MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4535de41278b2d4487e8f51de5851d8623de81e68060fe42d9ecb2cc23c4ed06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4535de41278b2d4487e8f51de5851d8623de81e68060fe42d9ecb2cc23c4ed06
SHA3-384 hash: 8ef8ea33b5289b548edd091501bc33d50cd467f56d3cca6a2519f7e05ec80712689c9ad128086ef6189f54abf0e4e8eb
SHA1 hash: 3304676ed8a238bf792a0fa359708861b3bfd42a
MD5 hash: 5748009f0073ba952cbb581c44530798
humanhash: colorado-london-single-five
File name:SecuriteInfo.com.Trojan.Siggen15.58403.20850.14287
Download: download sample
Signature CoinMiner
Create hunting rule
File size:5'637'120 bytes
First seen:2021-12-06 03:13:58 UTC
Last seen:2021-12-06 04:31:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9bfd2dac39af50555ae9789117b36b66 (19 x CoinMiner, 2 x CoinMiner.XMRig)
ssdeep 49152:nhG7rRjqXz8Cc5psGor99nrunI0CR43tFC4y/4TImNx4Z0UOEOyoqZ1xj0xIB200:
Threatray 376 similar samples on MalwareBazaar
TLSH T1DD4633205FA69EFDCAAC823D706F2F1E1BF15B81949494DF53A734DA329AB00046787D
Reporter SecuriteInfoCom
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Siggen15.58403.20850.14287
Verdict:
No threats detected
Analysis date:
2021-12-06 03:17:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a6da9926-a41f-4f9a-9d85-dc48668e5531

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CoinMiner02
Create hunting rule
Link:
https://www.capesandbox.com/analysis/211585/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.58403.20850.14287.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  2/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/997/overview
Behaviour
OpenProcessWithPrivileges
CallSleep
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
monero warp
Link:
https://www.filescan.io/uploads/61ad800dfa72c81b5b0db006/reports/72b9df31-9ffd-4567-8780-1bbb76a2381e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f9e4b626-8178-4f81-9252-73d4fd0f94d1
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/901908
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Conti Backup Database
Sigma detected: Disable or Delete Windows Eventlog
Sigma detected: PowerShell SAM Copy
Sigma detected: Suspicious PowerShell Invocations - Generic
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 534386 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 06/12/2021 Architecture: WINDOWS Score: 100 84 Malicious sample detected (through community Yara rule) 2->84 86 Multi AV Scanner detection for submitted file 2->86 88 Yara detected Xmrig cryptocurrency miner 2->88 90 8 other signatures 2->90 9 SecuriteInfo.com.Trojan.Siggen15.58403.20850.exe 6 2->9         started        12 services64.exe 5 2->12         started        15 svchost.exe 2->15         started        process3 file4 62 C:\Users\user\Microsoft\services64.exe, PE32+ 9->62 dropped 64 C:\Users\...\services64.exe:Zone.Identifier, ASCII 9->64 dropped 66 SecuriteInfo.com.T...58403.20850.exe.log, ASCII 9->66 dropped 17 cmd.exe 9->17         started        19 cmd.exe 1 9->19         started        22 cmd.exe 1 9->22         started        68 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 12->68 dropped 102 Multi AV Scanner detection for dropped file 12->102 104 Sample is not signed and drops a device driver 12->104 24 sihost64.exe 12->24         started        26 cmd.exe 12->26         started        106 System process connects to network (likely due to code injection or exploit) 15->106 signatures5 process6 signatures7 28 services64.exe 17->28         started        32 conhost.exe 17->32         started        92 Encrypted powershell cmdline option found 19->92 94 Uses schtasks.exe or at.exe to add and modify task schedules 19->94 34 powershell.exe 20 19->34         started        36 powershell.exe 23 19->36         started        38 conhost.exe 19->38         started        40 conhost.exe 22->40         started        42 schtasks.exe 1 22->42         started        96 Writes to foreign memory regions 24->96 98 Allocates memory in foreign processes 24->98 100 Creates a thread in another existing process (thread injection) 24->100 44 conhost.exe 24->44         started        46 3 other processes 26->46 process8 file9 70 C:\Users\user\AppData\...\sihost64.exe, PE32+ 28->70 dropped 108 Writes to foreign memory regions 28->108 110 Allocates memory in foreign processes 28->110 112 Modifies the context of a thread in another process (thread injection) 28->112 114 Injects a PE file into a foreign processes 28->114 48 sihost64.exe 28->48         started        51 cmd.exe 28->51         started        53 svchost.exe 28->53         started        signatures10 process11 dnsIp12 76 Antivirus detection for dropped file 48->76 78 Multi AV Scanner detection for dropped file 48->78 80 Encrypted powershell cmdline option found 51->80 56 conhost.exe 51->56         started        58 powershell.exe 51->58         started        60 powershell.exe 51->60         started        72 49.12.130.173, 49774, 80 HETZNER-ASDE Germany 53->72 74 pool.hashvault.pro 53->74 82 Query firmware table information (likely to detect VMs) 53->82 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4535de41278b2d4487e8f51de5851d8623de81e68060fe42d9ecb2cc23c4ed06/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-12-01 07:11:49 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
25 of 45 (55.56%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0028d3b936c329c8bb2a7c17d677d9808eed4f46c123048100050819d1657464
CoinMiner
2b0cd91072bc81875fba4d9dc3b293500f110b57dd9d37028556fdb296705fb0
CoinMiner
4a2c3f7e489652350d3fd9df4259c52e2a9be9eb507d011779079d1e57e0301d
CoinMiner
4ff85ed4a6ed753731533acba81fb31b38923cea1eff55ea524b1a7cbc48bc3b
CoinMiner
66b7920243197d2711568e498e3d74ee1da6611cf108e4542f3dee5040ed8fd8
CoinMiner
7e6b525d20c679bb8241177f2e307bb9c5b9070e4846a033640eb45eafcf64ea
CoinMiner
b37e87a30c379dd3d84b2f9b5819cb32335d7230156d3ea01a7309502e9e6d0d
CoinMiner
cdb8a234c896df8b45ee7bc0d69ecdaec0bfce73cacdb376048bcd3abb85a75d
CoinMiner
e67db91b7e8bcf1cf40735c556df7971af493cfd6b0fe4ffd25774ca7c31e070
CoinMiner
fa1a41ff82f9d6ca0473f9ac67f0d46e9576dd6608f9682d245f48ea872a3859
CoinMiner
+ 366 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/211206-drccragae8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
4535de41278b2d4487e8f51de5851d8623de81e68060fe42d9ecb2cc23c4ed06
MD5 hash:
5748009f0073ba952cbb581c44530798
SHA1 hash:
3304676ed8a238bf792a0fa359708861b3bfd42a
Link:
https://www.unpac.me/results/6e0e081f-397c-4d43-af31-05736c21a5d5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4535de41278b2d4487e8f51de5851d8623de81e68060fe42d9ecb2cc23c4ed06

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 4535de41278b2d4487e8f51de5851d8623de81e68060fe42d9ecb2cc23c4ed06

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1856884/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/211585/

Comments