MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 436b57eb4ebf6768af469abaabbb1de5ef33ee07a87a82e279f98c9a079a2497. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 436b57eb4ebf6768af469abaabbb1de5ef33ee07a87a82e279f98c9a079a2497
SHA3-384 hash: edd4d9d91d358e974481b715620870e73cb7a2dfce051d7837039f19bc975898aca5d719ddc88588afe31584f78f7695
SHA1 hash: 56a96ad7c487905416948a8383f2d6599af1f74c
MD5 hash: 2314ada26bcd49478dcb6e48833cec68
humanhash: jig-carolina-may-red
File name:2314ada26bcd49478dcb6e48833cec68.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'165'632 bytes
First seen:2022-03-03 08:59:10 UTC
Last seen:2022-03-18 05:08:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 67 x LummaStealer, 61 x Rhadamanthys)
ssdeep 98304:LaM3xcbKXCunllSI6a8EOHRJb7KwmJHJsQwnso:Lakx4Kdnlwpa/OHDaBJHW9v
Threatray 28 similar samples on MalwareBazaar
TLSH T1E016331A61D96871F4B663B538F042A333B1355453ABAFFB429988B91B32CD05639FC3
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/246801/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8006/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/647aeab0-b101-455f-9b2d-dbf62d4e9ce0
Result
Threat name:
BitCoin Miner SilentXMRMiner Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/949838
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicius Schtasks From Env Var Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 582355 Sample: ZHiXNzkTD0.exe Startdate: 03/03/2022 Architecture: WINDOWS Score: 100 61 Antivirus / Scanner detection for submitted sample 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 Yara detected SilentXMRMiner 2->65 67 7 other signatures 2->67 9 ZHiXNzkTD0.exe 1 4 2->9         started        12 rundll32.exe 2->12         started        process3 file4 57 C:\Users\user\AppData\Local\Temp\...\ycjj.exe, PE32+ 9->57 dropped 59 C:\Users\user\AppData\Local\Temp\...\mhxh.exe, PE32+ 9->59 dropped 14 ycjj.exe 9->14         started        17 mhxh.exe 9->17         started        process5 signatures6 81 Antivirus detection for dropped file 14->81 83 Multi AV Scanner detection for dropped file 14->83 85 Writes to foreign memory regions 14->85 19 conhost.exe 3 14->19         started        87 Allocates memory in foreign processes 17->87 89 Creates a thread in another existing process (thread injection) 17->89 21 conhost.exe 8 17->21         started        process7 file8 24 sihost64.exe 19->24         started        27 cmd.exe 19->27         started        29 cmd.exe 19->29         started        55 C:\Users\user\AppData\...\sihost64.exe, PE32+ 21->55 dropped 31 cmd.exe 1 21->31         started        33 sihost64.exe 21->33         started        35 cmd.exe 21->35         started        process9 signatures10 69 Writes to foreign memory regions 24->69 71 Allocates memory in foreign processes 24->71 73 Creates a thread in another existing process (thread injection) 24->73 37 conhost.exe 24->37         started        39 conhost.exe 27->39         started        41 powershell.exe 27->41         started        43 powershell.exe 27->43         started        51 2 other processes 29->51 75 Encrypted powershell cmdline option found 31->75 77 Uses schtasks.exe or at.exe to add and modify task schedules 31->77 45 powershell.exe 24 31->45         started        47 powershell.exe 17 31->47         started        49 conhost.exe 31->49         started        79 Antivirus detection for dropped file 33->79 53 2 other processes 35->53 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/436b57eb4ebf6768af469abaabbb1de5ef33ee07a87a82e279f98c9a079a2497/
Threat name:
Win64.Trojan.Mikey
Create hunting rule
Status:
Malicious
First seen:
2022-03-03 09:00:21 UTC
File Type:
PE+ (Exe)
Extracted files:
14
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0ba5bc2a4412ad5a9e6c873d77ca59d2650ca6138126737e02f89a0581832ed5
CoinMiner
1660fa277deb0f1afcd706189ecca08930050458121c2a2f42f2dcdeb1cf9c29
CoinMiner
18205615390b3e8e007e8c0d7016978c268697f39ad0f7f2f441fedaf1c01237
CoinMiner
374ec0de5ab31bc54adc80e494194f0070a78839701d19b73b27ca605f05c768
CoinMiner
7e1624df0ec310b2766bd7a9a98f05ef1ed576f0f7e0699aee3ecc35ddb03c12
CoinMiner
7f94c21c8bb8b634df7616ec35572439237604fae7e049e1fad38403955996b9
CoinMiner
944b430ea906d74d8d8a8d2d487696f48e5d427e3ae8ee493dddebb3660ae766
CoinMiner
9ba99ef6e07d224b950b451c6e414e9c12ef7429d8e59d5cd841ffbc3c5369ec
CoinMiner
b03f5bd449dbd6441f14720cd78dc280580a998842675cec12b7d1a840c67932
CoinMiner
c9c79f349ba263858347e2a724368d31fb0a43542bb222c0e36d55198fbf7bfe
CoinMiner
+ 18 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220303-kyb4wsaba2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
436b57eb4ebf6768af469abaabbb1de5ef33ee07a87a82e279f98c9a079a2497
MD5 hash:
2314ada26bcd49478dcb6e48833cec68
SHA1 hash:
56a96ad7c487905416948a8383f2d6599af1f74c
Link:
https://www.unpac.me/results/0c2fe595-3cfc-4775-b349-20b489b42c84/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/436b57eb4ebf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/436b57eb4ebf6768af469abaabbb1de5ef33ee07a87a82e279f98c9a079a2497

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 436b57eb4ebf6768af469abaabbb1de5ef33ee07a87a82e279f98c9a079a2497

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/246801/
  
URLhaus
https://urlhaus.abuse.ch/url/2072425/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2072733/
  
URLhaus
https://urlhaus.abuse.ch/url/2073320/

Comments