MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 508821549db3334cccd6d492e17b29343ea5d0bda03379188c083e8c2217c291. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 508821549db3334cccd6d492e17b29343ea5d0bda03379188c083e8c2217c291
SHA3-384 hash: 149eabd153597ccb1b0ea085f77f881378568cb57dd754b9555f6024d859509f7074019cc051e562fdebe52bbfc18ab6
SHA1 hash: 836c3f3b4b8f02e495703767b6bf923c453dba36
MD5 hash: 3fb477ee2214bf2d4ed7df2d23f159e8
humanhash: yankee-tennessee-alpha-friend
File name:3fb477ee2214bf2d4ed7df2d23f159e8
Download: download sample
Signature CoinMiner
Create hunting rule
File size:5'980'672 bytes
First seen:2024-10-07 22:18:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f7505c167603909b7180406402fef19e (36 x CoinMiner, 3 x PripyatMiner)
ssdeep 98304:Q/PrJHt+UOW/6U0GEkZqBq+2fxF2FZrejHPTu+8:QnrRkU0CZqBna2FZrIHid
Threatray 346 similar samples on MalwareBazaar
TLSH T14E56DFCAF163056CD11C26BF98F9AE1ACD7BE51A0811EAE8732552F2D1134DCC4689FE
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter zbetcheckin
Tags:64 CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
352
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3fb477ee2214bf2d4ed7df2d23f159e8
Verdict:
Malicious activity
Analysis date:
2024-10-07 22:22:02 UTC
Tags:
miner
Link:
https://app.any.run/tasks/ce7433be-12e8-4329-865f-3cb074e05f0e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Tedy-10005655-0
Create hunting rule

Win.Packed.Whisperer-10034639-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67045e58a69182ddbe5ccd2f
Tags:
Cobalt Xmrig
Verdict:
Malicious
Labled as:
Whisperer.1.Generic
Link:
https://www.hybrid-analysis.com/sample/508821549db3334cccd6d492e17b29343ea5d0bda03379188c083e8c2217c291
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8d197814-3203-4a15-9bca-aab15bafa46d
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1528506
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected PersistenceViaHiddenTask
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1528506 Sample: ylVAEHbMLf.exe Startdate: 08/10/2024 Architecture: WINDOWS Score: 100 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for dropped file 2->69 71 Antivirus / Scanner detection for submitted sample 2->71 73 14 other signatures 2->73 10 ylVAEHbMLf.exe 4 2->10         started        14 powershell.exe 37 2->14         started        16 powershell.exe 23 2->16         started        18 2 other processes 2->18 process3 file4 59 C:\Users\user\AppData\Roaming\...\updater.exe, PE32+ 10->59 dropped 61 C:\Users\user\AppData\...\yfiogronfirx.tmp, PE32+ 10->61 dropped 87 Suspicious powershell command line found 10->87 89 Writes to foreign memory regions 10->89 91 Modifies the context of a thread in another process (thread injection) 10->91 95 4 other signatures 10->95 20 dialer.exe 1 10->20         started        93 Loading BitLocker PowerShell Module 14->93 23 conhost.exe 14->23         started        25 conhost.exe 14->25         started        27 conhost.exe 16->27         started        29 conhost.exe 18->29         started        31 conhost.exe 18->31         started        signatures5 process6 signatures7 79 Contains functionality to inject code into remote processes 20->79 81 Writes to foreign memory regions 20->81 83 Allocates memory in foreign processes 20->83 85 3 other signatures 20->85 33 svchost.exe 20->33 injected 35 lsass.exe 6 20->35 injected 38 dwm.exe 20->38 injected 42 15 other processes 20->42 40 conhost.exe 27->40         started        process8 signatures9 44 updater.exe 5 33->44         started        75 Installs new ROOT certificates 35->75 77 Writes to foreign memory regions 35->77 process10 signatures11 97 Antivirus detection for dropped file 44->97 99 Multi AV Scanner detection for dropped file 44->99 101 Suspicious powershell command line found 44->101 103 9 other signatures 44->103 47 dialer.exe 44->47         started        process12 signatures13 105 Injects code into the Windows Explorer (explorer.exe) 47->105 107 Writes to foreign memory regions 47->107 109 Allocates memory in foreign processes 47->109 111 2 other signatures 47->111 50 svchost.exe 47->50 injected 53 svchost.exe 47->53 injected 55 svchost.exe 47->55 injected 57 11 other processes 47->57 process14 dnsIp15 63 192.168.2.5 unknown unknown 50->63 65 192.168.2.7 unknown unknown 50->65
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/508821549db3334cccd6d492e17b29343ea5d0bda03379188c083e8c2217c291
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/508821549db3334cccd6d492e17b29343ea5d0bda03379188c083e8c2217c291/
Threat name:
Win64.Trojan.Whisperer
Create hunting rule
Status:
Malicious
First seen:
2024-10-07 22:19:05 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kceccve5wmzuztgw2sjoc6zjgq7kluf5uazxsgemba7iyiqxykiq._file
Verdict:
malicious
Label(s):
r77
Create hunting rule
r77_core
Create hunting rule
Similar samples:
1ee660ee24030f3bef36495ab2f47c7a05c9796ebad4105e649f2f5de284f715
CoinMiner
24a2bad96c6e3e00fbf94ba4206cca7ed77d63bc37287a72a151dfcc4339af55
CoinMiner
369147350ac3d138f942319a118713d1ce6d77dbec87986def4016d88f16cb48
CoinMiner
508821549db3334cccd6d492e17b29343ea5d0bda03379188c083e8c2217c291
CoinMiner
5318af28d1b77df7a83165a90420fa200405c632e870423ff68fc1285fa3a233
CoinMiner
73387abd4f9966ec875dd96feb2f8ea23743564ec817c11e4d311588a8a424b1
CoinMiner
88aa882bcd7dfde1aa1b8e1ceb9fb23c596e5244608cad71429d9bf1de8d7c24
CoinMiner
9db1d611bba928f40d86374641783083cda4f613236f3ec21ce62bcdeee9a6e6
CoinMiner
error
CoinMiner
+ 336 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution persistence
Link:
https://tria.ge/reports/241007-18hx7azcrh/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Sets service image path in registry
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/87a8d1dd-5e38-4c11-98e4-2023884bea62
Unpacked files
SH256 hash:
508821549db3334cccd6d492e17b29343ea5d0bda03379188c083e8c2217c291
MD5 hash:
3fb477ee2214bf2d4ed7df2d23f159e8
SHA1 hash:
836c3f3b4b8f02e495703767b6bf923c453dba36
Link:
https://www.unpac.me/results/ccedd712-31b2-4f93-807f-418969a9c877/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/508821549db3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.72
Link:
https://yomi.yoroi.company/submissions/508821549db3334cccd6d492e17b29343ea5d0bda03379188c083e8c2217c291

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 508821549db3334cccd6d492e17b29343ea5d0bda03379188c083e8c2217c291

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3224102/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
CHECK_TRUST_INFORequires Elevated Execution (uiAccess:None)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::GetStartupInfoA

Comments


Avatar
zbet commented on 2024-10-07 22:18:42 UTC

url : hxxp://51.79.158.135/bootstrap/testrun.exe