MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5932c6920172556e09734ceb5ca6395fb6664b1492f0cf77a3b009bf0d57dbbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 8



SHA256 hash: 5932c6920172556e09734ceb5ca6395fb6664b1492f0cf77a3b009bf0d57dbbe
SHA3-384 hash: a27b205338d71e587292b3862e087d09e1f8cd3115220bc1a0dd4206cb6fce791d9951d355ba384405fbeadacb5539b5
SHA1 hash: 2f0966c192dccbfdc1b056927cc3fb6009c39900
MD5 hash: d53dba7e4b2bd484b08e7a51eda6f906
humanhash: lemon-failed-golf-nevada
File name: d53dba7e4b2bd484b08e7a51eda6f906
Download: download sample
Signature: CoinMiner
File size: 9'837'568 bytes
First seen: 2022-01-23 20:05:31 UTC
Last seen: 2022-01-23 21:45:12 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ad03ae817c87fd74bd29f1c17e69dc64 (4 x CoinMiner)
ssdeep: 196608:xXHA9xf+H6LGdAK1FjvBVCuU5p0SmlHCs17kW7+alF:dHAnf+HgmAKvviQtHCsqwb
TLSH: T1A5A623ED2294776CC41AC874D533FD15B6B6660E0FA2A2BA35D7B6D037DE824C942F02
Reporter: zbetcheckin
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 264
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: d53dba7e4b2bd484b08e7a51eda6f906
Verdict: No threats detected
Analysis date: 2022-01-23 20:19:52 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Running batch commands
Sending a custom TCP request
Using the Windows Management Instrumentation requests
DNS request
Creating a file
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file in the system32 subdirectories
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a system process
Enabling autorun by creating a file
Using obfuscated Powershell scripts
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: SilentXMRMiner Xmrig
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Detected VMProtect packer
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found stalling execution ending in API Sleep call
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Performs many domain queries via nslookup
Potential dropper URLs found in powershell memory
Sample is not signed and drops a device driver
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 558410
Sample: C8y1dfEplB
Start date: 23/01/2022
Architecture: WINDOWS
Score: 100
Contacted domain: pool.hashvault.pro
Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 11 other signatures

Process tree (children are indented under their parent; "injected" marks an injection target rather than a started child):

C8y1dfEplB.exe
  signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Uses nslookup.exe to query domains; Writes to foreign memory regions; 6 other signatures
  nslookup.exe
    dropped: C:\Users\user\AppData\...\services.exe (PE32+); C:\Users\...\services.exe:Zone.Identifier (ASCII)
    signatures: Uses nslookup.exe to query domains; Modifies the context of a thread in another process (thread injection); Performs many domain queries via nslookup; 2 other signatures
    cmd.exe
      services.exe
        signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Uses nslookup.exe to query domains; Writes to foreign memory regions; 4 other signatures
        nslookup.exe
          dropped: C:\Users\user\AppData\...\sihost64.exe (PE32+); C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+)
          signatures: Uses nslookup.exe to query domains; Sample is not signed and drops a device driver; Performs many domain queries via nslookup; Injects a PE file into a foreign processes
          sihost64.exe
            signatures: Antivirus detection for dropped file; Uses nslookup.exe to query domains; Writes to foreign memory regions; 3 other signatures
            nslookup.exe
              cmd.exe
                signatures: Encrypted powershell cmdline option found
                powershell.exe
                  signatures: Found suspicious powershell code related to unpacking or dynamic code loading
                conhost.exe
              conhost.exe
          cmd.exe
            signatures: Encrypted powershell cmdline option found
            powershell.exe
              signatures: Found suspicious powershell code related to unpacking or dynamic code loading
            powershell.exe
            conhost.exe
          conhost.exe
          nslookup.exe
      conhost.exe
    cmd.exe
      signatures: Uses schtasks.exe or at.exe to add and modify task schedules
      powershell.exe
      powershell.exe
      conhost.exe
    cmd.exe
      2 other processes
    2 other processes
services.exe
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  nslookup.exe
    cmd.exe
      signatures: Encrypted powershell cmdline option found
      powershell.exe
        signatures: Found suspicious powershell code related to unpacking or dynamic code loading
      powershell.exe
      conhost.exe
    conhost.exe
powershell.exe
  signatures: Creates files in the system32 config directory; Modifies the context of a thread in another process (thread injection); Found suspicious powershell code related to unpacking or dynamic code loading; Injects a PE file into a foreign processes
  dllhost.exe
    signatures: Found stalling execution ending in API Sleep call; Writes to foreign memory regions; Creates a thread in another existing process (thread injection)
    winlogon.exe (injected)
    5 other processes
  conhost.exe
11 other processes
  network: 127.0.0.1 (unknown), 192.168.2.1 (unknown)
  signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  MpCmdRun.exe
    conhost.exe
  conhost.exe
Threat name: Win64.Trojan.Tnega
Status: Malicious
First seen: 2022-01-22 06:12:33 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 21 of 43 (48.84%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig evasion miner persistence vmprotect
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Sets service image path in registry
VMProtect packed file
XMRig Miner Payload
Modifies security service
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SHA256 hash: 5932c6920172556e09734ceb5ca6395fb6664b1492f0cf77a3b009bf0d57dbbe
MD5 hash: d53dba7e4b2bd484b08e7a51eda6f906
SHA1 hash: 2f0966c192dccbfdc1b056927cc3fb6009c39900
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File: Executable exe 5932c6920172556e09734ceb5ca6395fb6664b1492f0cf77a3b009bf0d57dbbe (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2022-01-23 20:05:34 UTC

url: hxxp://sepoyi70.beget.tech/2.vmp.exe