MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 509876bf98ee51fc5d7a4d6af1244227fccd94a556a9c85dd9bdf535d8619b39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	509876bf98ee51fc5d7a4d6af1244227fccd94a556a9c85dd9bdf535d8619b39
SHA3-384 hash:	1b238709e5db76cd73dbbfaa5bf1d9c6e191c5774fb1cf93ab937e4d430795790fd03d3ab4940c0b7747ae1017a9edf6
SHA1 hash:	06c22e4dfe29a1aa17d5ea73c00d1d7282a69ca9
MD5 hash:	807c38eebe83417fb45156001f6ae448
humanhash:	ten-pizza-jig-salami
File name:	tmp.exe
Download:	download sample
Signature	CoinMiner Alert Create hunting rule
File size:	582'656 bytes
First seen:	2023-04-21 00:39:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:RIZ3nmCmLyHMU6jqQNE26QjftmxhsXEvXveKOob3fiRibcPJV9IeXt:Ra3TsycjtNb6QkfsXwXvjb3KRv55
Threatray	138 similar samples on MalwareBazaar
TLSH	T159C42321A1DDA7FCE00B17F704E29E167B1CA4273A2F0AA61BE581067F605F1137BAD5
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	Chainskilabs
Tags:	CoinMiner exe

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

326

Origin country :

US

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

tmp.exe

Verdict:

Malicious activity

Analysis date:

2023-04-21 00:41:08 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/87227bc2-cc47-4965-9b9e-4b1ad54c4d57

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/383844/

ClamAV Detected

Detection(s):

SecuriteInfo.com.IL.Trojan.MSILZilla.26395.24859.14176.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %AppData% directory

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Creating a window

Sending an HTTP GET request

Launching a process

Searching for synchronization primitives

Creating a service

Launching a service

Loading a system driver

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun for a service

Unauthorized injection to a system process

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6441db652eb85408cdf6711e/reports/bf46194d-b402-4637-81fe-2b86bd40e968/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/509876bf98ee51fc5d7a4d6af1244227fccd94a556a9c85dd9bdf535d8619b39

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/e559de20-af47-49b8-9a49-960ca80408dd

Joe Sandbox Xmrig

Result

Threat name:

Xmrig

Alert

Create hunting rule

Detection:

malicious

Classification:

evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1218356

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Detected Stratum mining protocol

Found strings related to Crypto-Mining

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sigma detected: Xmrig

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/509876bf98ee51fc5d7a4d6af1244227fccd94a556a9c85dd9bdf535d8619b39/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.AgentTesla

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-04-15 18:08:19 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

4

AV detection:

16 of 37 (43.24%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kcmhnp4y5zi7yxl2jvvpcjcce76m3fffk2u4qxozxx2tlwdbtm4q._file

Threatray malicious

Verdict:

malicious

Similar samples:

0fe833966ffd7dc6723991d4b4561f039f488ce774de7c5c6b6f9ad7a006b595

CoinMiner

1ff771de93f1b7a1824949621e743f0207b199b96151fb288474a7e8a2435e1d

CoinMiner

29b5468c799dbba5a156b67c04f3082f41c647c0cf9330e824f57d456d2e234e

CoinMiner

33582086a3417a06bb5154cd9e1f878bff0d8717151cbccd539cd0505a8e5fcd

CoinMiner

6620065fb747acd80ed59d91d4b76316b9402c739530a8436e36f188e9a3f03f

CoinMiner

963f054c289e0855e2d119fa2e290bcc3a1d7787c60ed226fb6512b52b3750c5

CoinMiner

9fd84c71e3c3c85eb7ef456aa82d68223aa2ba2dfab716f1a34732227d009b6f

CoinMiner

bec2c4c72b0297624093232878a45e9f5e467a9f838268a4403bc9416bde8189

CoinMiner

c7554a7609cf9428545460211a203ed575173798679198a502fe847bff3cc044

CoinMiner

e904870d3952bad327314df46c9fa32f9aac69ef0028123515da1cda4c1c6706

CoinMiner

+ 128 additional samples on MalwareBazaar

Hatching Triage xmrig

Result

Malware family:

xmrig

Alert

Create hunting rule

Score:

  10/10

Tags:

family:xmrig miner persistence

Link:

https://tria.ge/reports/230421-az8jdadb84/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Adds Run key to start application

XMRig Miner payload

xmrig

UnpacMe

Unpacked files

SH256 hash:

509876bf98ee51fc5d7a4d6af1244227fccd94a556a9c85dd9bdf535d8619b39

MD5 hash:

807c38eebe83417fb45156001f6ae448

SHA1 hash:

06c22e4dfe29a1aa17d5ea73c00d1d7282a69ca9

Link:

https://www.unpac.me/results/2dead751-d314-4449-86dc-cdc1d0030dd0/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Suspicious File

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/509876bf98ee51fc5d7a4d6af1244227fccd94a556a9c85dd9bdf535d8619b39

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

exe 509876bf98ee51fc5d7a4d6af1244227fccd94a556a9c85dd9bdf535d8619b39

(this sample)

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/383844/