MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e1ac85dd7f9bba349476b999a3d0dbfe8c79c70cbc3da470abf75211d801706. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e1ac85dd7f9bba349476b999a3d0dbfe8c79c70cbc3da470abf75211d801706
SHA3-384 hash: 6e96c8c17657543aa7dc0a507ad51c8cdb62bbbd922f75b49500d60f13f3cd6921d68cec1c7176a3f857021f215428a5
SHA1 hash: 07c5ae44ce8d03215752da0d177be1cee5b26993
MD5 hash: b1881f6380807ea9bac4c3f5bc68428f
humanhash: nebraska-utah-green-july
File name:KMSPico.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:9'409'671 bytes
First seen:2024-11-29 14:35:45 UTC
Last seen:2024-12-08 13:19:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 40ab50289f7ef5fae60801f88d4541fc (59 x ValleyRAT, 49 x Gh0stRAT, 41 x OffLoader)
ssdeep 196608:lR7cWMp8+baqU6HO5bpnBlnmayviGq+DOCEv8apWz:l9Qp2UHYbp7nmAD+REv8aE
TLSH T164962322F2CBE03EE44E0B3705B6B65494FB7A616827AE4796EC74ACCE350501D3E257
TrID 39.3% (.EXE) Inno Setup installer (107240/4/30)
21.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
15.7% (.EXE) InstallShield setup (43053/19/16)
15.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.8% (.EXE) Win64 Executable (generic) (10522/11/4)
Magika pebin
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter 4k95m
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
433
Origin country :
JP JP
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
KMSPico.exe
Verdict:
Malicious activity
Analysis date:
2024-11-29 14:44:22 UTC
Tags:
amsi-bypass
Link:
https://app.any.run/tasks/5ba96b77-c274-404d-b0a2-ca8aaa771499

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.DownLoad4.16298.18686.14967.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6749d28ae64d1c722d7a2778
Tags:
autorun emotet
Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
embarcadero_delphi fingerprint installer overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/6749d1698faee89e65c75b86/reports/16962e8b-8e33-445a-988b-49be16376005/overview
Verdict:
Suspicious
Labled as:
Riskware
Link:
https://www.hybrid-analysis.com/sample/2e1ac85dd7f9bba349476b999a3d0dbfe8c79c70cbc3da470abf75211d801706
Malware family:
XMRig Miner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d240fe93-dc67-4c5e-8f56-2fbbf79c52cb
Result
Threat name:
n/a
Detection:
malicious
Classification:
phis.adwa.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1565306
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (creates a PE file in dynamic memory)
Disables the Smart Screen filter
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Disable power options
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
Suspicious powershell command line found
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1565306 Sample: KMSPico.exe Startdate: 29/11/2024 Architecture: WINDOWS Score: 96 108 231.12.13.0.in-addr.arpa 2->108 110 www.google.com 2->110 126 Multi AV Scanner detection for dropped file 2->126 128 Multi AV Scanner detection for submitted file 2->128 130 Detected unpacking (creates a PE file in dynamic memory) 2->130 132 16 other signatures 2->132 12 KMSPico.exe 2 2->12         started        15 AutoPico.exe 2->15         started        18 svchost.exe 2->18         started        signatures3 process4 dnsIp5 106 C:\Users\user\AppData\Local\...\KMSPico.tmp, PE32 12->106 dropped 20 KMSPico.tmp 24 8 12->20         started        112 www.google.com 142.250.181.100 GOOGLEUS United States 15->112 114 8.8.8.8 GOOGLEUS United States 15->114 23 WerFault.exe 15->23         started        116 127.0.0.1 unknown unknown 18->116 file6 process7 file8 84 C:\...\unins000.exe (copy), PE32 20->84 dropped 86 C:\Program Files (x86)\...\is-LI7HD.tmp, PE32 20->86 dropped 88 C:\Program Files (x86)\...\is-9O8OH.tmp, PE32 20->88 dropped 90 4 other files (3 malicious) 20->90 dropped 25 WindowsDefender.exe 1 2 20->25         started        29 KMSpico_setup.exe 2 20->29         started        process9 file10 100 C:\ProgramData\Windows\WindowsDefender.exe, PE32+ 25->100 dropped 102 C:\Windows\System32\drivers\etc\hosts, ASCII 25->102 dropped 134 Modifies the context of a thread in another process (thread injection) 25->134 136 Modifies the hosts file 25->136 138 Adds a directory exclusion to Windows Defender 25->138 140 Modifies power options to not sleep / hibernate 25->140 31 sc.exe 25->31         started        33 powershell.exe 23 25->33         started        36 cmd.exe 25->36         started        41 12 other processes 25->41 104 C:\Users\user\AppData\...\KMSpico_setup.tmp, PE32 29->104 dropped 38 KMSpico_setup.tmp 22 487 29->38         started        signatures11 process12 file13 43 conhost.exe 31->43         started        118 Found suspicious powershell code related to unpacking or dynamic code loading 33->118 120 Loading BitLocker PowerShell Module 33->120 45 conhost.exe 33->45         started        48 WmiPrvSE.exe 33->48         started        58 2 other processes 36->58 92 C:\Windows\...\Vestris.ResourceLib.dll (copy), PE32 38->92 dropped 94 C:\Windows\System32\is-U8R4K.tmp, PE32 38->94 dropped 96 C:\Windows\System32\is-AGLKR.tmp, PE32 38->96 dropped 98 18 other files (17 malicious) 38->98 dropped 122 Detected unpacking (creates a PE file in dynamic memory) 38->122 124 Disables the Smart Screen filter 38->124 50 cmd.exe 38->50         started        52 KMSELDI.exe 38->52         started        54 cmd.exe 38->54         started        56 UninsHs.exe 38->56         started        60 12 other processes 41->60 signatures14 process15 signatures16 62 powershell.exe 43->62         started        65 lsass.exe 43->65 injected 67 winlogon.exe 43->67 injected 77 5 other processes 43->77 142 Suspicious powershell command line found 45->142 144 Obfuscated command line found 45->144 146 Uses schtasks.exe or at.exe to add and modify task schedules 50->146 69 conhost.exe 50->69         started        71 sc.exe 50->71         started        148 Found direct / indirect Syscall (likely to bypass EDR) 52->148 73 conhost.exe 54->73         started        75 schtasks.exe 54->75         started        process17 signatures18 150 Writes to foreign memory regions 62->150 152 Modifies the context of a thread in another process (thread injection) 62->152 154 Injects a PE file into a foreign processes 62->154 79 dllhost.exe 62->79         started        82 conhost.exe 62->82         started        process19 signatures20 156 Injects code into the Windows Explorer (explorer.exe) 79->156 158 Contains functionality to inject code into remote processes 79->158 160 Writes to foreign memory regions 79->160 162 3 other signatures 79->162
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2e1ac85dd7f9bba349476b999a3d0dbfe8c79c70cbc3da470abf75211d801706
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e1ac85dd7f9bba349476b999a3d0dbfe8c79c70cbc3da470abf75211d801706/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-11-12 05:01:25 UTC
File Type:
PE (Exe)
AV detection:
15 of 38 (39.47%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fynmqxox7g52gskhnomzupinx7umphdqzpb5urykx52schmac4da._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion execution persistence
Link:
https://tria.ge/reports/241129-ryj8ts1jct/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Power Settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Drops file in Drivers directory
Stops running service(s)
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3ce6fe1b-e67c-401c-bc7b-88b1ed8f4e89
Unpacked files
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/1c7c5cc9-3771-4257-aa9f-a190323a24bb/
SH256 hash:
a256ae68963d288680177a667159f6ee65a8b467d6c4a6692ac2e12c8083867d
MD5 hash:
37e99101b19cb1054cb0cc5a3a45d43a
SHA1 hash:
21e43c498a487174d59e7fe15594c456bd300dcb
Link:
https://www.unpac.me/results/1c7c5cc9-3771-4257-aa9f-a190323a24bb/
SH256 hash:
e09cb0ebca7a432bdd626966f7e13c8bbee14dbf4ba8802ee20b77a9c91cc9ae
MD5 hash:
24a32064f323db6a399c9b958f807bc1
SHA1 hash:
ff3202ccacce6c96e79315140ee809b8b5ae4321
Link:
https://www.unpac.me/results/1c7c5cc9-3771-4257-aa9f-a190323a24bb/
SH256 hash:
2e1ac85dd7f9bba349476b999a3d0dbfe8c79c70cbc3da470abf75211d801706
MD5 hash:
b1881f6380807ea9bac4c3f5bc68428f
SHA1 hash:
07c5ae44ce8d03215752da0d177be1cee5b26993
Link:
https://www.unpac.me/results/1c7c5cc9-3771-4257-aa9f-a190323a24bb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e1ac85dd7f9bba349476b999a3d0dbfe8c79c70cbc3da470abf75211d801706

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 2e1ac85dd7f9bba349476b999a3d0dbfe8c79c70cbc3da470abf75211d801706

(this sample)

CoinMiner

Executable exe e492c77d4584e952218e5183b68aacab3cbc0d46ad5a08863daa1ada03aa5443

  
Delivery method
Distributed via web download
  
Dropping
SHA256 e492c77d4584e952218e5183b68aacab3cbc0d46ad5a08863daa1ada03aa5443
  
Dropping
MD5 dc7090e5881a1255e747aa562e6b6a16

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::AllocateAndInitializeSid
advapi32.dll::ConvertSidToStringSidW
advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
advapi32.dll::EqualSid
advapi32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
advapi32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
advapi32.dll::OpenThreadToken
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetVolumeInformationW
kernel32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetSystemDirectoryW
kernel32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments