MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50774c53ce18234a360e8848e54a0e50468e019b74352a9228737fd4860cf419. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 14



SHA256 hash: 50774c53ce18234a360e8848e54a0e50468e019b74352a9228737fd4860cf419
SHA3-384 hash: bd70d186f9806a9a7af155038c1fecd3a5ca4102ba6f30824d4bb6651860d045f556c5ff0a65d4062412c9c522096d48
SHA1 hash: d7b1a913065811764a864aabfaf0ed347b4b38c5
MD5 hash: 7b098b4ef567a0bb0782023906f09d8e
humanhash: may-arkansas-papa-nebraska
File name: 7b098b4ef567a0bb0782023906f09d8e
Signature: CoinMiner
File size: 4'607'557 bytes
First seen: 2022-06-30 21:22:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 98304:pYk1177Zyi7kg1FxNxwQHu4AOeeLVs4GN041pHC4ucztobtGHd2wGERg+Z:3kGFCQWOe7N04W49MPTER9
Threatray: 1'848 similar samples on MalwareBazaar
TLSH: T156262301A1D44032E2E677341F21E7705B3A7D907A38C61AA3F85D5BBBBF6836931762
TrID: 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
      0.6% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 34b4038998000180 (5 x CoinMiner)
Reporter: zbetcheckin
Tags: 32 CoinMiner exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 262
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Launching a tool to kill processes
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 80%
Tags: coinminer greyware houdini overlay packed setupapi.dll shdocvw.dll shell32.dll zusy
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Cobalt Strike
Verdict: Malicious

Result
Threat name:
Detection: malicious
Classification: adwa.expl.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates multiple autostart registry keys
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Drops PE files with benign system names
Drops VBS files to the startup folder
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID: 655335, Sample: 7teZvNLUmm, Startdate: 30/06/2022, Architecture: WINDOWS, Score: 100). The graph image is not reproduced; its process tree is rendered as text below.

Start: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 9 other signatures
- 7teZvNLUmm.exe
  dropped: C:\Users\user\AppData\Roaming\...\wininit.exe (PE32+); C:\Users\user\AppData\...\services.exe (PE32); C:\Users\user\AppData\...\WinRing0x64.sys (PE32+); 3 other malicious files
  signatures: Sample is not signed and drops a device driver; Drops PE files with benign system names
  - wscript.exe (Drops VBS files to the startup folder)
    - cmd.exe
      - AudioClip.exe
        dropped: C:\Users\user\AppData\...\AudioClip.exe (PE32)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (overwrites its own PE header); 2 other signatures
      - wscript.exe
        - cmd.exe
          - wininit.exe
            network: updatebss.linkpc.net 64.235.37.55, 3333, 49765, 49772 PREMIANETUS United States
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs); Machine Learning detection for dropped file
          - conhost.exe
      - services.exe
        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; Injects a PE file into a foreign processes
        - cvtres.exe
      - 15 other processes
        dropped: C:\Users\user\AppData\...\Replace32640.vbs (data); C:\Users\user\AppData\...\Replace32640.vbs (data)
        signatures: Windows Shell Script Host drops VBS files; Creates multiple autostart registry keys
- services.exe
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 4 other signatures
  - cvtres.exe
    network: soloformin.linkpc.net 216.108.230.28, 49768, 80 PREMIANETUS United States
    dropped: C:\ProgramData\...\svhproxy.exe (copy) (PE32); C:\ProgramData\eWTBqYYAek\svhproxy (PE32)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
    - notepad.exe
      network: 200.83.148.79, 32640, 3333 VTRBANDAANCHASACL Chile
      signatures: System process connects to network (likely due to code injection or exploit)
    - cmd.exe
      - conhost.exe
- wscript.exe
  - cmd.exe
    - wininit.exe
      network: updatebss.linkpc.net
      signatures: Query firmware table information (likely to detect VMs)
    - conhost.exe
- AudioClip.exe
Threat name: Win32.Trojan.Tiggre
Status: Malicious
First seen: 2022-06-27 06:05:27 UTC
File Type: PE (Exe)
Extracted files: 20
AV detection: 22 of 26 (84.62%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:xmrig miner persistence spyware stealer upx
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
UPX packed file
XMRig Miner Payload
xmrig
Unpacked files
SHA256 hash: 9844b1d0904c4bbe9ad17fb325a9beadf8d731dea8b92100419aee92cedc6fdd, MD5 hash: 4db6eac9f1cd0fb3bfce3dafdccb9e00, SHA1 hash: b646e7824bea0e253ee957311296e605dfa5af28
SHA256 hash: 5cdcc543edc61ca41c2688f6e6c4d34de130082843b8e9fc98f82e76ca8cf987, MD5 hash: d788f3d85fbf82b0be3eef97bf794394, SHA1 hash: 4d06766af550825d7bba89c1e8943d51cfdaa728
SHA256 hash: c6c9fa85c00f39e65e4c138769d548ffd82a7baa5a999ab4cbf1ee1f03140742, MD5 hash: 3cd4761209f02dea4a09aeaa8e3ff554, SHA1 hash: a750d5958976661d082d5df133587aa2c5db3f88
SHA256 hash: 50774c53ce18234a360e8848e54a0e50468e019b74352a9228737fd4860cf419, MD5 hash: 7b098b4ef567a0bb0782023906f09d8e, SHA1 hash: d7b1a913065811764a864aabfaf0ed347b4b38c5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
CoinMiner: Executable exe 50774c53ce18234a360e8848e54a0e50468e019b74352a9228737fd4860cf419 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-06-30 21:23:02 UTC

url: hxxp://soloformin.linkpc.net/01actfinal8.exe