MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b19174abb6d439f63cdb191790bad33bc36aab63ed465bd1fa84cae424c8b93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 12

Intelligence 12 IOCs YARA 8 File information Comments

SHA256 hash:	5b19174abb6d439f63cdb191790bad33bc36aab63ed465bd1fa84cae424c8b93
SHA3-384 hash:	2108012176bd7b5a8980873ecc941d52e878b6df327a2deaf3247b4c80da2ffaed6599181935f7c6becf210bbdbcd522
SHA1 hash:	6dc769fb49e436a92261cb39d6e61903229359be
MD5 hash:	1ba35feff3ac64ae8d51d0fd1bf20dc2
humanhash:	beryllium-illinois-one-fifteen
File name:	cm4864.exe
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	1'007'371 bytes
First seen:	2024-01-16 06:20:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	71f37f91c14c4729e462a32b6b2ae9d4 (27 x CoinMiner, 12 x CobaltStrike)
ssdeep	24576:GezaTnG99Q8FcNrpyNdfE0bLBgDOp2iSLz9LbBwlKenszNs0sKYJU0N/dQ:GezaTF8FcNkNdfE0pZ9oztFwIRTsH8
TLSH	T17C25AE6DB2B550E4D5EBC078D50A8A07F7F178A90360D68B53D117AE2F132C2E929F36
TrID	61.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 15.5% (.EXE) Win64 Executable (generic) (10523/12/4) 7.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.6% (.EXE) Win32 Executable (generic) (4505/5/1) 2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	adm1n_usa32
Tags:	64 CoinMiner exe

Intelligence

File Origin

# of uploads :

# of downloads :

349

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/471058/

Detection(s):

Win.Malware.Mansabo-7102049-0

Win.Coinminer.Generic-7151250-0

Win.Coinminer.Generic-7151253-0

Win.Coinminer.Generic-7151447-0

Win.Coinminer.Generic-7155777-0

Win.Coinminer.Generic-7158858-0

Win.Trojan.Coinminer-9866492-0

Win.Trojan.Coinminer-9866537-0

Win.Trojan.Coinminer-9866538-0

Win.Trojan.Coinminer-9866539-0

Win.Trojan.Generic-9867234-0

Win.Trojan.Generic-9867393-0

Win.Trojan.Tedy-9956629-0

Multios.Coinminer.Miner-6781728-2

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

coinminer packed

Link:

https://www.filescan.io/uploads/65a6205099da41ccd7d4f95e/reports/eb692abc-e000-48a6-8a12-2a75e94d9bcb/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/5b19174abb6d439f63cdb191790bad33bc36aab63ed465bd1fa84cae424c8b93

Malware family:

XMRig Miner

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8d6dbde6-aafb-4bf2-85fc-47beec341613

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5b19174abb6d439f63cdb191790bad33bc36aab63ed465bd1fa84cae424c8b93

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5b19174abb6d439f63cdb191790bad33bc36aab63ed465bd1fa84cae424c8b93/

Threat name:

Win64.Trojan.MinerXMRig

Status:

Malicious

First seen:

2024-01-13 00:12:09 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

35 of 38 (92.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lmmrosv3nvbz6y6nwgixsc5ngo6dnkvwh3kglpi7vbgk4qsmrojq._file

Verdict:

malicious

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner

Link:

https://tria.ge/reports/240116-g4bhrsedcm/

Behaviour

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

XMRig Miner payload

xmrig

Unpacked files

SH256 hash:

5b19174abb6d439f63cdb191790bad33bc36aab63ed465bd1fa84cae424c8b93

MD5 hash:

1ba35feff3ac64ae8d51d0fd1bf20dc2

SHA1 hash:

6dc769fb49e436a92261cb39d6e61903229359be

Detections:

CoinMiner_Strings

Link:

https://www.unpac.me/results/e1781431-6974-43d0-965f-8a6b508e10c8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5b19174abb6d439f63cdb191790bad33bc36aab63ed465bd1fa84cae424c8b93

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CoinMiner_Strings Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects mining pool protocol string in Executable
Reference:	https://minergate.com/faq/what-pool-address

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	MacOS_Cryptominer_Generic_333129b7 Create hunting rule
Author:	Elastic Security

Rule name:	Warp Create hunting rule
Author:	Seth Hardy
Description:	Warp

Rule name:	WarpStrings Create hunting rule
Author:	Seth Hardy
Description:	Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/471058/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample