MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40632f3f01035117faab6039b820848825ff839b472a02f11827784b428ac3eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner
Vendor detections: 8


SHA256 hash: 40632f3f01035117faab6039b820848825ff839b472a02f11827784b428ac3eb
SHA3-384 hash: cdda2386351d6659c84c919b2e46973ebc0d0b86cc120c2890d4cc0d9cf4559c84dc17da7ada7e8e5ad1708503dcaabc
SHA1 hash: f1abac73efa2ef4fe098b22ba43b1b7ef280f5fe
MD5 hash: 3ab2c790255aaeb328042c08a8ded716
humanhash: lemon-nineteen-helium-vermont
File name: 3ab2c790255aaeb328042c08a8ded716
Signature: CoinMiner
File size: 8'997'599 bytes
First seen: 2021-10-05 10:14:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (875 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 196608:Rny7oqJvgcH5VopN9htDTi8g2oqA1P7D416odVJ5BUTCnc:JTq3OrtD2L2oqA10p5BgCc
Threatray: 1'176 similar samples on MalwareBazaar
TLSH: T12896331934D545B3C2362AB22C68DF2621A1B9242F009FD5D3CD1BB9A7713F1EB39762
dhash icon: c824b2d9cc63b358 (1 x CoinMiner)
Reporter: zbetcheckin
Tags: 32 CoinMiner exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 234
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the Program Files subdirectories
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed
Result
Threat name: BitCoin Miner Xmrig
Detection: malicious
Classification: spyw.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 497104; sample XC59Xztorr; start date 05/10/2021; architecture WINDOWS; score 100), recovered from the graph rendering:

Network contacts:
sanctam.net (185.65.135.234, ports 49755, 58899; ESAB-ASSE, Sweden), from the sample
pool.hashvault.pro (131.153.56.98, ports 49760, 80; CWIEUS, United States), from the sample
bitbucket.org (104.192.141.1, ports 443, 49758; AMAZON-02US, United States), from the sample
discord.com (162.159.137.232, ports 443, 49747; CLOUDFLARENETUS, United States), from the second token-grabber.exe instance

Signatures at sample level: Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); System process connects to network (likely due to code injection or exploit); 5 other signatures

Process tree (dropped files and per-process signatures in brackets):
XC59Xztorr.exe
  drops C:\Users\user\AppData\...\token-grabber.exe (PE32+) and C:\Users\user\AppData\Local\BestSOFT.exe (PE32)
  starts BestSOFT.exe and token-grabber.exe
  BestSOFT.exe
    drops C:\Users\user\AppData\...\finalGG.sfx.exe (PE32) [Multi AV Scanner detection for dropped file]
    starts finalGG.sfx.exe
      finalGG.sfx.exe drops C:\Users\user\AppData\Local\...\finalGG.exe (PE32), starts finalGG.exe
      finalGG.exe drops C:\Users\user\AppData\...\final33.sfx.exe (PE32), starts final33.sfx.exe
      final33.sfx.exe drops C:\Users\user\AppData\Local\final33.exe (PE32), starts final33.exe
      final33.exe drops C:\Users\user\AppData\Local\file1.sfx.exe (PE32), starts cmd.exe
      cmd.exe [Uses ipconfig to lookup or modify the Windows network settings] starts file1.sfx.exe, conhost.exe (two instances) and choice.exe
      file1.sfx.exe drops C:\Users\user\AppData\Local\file1.exe (PE32), starts file1.exe
      file1.exe drops C:\Users\user\AppData\Roaming\file.sfx.exe (PE32), starts cmd.exe
  token-grabber.exe
    drops C:\Users\user\AppData\...\unicodedata.pyd (PE32+), C:\Users\user\AppData\Local\...\select.pyd (PE32+), C:\Users\user\AppData\Local\...\python39.dll (PE32+) and 16 other files (none is malicious)
    starts a second token-grabber.exe, which connects to discord.com [Tries to harvest and steal browser information (history, passwords, etc)]
Steam64.exe [Adds a directory exclusion to Windows Defender]
  starts cmd.exe [Adds a directory exclusion to Windows Defender], which starts conhost.exe
svchost.exe
Threat name: Win32.Trojan.Bingoml
Status: Malicious
First seen: 2021-10-02 13:48:13 UTC
AV detection: 17 of 28 (60.71%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig miner pyinstaller spyware stealer
Behaviour
Creates scheduled task(s)
Gathers network information
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SHA256 hash: 40632f3f01035117faab6039b820848825ff839b472a02f11827784b428ac3eb
MD5 hash: 3ab2c790255aaeb328042c08a8ded716
SHA1 hash: f1abac73efa2ef4fe098b22ba43b1b7ef280f5fe
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: Executable exe
SHA256 hash: 40632f3f01035117faab6039b820848825ff839b472a02f11827784b428ac3eb (this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2021-10-05 10:14:58 UTC

url: hxxps://qddg.zarkada.ru/1906116528.exe