MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48eee6e4eedb7291e09cd68d3ff4f1608df7fb538be806d785a4e99cb77a9da2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 13



SHA256 hash: 48eee6e4eedb7291e09cd68d3ff4f1608df7fb538be806d785a4e99cb77a9da2
SHA3-384 hash: 30c42bcc2edd2e4a7e90757470d4216c1664210d570cc258aa891cfefdcce4b5ee548216e70446f4eabf2c050b5f315f
SHA1 hash: b5daed890c606c70fba5d54921018d81d40ea5cc
MD5 hash: f86eef2e0508facf5dbfaff72051e743
humanhash: king-louisiana-hydrogen-oranges
File name: f86eef2e0508facf5dbfaff72051e743.exe
Signature: CoinMiner
File size: 73'728 bytes
First seen: 2021-12-31 06:34:34 UTC
Last seen: 2021-12-31 09:21:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2184d9d3a232034fe754f63f14b273e9 (1 x CoinMiner)
ssdeep: 768:R3MuYuJJXY8a59wbYSBoxiKvC9ilC7U1IMnTja7qFGIFZi956zYpg6xsIjC9YzZj:R3Mz8gQuVvSACSjA3IJd0dkgMGfF
Threatray: 366 similar samples on MalwareBazaar
TLSH: T17A733A00F550D53AF4F740FBE2FB08AE59299FE4434598DB23D0689F6B31AC1AA32597
Reporter: abuse_ch
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 313
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: f86eef2e0508facf5dbfaff72051e743.exe
Verdict: Malicious activity
Analysis date: 2021-12-31 06:38:25 UTC
Tags: trojan loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a window
DNS request
Sending a UDP request
Creating a file in the %temp% directory
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Enabling threat expansion on mass storage devices
Sending an HTTP GET request to an infection source
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CallSleep
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 83%
Tags: greyware phorpiex
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: BitCoin Miner Phorpiex SilentXMRMiner Xm
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicious Svchost Process
Sigma detected: Xmrig
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Phorpiex
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 546722; sample fl1V8eYAl3.exe; start date 31/12/2021; architecture WINDOWS; score 100), laid out here as a process tree from the flattened graph export:
Top-level signatures: Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 11 other signatures
fl1V8eYAl3.exe (started)
  drops: C:\Windows\wrsmvns.exe (PE32)
  signatures: Contains functionality to check if Internet connection is working; Drops executables to the windows directory (C:\Windows) and starts them; Hides that the sample has been downloaded from the Internet (zone.identifier); Contains functionality to detect sleep reduction / modifications
  wrsmvns.exe (started)
    network: 185.215.113.84 ports 49760, 49761, 49766 (WHOLESALECONNECTIONSNL, Portugal), on which the Stratum mining protocol was detected; 5.233.37.133 port 40500 (TCIIR, Iran); 5 other IPs or domains
    drops: C:\Users\user\AppData\Local\...\97128436.exe (PE32); C:\Users\user\AppData\Local\...\855816663.exe (PE32); C:\Users\user\AppData\...\2936124479.exe (PE32); 2 other files (1 malicious)
    signatures: Antivirus detection for dropped file; Contains functionality to check if Internet connection is working; Changes security center settings (notifications, updates, antivirus, firewall); 3 other signatures
    1335532111.exe (started)
      drops: C:\Users\user\AppData\Local\Temp\31455.exe (PE32+); C:\Users\user\AppData\Local\...\xmr[1].exe (PE32+)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
      31455.exe (started)
        signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
        conhost.exe (started)
          drops: C:\Users\user\wincsvns.exe (PE32+)
          signatures: Drops PE files to the user root directory
          cmd.exe (started)
            wincsvns.exe (started)
              signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
              conhost.exe (started)
                drops: C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+)
                signatures: Sample is not signed and drops a device driver
                sihost64.exe (started)
                  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
                  conhost.exe (started)
            conhost.exe (started)
          cmd.exe (started)
            signatures: Uses schtasks.exe or at.exe to add and modify task schedules
            conhost.exe (started)
            schtasks.exe (started)
    2936124479.exe (started)
    855816663.exe (started)
    97128436.exe (started)
wincsvns.exe (started)
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  conhost.exe (started)
    drops: C:\Users\user\AppData\...\sihost64.exe (PE32+)
    signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
    svchost.exe (started)
      signatures: Query firmware table information (likely to detect VMs)
svchost.exe (started)
  MpCmdRun.exe (started)
    conhost.exe (started)
8 other processes (started)
  network: 127.0.0.1
Threat name: Win32.Trojan.FWDisable
Status: Malicious
First seen: 2021-12-30 10:50:36 UTC
File Type: PE (Exe)
AV detection: 29 of 43 (67.44%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig evasion miner persistence suricata trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
Windows security bypass
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
xmrig
Unpacked files
SHA256 hash: 48eee6e4eedb7291e09cd68d3ff4f1608df7fb538be806d785a4e99cb77a9da2
MD5 hash: f86eef2e0508facf5dbfaff72051e743
SHA1 hash: b5daed890c606c70fba5d54921018d81d40ea5cc
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments