MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40995019652863343f9ad35ce8f3519e84526fd8013fb85e48cc11675e2fb567. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40995019652863343f9ad35ce8f3519e84526fd8013fb85e48cc11675e2fb567
SHA3-384 hash: e44f0219c9ba80edeb20558669b3dc6067a57e38432560b44dd193c5a8d623df90dd3706adb9be5cfb0ed93236ca1211
SHA1 hash: 66bea30f551222829635b052d6fb6daeaead4806
MD5 hash: 7457c0cd3606bf3b8ce4c7b370778e87
humanhash: mike-zebra-river-fruit
File name:GFHSHDFSDFUOHSDFIOHJSDFOIHJ.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:5'554'552 bytes
First seen:2023-01-06 05:23:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 074b8de7b62de75b5f28b66c7909b97c (6 x CoinMiner)
ssdeep 98304:WPIij6DBehDVU4hTl4JHRLmBbEnririBJ3VjFuZytHT:WPIoTXhZ8iEGSDu0tT
TLSH T11C4612ED62443368C016C838D033BE55E2B6851E16F9D5AF72DB76D07BBB420DA06F4A
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter r3dbU7z
Tags:CoinMiner exe miner

Intelligence

File Origin
# of uploads :
1
# of downloads :
446
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
GFHSHDFSDFUOHSDFIOHJSDFOIHJ.exe
Verdict:
Malicious activity
Analysis date:
2023-01-06 05:26:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cc8719a2-b5ba-449b-8e85-b589fc67a252

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349870/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Сreating synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Deleting a recently created file
Replacing files
DNS request
Connecting to a cryptocurrency mining pool
Sending a custom TCP request
Creating a service
Launching a service
Loading a system driver
Enabling autorun for a service
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Unknown
Threat level:
n/a  -.1/10
Confidence:
100%
Tags:
anti-debug overlay packed
Link:
https://www.filescan.io/uploads/63b7b076fc9525ae8a44e653/reports/bf9a0e9a-216a-440f-a636-30630f92a184/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ff068914-86ec-4101-bed5-a1344b9bfeb5
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1146041
Signature
Antivirus detection for dropped file
DNS related to crypt mining pools
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 778773 Sample: GFHSHDFSDFUOHSDFIOHJSDFOIHJ.exe Startdate: 06/01/2023 Architecture: WINDOWS Score: 100 46 Antivirus detection for dropped file 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 4 other signatures 2->52 6 WinUpdate.exe 5 2->6         started        10 GFHSHDFSDFUOHSDFIOHJSDFOIHJ.exe 3 2->10         started        12 powershell.exe 31 2->12         started        14 6 other processes 2->14 process3 file4 32 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 6->32 dropped 34 C:\Users\user\AppData\Local\...\iwgqhvtt.tmp, PE32+ 6->34 dropped 54 Multi AV Scanner detection for dropped file 6->54 56 Very long command line found 6->56 58 Writes to foreign memory regions 6->58 64 4 other signatures 6->64 16 svchost.exe 6->16         started        20 conhost.exe 6->20         started        36 C:\Users\user\AppData\...\WinUpdate.exe, PE32+ 10->36 dropped 60 Tries to detect virtualization through RDTSC time measurements 10->60 62 Uses schtasks.exe or at.exe to add and modify task schedules 12->62 22 conhost.exe 12->22         started        24 WMIC.exe 1 14->24         started        26 conhost.exe 14->26         started        28 conhost.exe 14->28         started        30 5 other processes 14->30 signatures5 process6 dnsIp7 38 51.15.78.68, 14433, 49698 OnlineSASFR France 16->38 40 xmr-eu1.nanopool.org 16->40 42 System process connects to network (likely due to code injection or exploit) 16->42 44 Query firmware table information (likely to detect VMs) 16->44 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40995019652863343f9ad35ce8f3519e84526fd8013fb85e48cc11675e2fb567/
Threat name:
Win64.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-12-27 16:43:18 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=icmvaglffbrtip422noor42rt2cfe36yae73qxsizqiwoxrpwvtq._file
Verdict:
malicious
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner upx
Link:
https://tria.ge/reports/230106-f3qevshh3y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
UPX packed file
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/73b52894-573c-4fb9-a97c-9f9ace970bc8
Unpacked files
SH256 hash:
40995019652863343f9ad35ce8f3519e84526fd8013fb85e48cc11675e2fb567
MD5 hash:
7457c0cd3606bf3b8ce4c7b370778e87
SHA1 hash:
66bea30f551222829635b052d6fb6daeaead4806
Link:
https://www.unpac.me/results/a94b3d2e-144e-47a1-8de1-beeac0b7fd49/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/409950196528/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/40995019652863343f9ad35ce8f3519e84526fd8013fb85e48cc11675e2fb567

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 40995019652863343f9ad35ce8f3519e84526fd8013fb85e48cc11675e2fb567

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/349870/

Comments