MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29d0e1b77452621e42cf4efe225d0347742e3f6bc8f85ffe26b33ba589c0445c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: CoinMiner
Vendor detections: 8



SHA256 hash: 29d0e1b77452621e42cf4efe225d0347742e3f6bc8f85ffe26b33ba589c0445c
SHA3-384 hash: 535f57dd3c743bac07acf1f1ba39b96e0d44aa11270bf1b21b84758b7aabf14687268d4abf6cacca927c196c4ece8a87
SHA1 hash: 9f6cba62bb7fca540062b6ae63ea7fb511f367f4
MD5 hash: 9320b373f95c240b46b01f814508b48b
humanhash: william-apart-november-harry
File name: SecuriteInfo.com.Trojan.GenericKD.46284216.26505.27691
Signature: CoinMiner
File size: 98'304 bytes
First seen: 2021-05-13 15:08:10 UTC
Last seen: 2021-05-14 03:03:17 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 1536:o5k2jlQtfNyXqLRF6CI/f6W7pE/6AYQrYjCWNEz:ONQtYXERkC09E/60ce
Threatray: 64 similar samples on MalwareBazaar
TLSH: D1A30916B7965B12C6A91678C1EB483503F2EBC36273D75ABD4443CA0F523E98D8E7C8
Reporter: SecuriteInfoCom
Tags: CoinMiner

Intelligence


File Origin
# of uploads: 2
# of downloads: 354
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: obf.exe
Verdict: Malicious activity
Analysis date: 2021-05-13 12:56:51 UTC
Tags: loader trojan miner

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file
Creating a process from a recently created file
Deleting a recently created file
Replacing files
Launching a process
DNS request
Connecting to a cryptocurrency mining pool
Sending a custom TCP request
Creating a service
Launching a service
Loading a system driver
Sending a UDP request
Running batch commands
Creating a window
Enabling autorun for a service
Sending an HTTP GET request to an infection source
Unauthorized injection to a browser process
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
Detection: malicious
Classification: spyw.expl.evad.mine
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
DNS related to crypt mining pools
Drops PE files with benign system names
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Generic Dropper
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID: 413544; Sample: SecuriteInfo.com.Trojan.Gen...; Startdate: 13/05/2021; Architecture: WINDOWS; Score: 100)

Top-level signatures:
  Malicious sample detected (through community Yara rule)
  Antivirus detection for URL or domain
  Antivirus detection for dropped file
  12 other signatures

Process tree (dropped files, network destinations and signatures attached to the process that produced them):
  SecuriteInfo.com.Trojan.GenericKD.46284216.26505.exe (started)
    Network: 45.144.225.135, ports 49736, 49742, 80 (DEDIPATH-LLCUS, Netherlands)
    Dropped: C:\Users\user\AppData\Local\Tempzi8.exe (PE32)
    Dropped: SecuriteInfo.com.T...84216.26505.exe.log (ASCII)
    Tempzi8.exe (started)
      Dropped: C:\ProgramData\LKBNMTFJgl\csrss.exe (PE32)
      Dropped: C:\ProgramData\LKBNMTFJgl\csrss (PE32)
      Dropped: C:\ProgramData\LKBNMTFJgl\r.vbs (data)
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 6 other signatures
      notepad.exe (started)
        Network: 142.44.243.6, ports 14444, 49748 (OVHFR, Canada); signature on this connection: Detected Stratum mining protocol
        DNS: xmr-us-east1.nanopool.org
        Signature: System process connects to network (likely due to code injection or exploit)
      cmd.exe (started)
        wscript.exe (started)
          Dropped: C:\Users\user\AppData\...\viTRMUuKeV.url (MS)
        conhost.exe (started)
      FSwtLjaXEZh.exe (injected)
  svchost.exe (started)
  svchost.exe (started)
  2 other processes
Threat name: Win32.Coinminer.BitCoinMiner
Status: Malicious
First seen: 2021-05-12 06:23:00 UTC
AV detection: 19 of 29 (65.52%)
Threat level: 4/5

Result
Malware family:
Score: 10/10
Tags: family:xmrig miner upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
XMRig Miner Payload
xmrig
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: pe_imphash

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: XMRIG_Miner

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File: Executable exe 29d0e1b77452621e42cf4efe225d0347742e3f6bc8f85ffe26b33ba589c0445c (this sample)

Delivery method: Distributed via web download
