MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 12



SHA256 hash: 529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
SHA3-384 hash: 53bd1d52ed3fac572219c9af9cd9aa05f0dcf11880ac75602cfed1d31fad0ef654c207b9f9b408e994aa269a85224e8e
SHA1 hash: ae470145c4f5780315b52aa1c57ae0c04a2d18ca
MD5 hash: 8268ff95b3aaea6d6de8f02a73c323d2
humanhash: oklahoma-timing-march-king
File name: minfx.exe
Signature: CoinMiner
File size: 4'451'328 bytes
First seen: 2022-05-13 17:53:36 UTC
Last seen: 2022-05-13 18:40:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7dbd2319b33ed25eb7ad7d0162c2bb3a (18 x CoinMiner, 1 x CoinMiner.XMRig, 1 x XFilesStealer)
ssdeep: 98304:37aw8/R/HwspahZrq1576iwIrnMLAyPIIxJBvckksBtA8ndDsytV:37L8SrhZy7ZwITMLA+vck5DTdIgV
Threatray: 192 similar samples on MalwareBazaar
TLSH: T19226333DA1D98589FE1702BD6D6448E17CA5F84CE608811AFEAEF6583670331BDF8D80
TrID: 59.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      18.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.3% (.EXE) OS/2 Executable (generic) (2029/13)
      7.2% (.EXE) Generic Win/DOS Executable (2002/3)
      7.2% (.EXE) DOS Executable Generic (2000/1)
Reporter: nyyuzyou
Tags: CoinMiner exe
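The digests above are what identify this sample, so the first thing to do with a local copy is confirm it is the same bytes. The following Python is an added example, not MalwareBazaar's own code: it reads the file once and checks it against every digest on the entry that Python's hashlib can compute (SHA256, SHA3-384, SHA1, MD5). It assumes the dictionary keys mirror hashlib's algorithm names; imphash, ssdeep and TLSH need third-party libraries and are not covered.

```python
"""Verify a local copy of the sample against the digests listed on this
MalwareBazaar entry.  Added example, not MalwareBazaar code."""
import hashlib
import io
import sys
from typing import BinaryIO, Dict, Iterable

# Digests copied from the entry, keyed by hashlib algorithm name.
EXPECTED_MINFX: Dict[str, str] = {
    "sha256": "529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8",
    "sha3_384": "53bd1d52ed3fac572219c9af9cd9aa05f0dcf11880ac75602cfed1d31fad0ef654c207b9f9b408e994aa269a85224e8e",
    "sha1": "ae470145c4f5780315b52aa1c57ae0c04a2d18ca",
    "md5": "8268ff95b3aaea6d6de8f02a73c323d2",
}


def multi_hash(stream: BinaryIO, algorithms: Iterable[str] = tuple(EXPECTED_MINFX),
               chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Read the stream once and return hex digests for every requested
    algorithm.  Chunked so a multi-megabyte sample is never held in memory
    whole; algorithm names hashlib does not know are silently skipped."""
    hashers = {}
    for name in algorithms:
        try:
            hashers[name] = hashlib.new(name)
        except ValueError:  # unsupported algorithm on this build
            continue
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (used by the self-test)."""
    return multi_hash(io.BytesIO(data), chunk_size=chunk_size)


def verify(stream: BinaryIO, expected: Dict[str, str]) -> Dict[str, bool]:
    """Compare computed digests with the expected ones.  An algorithm that is
    expected but could not be computed is reported as a mismatch rather than
    being skipped, so a silent gap cannot look like a pass."""
    actual = multi_hash(stream, algorithms=tuple(expected))
    return {name: actual.get(name) == digest.strip().lower()
            for name, digest in expected.items()}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_sample.py <path to unpacked sample>")
    with open(sys.argv[1], "rb") as f:
        for name, ok in verify(f, EXPECTED_MINFX).items():
            print(f"{name:9s} {'OK' if ok else 'MISMATCH'}")
```

Run it against the unpacked sample; every line should read OK before the file is treated as the entry described here. A mismatch on any one algorithm means you are looking at a different file, whatever the name says.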

Intelligence


File Origin
# of uploads: 2
# of downloads: 406
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: runner.exe
Verdict: Malicious activity
Analysis date: 2022-05-03 15:13:19 UTC
Tags: stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CallSleep
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: donut packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: BitCoin Miner, Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Snort IDS alert for network traffic
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 626286, Sample: minfx.exe, Startdate: 13/05/2022, Architecture: WINDOWS, Score: 100
Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 5 other signatures
Process tree (numbers in parentheses are the graph's node ids, not pids):
minfx.exe (9): Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
    conhost.exe (18): drops C:\Users\user\AppData\Roaming\...\updater.exe (PE32+) and C:\Users\user\...\updater.exe:Zone.Identifier (ASCII); Very long command line found
        cmd.exe (22)
            updater.exe (31): Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions; 2 other signatures
                conhost.exe (50): contacts 192.168.2.1 (unknown); drops C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+); Modifies the context of a thread in another process (thread injection); Sample uses process hollowing technique; Sample is not signed and drops a device driver; Injects a PE file into a foreign processes
            conhost.exe (34)
        cmd.exe (24): Encrypted powershell cmdline option found; Uses schtasks.exe or at.exe to add and modify task schedules; Uses powercfg.exe to modify the power settings
            powershell.exe (36)
            conhost.exe (38)
        cmd.exe (27): Modifies power options to not sleep / hibernate
            conhost.exe (40)
            4 other processes (46)
        2 other processes (29)
            conhost.exe (42)
            conhost.exe (44)
            19 other processes (48)
svchost.exe (12): Changes security center settings (notifications, updates, antivirus, firewall)
svchost.exe (14)
8 other processes (16)
Threat name: Win64.Trojan.Donut
Status: Malicious
First seen: 2022-04-30 09:55:35 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig discovery evasion exploit miner
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Possible privilege escalation attempt
Stops running service(s)
XMRig Miner Payload
xmrig
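The Joe Sandbox signature list and the Triage behaviours above (schtasks persistence, powercfg changes, an encoded PowerShell command line, sc.exe stopping services, an unsigned driver being dropped and loaded) all surface in ordinary process-creation telemetry, which is where a defender would catch the next sample of this family rather than in a sandbox. The following Python is an added example, not code from any of the vendors quoted on this page: it runs a small rule set over constructed Sysmon-style (Event ID 1) events, decodes the -EncodedCommand blob before matching it so obfuscation does not hide the Defender tampering, and correlates hits per parent process. The events, pids, service name and task name are invented, and the ATT&CK ids are my mapping, not the page's.

```python
"""Detection logic for the dropper behaviours listed in the sandbox reports.
Added example; events are constructed, not sandbox or vendor output."""
import base64
import re
from typing import Dict, List, Optional, Set

# Constructed process-creation events in the shape of Sysmon Event ID 1.
# pids, the task name and the service name are invented for illustration.
_PLAIN_PS = "Set-MpPreference -DisableRealtimeMonitoring $true"
_ENC_PS = base64.b64encode(_PLAIN_PS.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "101", "ppid": "18", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /f /sc onlogon /rl highest /tn updater /tr "C:\Users\user\AppData\Roaming\updater.exe"'},
    {"pid": "102", "ppid": "18", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell -w hidden -enc {_ENC_PS}"},
    {"pid": "103", "ppid": "18", "image": r"C:\Windows\System32\powercfg.exe",
     "cmdline": "powercfg /x -standby-timeout-ac 0"},
    {"pid": "104", "ppid": "18", "image": r"C:\Windows\System32\powercfg.exe",
     "cmdline": "powercfg -h off"},
    {"pid": "105", "ppid": "18", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc stop wuauserv"},
    {"pid": "106", "ppid": "18", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc create WR64 type= kernel binPath= "C:\Users\user\AppData\Roaming\WR64.sys"'},
    {"pid": "107", "ppid": "4", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /query /fo list"},  # benign control: must not fire
]

# (rule name, ATT&CK technique as mapped here, image basename regex, command-line regex)
RULES = [
    ("schtasks_persistence", "T1053.005", r"^(schtasks|at)\.exe$", r"\s/create\b"),
    ("powercfg_disable_sleep", None, r"^powercfg\.exe$",
     r"[-/](standby|hibernate|monitor)-timeout-(ac|dc)\s+0\b|\s-h\s+off\b"),
    ("encoded_powershell", "T1059.001", r"^(powershell|pwsh)\.exe$",
     r"(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}"),
    ("service_stop", "T1489", r"^(sc|net)\.exe$", r"\bstop\s+\S+"),
    ("kernel_driver_install", "T1543.003", r"^sc\.exe$", r"\bcreate\b.*\btype=\s*kernel\b"),
]
_ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
_DEFENDER_RE = re.compile(r"set-mppreference\b.*-disable\w+", re.I)


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Recover the plaintext of a -EncodedCommand argument (base64 of UTF-16LE).
    Returns None when there is no such argument or it does not decode cleanly,
    so a malformed blob degrades to 'encoded but unreadable' instead of raising."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        return raw.decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Run every rule over every event.  Encoded PowerShell is decoded and the
    plaintext scanned again, since the encoded form never matches a string rule."""
    hits: List[Dict[str, Optional[str]]] = []
    for ev in events:
        basename = ev["image"].rsplit("\\", 1)[-1]
        for name, technique, image_re, cmd_re in RULES:
            if re.match(image_re, basename, re.I) and re.search(cmd_re, ev["cmdline"], re.I):
                hits.append({"pid": ev["pid"], "ppid": ev["ppid"], "rule": name, "technique": technique})
        decoded = decode_encoded_powershell(ev["cmdline"])
        if decoded is not None and _DEFENDER_RE.search(decoded):
            hits.append({"pid": ev["pid"], "ppid": ev["ppid"], "rule": "defender_tamper_in_encoded_ps",
                         "technique": "T1562.001", "decoded": decoded})
    return hits


def correlate(hits: List[Dict[str, Optional[str]]], min_rules: int = 3) -> Dict[str, List[str]]:
    """Group hits by parent pid.  A parent whose children trip at least min_rules
    distinct rules is reported as a dropper-style chain; a lone schtasks or
    powercfg call from an admin script stays below the bar."""
    by_parent: Dict[str, Set[str]] = {}
    for h in hits:
        by_parent.setdefault(str(h["ppid"]), set()).add(str(h["rule"]))
    return {ppid: sorted(rules) for ppid, rules in by_parent.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for hit in found:
        print(hit["pid"], hit["rule"], hit["technique"])
    print("chains:", correlate(found))
```

The per-parent correlation is the part worth keeping: each individual rule has benign lookalikes, but one parent spawning a scheduled-task creation, a sleep-timeout change, an encoded PowerShell command and a kernel-driver service in quick succession is the shape of the process tree shown in the behaviour graph above.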
Unpacked files
SHA256 hash: 529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
MD5 hash: 8268ff95b3aaea6d6de8f02a73c323d2
SHA1 hash: ae470145c4f5780315b52aa1c57ae0c04a2d18ca
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments