MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 354d75a7702604c1424e1e922958a93e5911ed356a5736f1a0f4de84eca02412. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 354d75a7702604c1424e1e922958a93e5911ed356a5736f1a0f4de84eca02412
SHA3-384 hash: 702902f029972128a87a6c60ee83513b93495310f1c7959e1af22bc607b7497ffb6ac330d591d2e94b040e64a4483c44
SHA1 hash: 5d113feccaf88956be8e0d917f1ea7dd5bb54377
MD5 hash: 8e7189bc1559c135c28ccfbbb57b8332
humanhash: echo-iowa-jig-lactose
File name:60668405.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:5'631'654 bytes
First seen:2022-03-19 04:55:30 UTC
Last seen:2022-03-19 06:43:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 31023d5744de3370464ffe7b77a57d1d (2 x CoinMiner)
ssdeep 98304:LZ97cdM6kVunOON+b/ROdw758l0SG04Ip5NJVWgdFb+rS3vY:F9uM6kQt+8CSGbCnZb+9
Threatray 2'052 similar samples on MalwareBazaar
TLSH T17446336BEB133D45CA7788B44F2C06978482030B9DDD9D9AED8E918F27296E37903D17
Reporter adm1n_usa32
Tags:64 CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/252877/
Detection(s):
SecuriteInfo.com.Variant.Midie.101505.16483.13243.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
donut packed
Link:
https://www.filescan.io/uploads/62356267b94fb38cb4aa33a7/reports/7f1808ac-6777-4a8a-b275-ad1f59784899/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/21c31136-8c09-451b-aa98-be1fb892fbad
Result
Threat name:
BitCoin Miner Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/960059
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Drops PE files with benign system names
Found strings related to Crypto-Mining
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: File Created with System Process Name
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 592542 Sample: 60668405.exe Startdate: 19/03/2022 Architecture: WINDOWS Score: 100 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus / Scanner detection for submitted sample 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 6 other signatures 2->61 11 60668405.exe 2->11         started        14 services.exe 2->14         started        process3 signatures4 71 Query firmware table information (likely to detect VMs) 11->71 73 Writes to foreign memory regions 11->73 75 Allocates memory in foreign processes 11->75 83 3 other signatures 11->83 16 conhost.exe 6 11->16         started        77 Antivirus detection for dropped file 14->77 79 Multi AV Scanner detection for dropped file 14->79 81 Tries to detect sandboxes and other dynamic analysis tools (window names) 14->81 20 conhost.exe 2 14->20         started        process5 file6 45 C:\Users\user\AppData\...\services.exe, PE32+ 16->45 dropped 47 C:\Users\...\services.exe:Zone.Identifier, ASCII 16->47 dropped 53 Drops PE files with benign system names 16->53 22 cmd.exe 1 16->22         started        24 cmd.exe 1 16->24         started        signatures7 process8 signatures9 27 services.exe 22->27         started        30 conhost.exe 22->30         started        65 Uses schtasks.exe or at.exe to add and modify task schedules 24->65 32 conhost.exe 24->32         started        34 schtasks.exe 1 24->34         started        process10 signatures11 85 Query firmware table information (likely to detect VMs) 27->85 87 Writes to foreign memory regions 27->87 89 Allocates memory in foreign processes 27->89 91 3 other signatures 27->91 36 conhost.exe 7 27->36         started        process12 file13 49 C:\Users\user\AppData\...\sihost64.exe, PE32+ 36->49 dropped 51 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 36->51 dropped 63 Sample is not signed and drops a device driver 36->63 40 sihost64.exe 36->40         started        signatures14 process15 signatures16 67 Antivirus detection for dropped file 40->67 69 Multi AV Scanner detection for dropped file 40->69 43 conhost.exe 40->43         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/354d75a7702604c1424e1e922958a93e5911ed356a5736f1a0f4de84eca02412/
Threat name:
Win64.Packed.Themida
Create hunting rule
Status:
Malicious
First seen:
2022-03-03 14:37:50 UTC
File Type:
PE+ (Exe)
AV detection:
23 of 27 (85.19%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
0228149fc99d9323a5f2cfe773e1fac2652c043b1e591d4270472b08df7d85e8
CoinMiner
35d04737f87fbd1cb97d05dda7d795b419ddc767131034a0d00193b8f68f3330
CoinMiner
3a40d13ba6b30c31d8d5380b61806ec76355f4c10a3c242eff71ddc020907be7
CoinMiner
596b8d2ea9be082c0eea726b7217597fe293eef85069a8dd03a6024b48c7a199
CoinMiner
5ddc2cf610e2d96fd8c46286bf28c201d3435f2e848302657376ff6feace226b
CoinMiner
60a79ee81b8cddb7dd3dfce0855e2eb6597540fd33249ac41c381f5787f17ef8
CoinMiner
829e4cdc3b9823f5967f4d84c0a5f0e654e95760d09eb5de9c9ad91544dc9478
CoinMiner
ac085734d51ca988db79b3078badc4ce24481eee7ef68db8811b1a98d2b3980c
CoinMiner
d63c19155af0a329cd61cd832d7c4d2d5bbcb61067ea764283b664605979864f
CoinMiner
+ 2'042 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/220319-fkp2dacac8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
354d75a7702604c1424e1e922958a93e5911ed356a5736f1a0f4de84eca02412
MD5 hash:
8e7189bc1559c135c28ccfbbb57b8332
SHA1 hash:
5d113feccaf88956be8e0d917f1ea7dd5bb54377
Link:
https://www.unpac.me/results/a347c257-941f-4f96-98dc-e3aef1ac1e24/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/354d75a7702604c1424e1e922958a93e5911ed356a5736f1a0f4de84eca02412

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 354d75a7702604c1424e1e922958a93e5911ed356a5736f1a0f4de84eca02412

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2072770/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2072854/
  
URLhaus
https://urlhaus.abuse.ch/url/2072972/
  
URLhaus
https://urlhaus.abuse.ch/url/2073158/
Cape
Cape
https://www.capesandbox.com/analysis/252877/

Comments