MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42512e8e1edcb73da0e3b5a3422dc471f26a381534e258efdbd43a9225e40ae6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42512e8e1edcb73da0e3b5a3422dc471f26a381534e258efdbd43a9225e40ae6
SHA3-384 hash: 468fecec955af4818f35826469e356d1c60e9a0651db536ad8fae8faa2c9a256a8a0b351c848ae30f5c6cc840e21cbbb
SHA1 hash: f7484f2591abbb625ba100b9b5cc09b60d6821b2
MD5 hash: 0c88b9ca0568638f1ecac1f26bd4b313
humanhash: xray-mobile-steak-mike
File name:0c88b9ca0568638f1ecac1f26bd4b313.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'024'512 bytes
First seen:2023-04-23 16:20:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:Th/A3m1OSjUbR2e2Lei+3avJr2ZTTwLYbNzsaTO6fqWREdMil7kas8mOf17Gs5Lq:Tq3KOSANKeqp2uYOwsE
Threatray 2'885 similar samples on MalwareBazaar
TLSH T16F25719D3A672DB6DD4E01F2CB513AC95B61C75AAF00E0E62B5346C9B20D1339DCD0AB
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:CoinMiner exe


Avatar
abuse_ch
CoinMiner C2:
http://179.43.140.168/DLIMSORRY.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
354
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0c88b9ca0568638f1ecac1f26bd4b313.exe
Verdict:
Malicious activity
Analysis date:
2023-04-23 16:22:01 UTC
Tags:
miner
Link:
https://app.any.run/tasks/67bf5454-b228-41b4-8fe7-2de6a62038c7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.MSILPerseus.238349.32162.27375.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Searching for the window
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/64455aef809528e43aaae44f/reports/7bf1c1b0-ade6-444e-9ae3-897f7aeeda71/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/42512e8e1edcb73da0e3b5a3422dc471f26a381534e258efdbd43a9225e40ae6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9c084854-18fb-4362-bd18-a84955e1a048
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1219459
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 852401 Sample: KfG6A72lQ1.exe Startdate: 23/04/2023 Architecture: WINDOWS Score: 100 67 Snort IDS alert for network traffic 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 4 other signatures 2->73 9 KfG6A72lQ1.exe 5 2->9         started        13 LUAAQ.exe 2->13         started        15 svchost.exe 2->15         started        17 8 other processes 2->17 process3 dnsIp4 57 C:\ProgramData\ProgrammFile\LUAAQ.exe, PE32+ 9->57 dropped 77 Detected unpacking (changes PE section rights) 9->77 79 Adds a directory exclusion to Windows Defender 9->79 20 cmd.exe 1 9->20         started        23 powershell.exe 18 9->23         started        25 powershell.exe 13->25         started        81 Changes security center settings (notifications, updates, antivirus, firewall) 15->81 27 MpCmdRun.exe 1 15->27         started        59 192.168.2.1 unknown unknown 17->59 83 Query firmware table information (likely to detect VMs) 17->83 file5 signatures6 process7 signatures8 75 Uses schtasks.exe or at.exe to add and modify task schedules 20->75 29 LUAAQ.exe 14 5 20->29         started        33 conhost.exe 20->33         started        35 timeout.exe 1 20->35         started        37 conhost.exe 23->37         started        39 conhost.exe 25->39         started        41 conhost.exe 27->41         started        process9 dnsIp10 65 179.43.140.168, 49701, 80 PLI-ASCH Panama 29->65 89 Antivirus detection for dropped file 29->89 91 Detected unpacking (changes PE section rights) 29->91 93 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->93 95 4 other signatures 29->95 43 vbc.exe 29->43         started        47 cmd.exe 1 29->47         started        49 powershell.exe 29->49         started        signatures11 process12 dnsIp13 61 45.76.89.70, 49702, 5555 AS-CHOOPAUS United States 43->61 63 pool.hashvault.pro 43->63 85 Query firmware table information (likely to detect VMs) 43->85 51 conhost.exe 47->51         started        53 schtasks.exe 1 47->53         started        55 conhost.exe 49->55         started        signatures14 87 Detected Stratum mining protocol 61->87 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/42512e8e1edcb73da0e3b5a3422dc471f26a381534e258efdbd43a9225e40ae6/
Threat name:
ByteCode-MSIL.Trojan.Perseus
Create hunting rule
Status:
Malicious
First seen:
2023-04-19 15:23:21 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ijis5dq63s3t3ihdwwrueloeohzguoavgtrfr3632q5jejpeblta._file
Verdict:
malicious
Similar samples:
11aabbba0268cf5ad901f11038f6d920671dcd7b4b52f77fd6e53772d606c8fa
CoinMiner
329cd8c9164d92332689228b2c0586d9df13343b12a81be729410d17d38697f1
CoinMiner
635af14d9da60481f1811a34fd34382e6afa72eac2f4b10ae776f9c8560696eb
CoinMiner
bbe151d7c659c41de2f9522507a79dce900a5758d3116be0c4b83a58c5facf77
CoinMiner
c7fedf16eea08eb350ea4c3176d125a01ddaf221552efd1c531315954c3b7d8e
CoinMiner
e1c3e42f794ea8db905580fa5ac184a3d06cba1ab0ac47d6bd686c24fe0b6c99
CoinMiner
fece78aa06612c83dbf398608d6e827053eb21ff3860907b20b298d681974497
CoinMiner
+ 2'875 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/230423-ttmt9sgb3v/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
XMRig Miner payload
xmrig
Unpacked files
SH256 hash:
42512e8e1edcb73da0e3b5a3422dc471f26a381534e258efdbd43a9225e40ae6
MD5 hash:
0c88b9ca0568638f1ecac1f26bd4b313
SHA1 hash:
f7484f2591abbb625ba100b9b5cc09b60d6821b2
Link:
https://www.unpac.me/results/ad0b8ee9-0d72-41f0-8a01-e38c17ba1fc7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/42512e8e1edc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.73
Link:
https://yomi.yoroi.company/submissions/42512e8e1edcb73da0e3b5a3422dc471f26a381534e258efdbd43a9225e40ae6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments