MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4087249b32bc81f6df39a587acd55b0f0cf59a53d14f734a05886ff3e1bdaaa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4087249b32bc81f6df39a587acd55b0f0cf59a53d14f734a05886ff3e1bdaaa2
SHA3-384 hash: 98d05f873402889ad9ac70da5a83f039aec34d1f2ebc9a9fbc533a8be2e037a636561063ddf79cb0cf9595025f69885e
SHA1 hash: e62cad315cce3c9169b4fae51be5a6e6e47a3b6a
MD5 hash: 557a309f6258e17df2309221b980b4e4
humanhash: maine-utah-nebraska-finch
File name:lib64.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'155'480 bytes
First seen:2022-12-07 05:36:37 UTC
Last seen:2022-12-07 08:33:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash df9a7bc1c6c6cd97d04c3762fdde6719 (18 x CoinMiner, 2 x CoinMiner.XMRig, 1 x PripyatMiner)
ssdeep 49152:IcZSQBj9SKI6YfFprzT/tUllii+CYJItXkDmWeDQ1kB+p:ICnAf7In+CYOpYQc
Threatray 25 similar samples on MalwareBazaar
TLSH T18EA523E5196684ACD1518D3EA9A75B72E941F1281CCC7B3E43C5C1BBEE40F982E0C6DB
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter JAMESWT_WT
Tags:CoinMiner exe github-com-alibaba2044 XMRIG

Intelligence

File Origin
# of uploads :
2
# of downloads :
220
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
lib64.exe
Verdict:
No threats detected
Analysis date:
2022-12-07 05:37:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3f6d553e-f6d8-44e7-8b2f-292ad90a59a2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/343714/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop21.13712.28696.15244.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug overlay packed
Link:
https://www.filescan.io/uploads/639026809a505ad9423dc919/reports/760bee75-7cf5-4db8-ac77-bd62cab0c83c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41c40710-599d-465d-a270-7c01b2864d02
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1129607
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 762331 Sample: lib64.exe Startdate: 07/12/2022 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Antivirus detection for dropped file 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 7 other signatures 2->53 7 updater.exe 3 2->7         started        11 cmd.exe 1 2->11         started        13 lib64.exe 3 2->13         started        15 18 other processes 2->15 process3 file4 38 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 7->38 dropped 40 C:\Users\user\AppData\Local\...\kqdxtsfy.tmp, PE32+ 7->40 dropped 55 Antivirus detection for dropped file 7->55 57 Multi AV Scanner detection for dropped file 7->57 59 Writes to foreign memory regions 7->59 73 4 other signatures 7->73 17 conhost.exe 7->17         started        20 conhost.exe 1 7->20         started        61 Uses powercfg.exe to modify the power settings 11->61 63 Modifies power options to not sleep / hibernate 11->63 22 conhost.exe 11->22         started        24 powercfg.exe 1 11->24         started        32 3 other processes 11->32 42 C:\Users\user\AppData\Roaming\...\updater.exe, PE32+ 13->42 dropped 65 Self deletion via cmd or bat file 13->65 67 Query firmware table information (likely to detect VMs) 15->67 69 Changes security center settings (notifications, updates, antivirus, firewall) 15->69 71 Uses schtasks.exe or at.exe to add and modify task schedules 15->71 26 MpCmdRun.exe 15->26         started        28 WMIC.exe 1 15->28         started        30 conhost.exe 15->30         started        34 15 other processes 15->34 signatures5 process6 dnsIp7 44 216.224.114.154, 22554, 49698, 49699 BCPL-SGBGPNETGlobalASNSG United States 17->44 36 conhost.exe 26->36         started        signatures8 75 Detected Stratum mining protocol 44->75 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4087249b32bc81f6df39a587acd55b0f0cf59a53d14f734a05886ff3e1bdaaa2/
Threat name:
Win64.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2022-11-16 17:41:00 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=icdsjgzsxsa7nxzzuwd2zvk3b4gplgst2fhxgsqfrbx7hyn5vkra._file
Verdict:
malicious
Similar samples:
12f308243fe099acdb7718428e027aa77846efa6f18e6cf8235daaadcb46ed1f
CoinMiner
4b56d0b0c8c52803bf7c21587bd98a16f73f0d6ed4e4153eee1964533ac394ee
CoinMiner
505a09c5be91d9e44a7b459ac5e8961fe01a234c1633a789ba290e94e81fa5f5
CoinMiner
554205366ff07e0fa59789cbf9ba72e1d1966d9d3d1889154408b9c0b4dbd861
CoinMiner
68dd15c384e6d7b3fc6afeda9a17df9ffa55ed29861e9249751488b03abac2fc
CoinMiner
89a342bb20ad895c86665599e40ecd591b2993f5a1b343768dbb7af038aebd31
CoinMiner
b2f930118a0446e664ce121628a1897dbb62e04ccbf8df07cdf24230f4393b28
CoinMiner
e249064e0227b91181a4cc52d2af88b56d10a01cafea2a4962dca3155f0a37d2
CoinMiner
ef1cb9555d780addb510d052b41f070dbdeb931c3f916bf345a419a4d437a167
CoinMiner
+ 15 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner upx
Link:
https://tria.ge/reports/221207-ga56aacd91/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Executes dropped EXE
UPX packed file
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0644d041-dda3-4756-93d1-3d5c098f94cd
Unpacked files
SH256 hash:
4087249b32bc81f6df39a587acd55b0f0cf59a53d14f734a05886ff3e1bdaaa2
MD5 hash:
557a309f6258e17df2309221b980b4e4
SHA1 hash:
e62cad315cce3c9169b4fae51be5a6e6e47a3b6a
Link:
https://www.unpac.me/results/082f5a3a-2c29-48a5-8772-86b03f20cfa0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4087249b32bc81f6df39a587acd55b0f0cf59a53d14f734a05886ff3e1bdaaa2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/343714/

Comments