmrig

Detection:

malicious

Classification:

troj.expl.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1124237

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found strings related to Crypto-Mining

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Xmrig

Yara detected LoaderBot

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/19561969de9f77cf014c808177cbc5113576d07573d16706226e32c2277374b7/

Threat name:

ByteCode-MSIL.Trojan.DisguisedXMRigMiner

Status:

Malicious

First seen:

2022-03-02 23:30:29 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dflbs2o6t5346akmqcaxps6fce2xnudvopiwobrcnyzmej3tos3q._file

Verdict:

malicious

CoinMiner

217265e900ce6d8b7750e25c9d4560715f2e58be5a2aa9210ba4f9974ae760c8

CoinMiner

48f66e13c00038bb2ec12a58bd34cb79f2cf616230c25224c68b81d6c3d7ebf9

CoinMiner

495b412404af5fc597de31a84cbddf175ea4859c9922b012cf0035406a87c29f

CoinMiner

8d969f9014e5f4c7d2385b96c8a00870e634d271106cb6e684183e012e56aa8e

CoinMiner

9619a55c49642d423d9244bfe2e50b5027c395386056f82bbd10b7134b3d854e

CoinMiner

b4775eb6d51dc4621171d1a378263f93cfe9ce98d98eefd796e5fb24e2c6b25a

CoinMiner

c8da163b0c84637e8e40fb15add10d77ef3853af773f88bec56ff5a03c40e5ad

CoinMiner

+ 32 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:loaderbot family:xmrig loader miner persistence

Link:

https://tria.ge/reports/221130-tgadeagh3t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Adds Run key to start application

Checks computer location settings

Drops startup file

Loads dropped DLL

Executes dropped EXE

LoaderBot executable

XMRig Miner payload

LoaderBot

xmrig

Malware Config

C2 Extraction:

http://alexxmn6.beget.tech/cmd.php

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/04bd8dee-4fa1-48b2-99cb-66628bca931f

Unpacked files

SH256 hash:

19561969de9f77cf014c808177cbc5113576d07573d16706226e32c2277374b7

MD5 hash:

f53a85e706b1bf9d2c496436cb3b8047

SHA1 hash:

031de0ff90f329b9c2c0ac7eb1810f798bd06f77

Link:

https://www.unpac.me/results/1e806f39-9ac4-4a36-9b7e-9dd167797752/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/19561969de9f77cf014c808177cbc5113576d07573d16706226e32c2277374b7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/340601/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample