MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e4c6f9ec188af7478c91101e276674f2854abc64c0dc83c81ad8db7709394bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 16

Intelligence 16 IOCs YARA 21 File information Comments

SHA256 hash:	4e4c6f9ec188af7478c91101e276674f2854abc64c0dc83c81ad8db7709394bb
SHA3-384 hash:	9f43bd95f4b4edd5a9b9138d8a436681c132319dc630aaff2527ea51f76557f4759a507ec166d6a2c7caec419d90b143
SHA1 hash:	56801fd01ae41779b159a0a295e59c243a9f955c
MD5 hash:	a462d04e3c550d9e2f759b9dd82f2d45
humanhash:	idaho-butter-one-ten
File name:	runing.exe
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	5'412'352 bytes
First seen:	2024-01-13 00:57:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2e3e4d2cfd6226981f42ae1c2abe7b12 (2 x CoinMiner)
ssdeep	98304:4iX2isksvJauI4D1ckKOpLryp1JAX+uI2+lQomLWtYmpi6Quao7bbeC6q:bskxp7M+B2QHmbmpi6/p3eC6q
TLSH	T179469D56B2A501E8C8BAC07C86479917F7F2B81543B0ABEF17B452690F27BD15E3EB10
TrID	72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 13.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 2.5% (.EXE) OS/2 Executable (generic) (2029/13) 2.5% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon	f8e4b4d959d6c678 (33 x CoinMiner)
Reporter	adm1n_usa32
Tags:	CoinMiner exe XMRIG

Intelligence

File Origin

# of uploads :

# of downloads :

350

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://www.gamexeasy.site

Verdict:

Malicious activity

Analysis date:

2023-10-05 20:50:19 UTC

Tags:

lumma stealer loader

Link:

https://app.any.run/tasks/e4258136-42d7-40fd-8348-855669f90e78

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CoinMiner02

Link:

https://www.capesandbox.com/analysis/470612/

Detection(s):

Win.Coinminer.Generic-7151250-0

Win.Coinminer.Generic-7151253-0

Win.Coinminer.Generic-7151447-0

Win.Coinminer.Generic-7151972-0

Win.Coinminer.Generic-7155777-0

Win.Coinminer.Generic-7158858-0

Win.Trojan.Coinminer-9866537-0

Multios.Coinminer.Miner-6781728-2

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug coinminer crypto greyware miner monero pup virus xmrig

Link:

https://www.filescan.io/uploads/65a1e01b94d1aebfb29c2a35/reports/e4e37512-3fc7-4809-af16-14ba10bf2469/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/4e4c6f9ec188af7478c91101e276674f2854abc64c0dc83c81ad8db7709394bb

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

XMRig Miner

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f404768a-62ae-40ae-bd96-fa0516598da0

Result

Threat name:

Xmrig

Detection:

malicious

Classification:

mine

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1374093

Signature

Antivirus / Scanner detection for submitted sample

Found strings related to Crypto-Mining

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4e4c6f9ec188af7478c91101e276674f2854abc64c0dc83c81ad8db7709394bb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4e4c6f9ec188af7478c91101e276674f2854abc64c0dc83c81ad8db7709394bb/

Threat name:

Win64.Coinminer.Malxmr

Status:

Malicious

First seen:

2023-07-03 15:58:07 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

25 of 38 (65.79%)

Threat level:

4/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jzgg7hwbrcxxi6gjcea6e5thj4ufjk6gjqg4qpebvwg3o4etss5q._file

Verdict:

malicious

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner

Link:

https://tria.ge/reports/240113-bbg7yshfh4/

Unpacked files

SH256 hash:

4e4c6f9ec188af7478c91101e276674f2854abc64c0dc83c81ad8db7709394bb

MD5 hash:

a462d04e3c550d9e2f759b9dd82f2d45

SHA1 hash:

56801fd01ae41779b159a0a295e59c243a9f955c

Detections:

XMRig

PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20

MALWARE_Win_CoinMiner02

XMRIG_Monero_Miner

MAL_XMR_Miner_May19_1

Link:

https://www.unpac.me/results/02c6cf6d-b06e-4edd-837b-5d6dcca53fe2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4e4c6f9ec188af7478c91101e276674f2854abc64c0dc83c81ad8db7709394bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	ldpreload Create hunting rule
Author:	xorseed
Reference:	https://stuff.rop.io/

Rule name:	MacOS_Cryptominer_Generic_333129b7 Create hunting rule
Author:	Elastic Security

Rule name:	MacOS_Cryptominer_Xmrig_241780a1 Create hunting rule
Author:	Elastic Security

Rule name:	MALWARE_Win_CoinMiner02 Create hunting rule
Author:	ditekSHen
Description:	Detects coinmining malware

Rule name:	MAL_XMR_Miner_May19_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	MAL_XMR_Miner_May19_1_RID2E1B Create hunting rule
Author:	Florian Roth
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects XMRIG crypto coin miners
Reference:	https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/

Rule name:	PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20_RID33BA Create hunting rule
Author:	Florian Roth
Description:	Detects XMRIG crypto coin miners
Reference:	https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/

Rule name:	rig_win64_xmrig_6_13_1_xmrig Create hunting rule
Author:	yarGen Rule Generator
Description:	rig_win64 - file xmrig.exe
Reference:	https://github.com/Neo23x0/yarGen

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

Rule name:	XMRIG_Monero_Miner Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero mining software
Reference:	https://github.com/xmrig/xmrig/releases

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/470612/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample