MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41d6f0977590e08c50b69579e57d4fde515ce214d958b700b18d36318b44e4db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 12

SHA256 hash: 41d6f0977590e08c50b69579e57d4fde515ce214d958b700b18d36318b44e4db
SHA3-384 hash: ca4d961a50409c6ae05633761120bd633710dc6bc71ebd146909ecec0227f525e488c68e89d2fe56b3e2f9dbd8039869
SHA1 hash: 69c53c31295464631a4b644523e33ab941a31389
MD5 hash: b984d80deb9a55764dd0f1762728d375
humanhash: lima-alaska-sodium-snake
File name: b984d80deb9a55764dd0f1762728d375
Signature: CoinMiner
File size: 4'514'901 bytes
First seen: 2022-06-17 17:38:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 98304:pYk117EZyi7kg1FxNxwQHu4AOeeLVs4GN041pHC4ucztobtGHd2wGERgW:ukGFCQWOe7N04W49MPTERT
TLSH: T10D262301B1D48032E2E677351F20E6705B3A7D907A38C61AA3F85D5BB7BF5836A31762
TrID: 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
      0.6% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 34b4038998000180 (5 x CoinMiner)
Reporter: zbetcheckin
Tags: 32 CoinMiner exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 408
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
DNS request
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a service
Launching a service
Loading a system driver
Launching a tool to kill processes
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: adwa.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected Stratum mining protocol
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Drops PE files with benign system names
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph ID: 647900
Sample: kN6q5LUExs
Start date: 17/06/2022
Architecture: WINDOWS
Score: 100
Top-level network and signatures: soloformin.linkpc.net; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 10 other signatures
Process tree (rebuilt from the flattened graph rendering):
kN6q5LUExs.exe (started)
  dropped: C:\Users\user\AppData\Roaming\...\wininit.exe (PE32+); C:\Users\user\AppData\...\services.exe (PE32); C:\Users\user\AppData\...\WinRing0x64.sys (PE32+); 2 other malicious files
  signatures: Sample is not signed and drops a device driver; Drops PE files with benign system names
  wscript.exe (started)
    cmd.exe (started)
      services.exe (started)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 3 other signatures
        cvtres.exe (started)
      AudioClip.exe (started)
        dropped: C:\Users\user\AppData\...\AudioClip.exe (PE32)
        signatures: Detected unpacking (overwrites its own PE header); Drops PE files to the startup folder
      wscript.exe (started)
        cmd.exe (started)
          wininit.exe (started)
            network: updatebss.linkpc.net 64.235.37.55, 3333, 49778 PREMIANETUS United States; Detected Stratum mining protocol
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs); Machine Learning detection for dropped file
          conhost.exe (started)
      12 other processes
svchost.exe (started)
  network: 127.0.0.1 unknown unknown
svchost.exe (started)
2 other processes
Threat name: Win32.Trojan.Zusy
Status: Malicious
First seen: 2022-06-10 06:41:41 UTC
File Type: PE (Exe)
Extracted files: 20
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig miner persistence upx
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Deletes itself
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
UPX packed file
XMRig Miner Payload
xmrig
Unpacked files
SHA256: 9844b1d0904c4bbe9ad17fb325a9beadf8d731dea8b92100419aee92cedc6fdd | MD5: 4db6eac9f1cd0fb3bfce3dafdccb9e00 | SHA1: b646e7824bea0e253ee957311296e605dfa5af28
SHA256: 5cdcc543edc61ca41c2688f6e6c4d34de130082843b8e9fc98f82e76ca8cf987 | MD5: d788f3d85fbf82b0be3eef97bf794394 | SHA1: 4d06766af550825d7bba89c1e8943d51cfdaa728
SHA256: c6c9fa85c00f39e65e4c138769d548ffd82a7baa5a999ab4cbf1ee1f03140742 | MD5: 3cd4761209f02dea4a09aeaa8e3ff554 | SHA1: a750d5958976661d082d5df133587aa2c5db3f88
SHA256: 41d6f0977590e08c50b69579e57d4fde515ce214d958b700b18d36318b44e4db | MD5: b984d80deb9a55764dd0f1762728d375 | SHA1: 69c53c31295464631a4b644523e33ab941a31389 (this sample)
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: exploit_any_poppopret
Author: Jeff White [karttoon@gmail.com] @noottrak
Description: Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | CoinMiner | Executable exe 41d6f0977590e08c50b69579e57d4fde515ce214d958b700b18d36318b44e4db (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2022-06-17 17:38:32 UTC

url : hxxp://web1705.ath.cx/01actfinal4.exe