MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b7b0e71f4c87a7613b0ce686eb6ad70c9fc4b2e4f1cb696a3e5541a8d69a093. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b7b0e71f4c87a7613b0ce686eb6ad70c9fc4b2e4f1cb696a3e5541a8d69a093
SHA3-384 hash: a10dbd8b8bc2096bc773450a17760b96d8411a551dfabcdc9a1796c4582351993112774a67c04278c6f036adb79a0f34
SHA1 hash: fb704aedadf48bf7c8a96049fae6eca6148a9037
MD5 hash: cb3a39808a7b387eddd8b69b785ea21a
humanhash: kansas-ack-cat-three
File name:ChromeSetup.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'180'840 bytes
First seen:2023-02-24 14:03:24 UTC
Last seen:2023-02-24 15:29:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c24ea937b2b0d62e829e8a8faeff5a8d (26 x CoinMiner, 1 x CoinMiner.XMRig)
ssdeep 24576:jtuVDX3whrVbrrmtIGfMXNGnXgJLnao1g7pZ95G4aJmyU4Jr4b8cNLilfpJaySuD:jQzAX/vGLUL9grGJZU4t4b87S8KFpc5
Threatray 57 similar samples on MalwareBazaar
TLSH T14EA52318AA55AD7CC951D77AC3B33EB40EA020AEF0FA963A532CDB367718D10156F8C5
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 696a6ee2b2b2c2cc (18 x RedLineStealer, 17 x LummaStealer, 16 x CoinMiner)
Reporter Chainskilabs
Tags:CoinMiner exe signed

Intelligence

File Origin
# of uploads :
2
# of downloads :
271
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ChromeSetup.exe
Verdict:
Malicious activity
Analysis date:
2023-02-24 14:12:19 UTC
Tags:
miner
Link:
https://app.any.run/tasks/35585a5d-8282-4038-ace5-3642cc1e6990

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/369489/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.4529.13431.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Creating a file in the system32 subdirectories
Changing the hosts file
Enabling autorun by creating a file
Verdict:
Unknown
Threat level:
n/a  -.1/10
Confidence:
80%
Tags:
anti-debug overlay packed
Link:
https://www.filescan.io/uploads/63f8c3d4663463c1cb678670/reports/4aa0be2b-2863-43f1-a311-cabcd7d00f2c/overview
Verdict:
Malicious
Labled as:
Win64/Kryptik.DQA trojan
Link:
https://www.hybrid-analysis.com/sample/5b7b0e71f4c87a7613b0ce686eb6ad70c9fc4b2e4f1cb696a3e5541a8d69a093
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ed826889-eb8a-4ffb-9d5d-20f3694a4599
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1181917
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Creates files in the system32 config directory
Detected Stratum mining protocol
Found hidden mapped module (file has been removed from disk)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 814747 Sample: ChromeSetup.exe Startdate: 24/02/2023 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic 2->50 52 Antivirus detection for dropped file 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 6 other signatures 2->56 6 updater.exe 3 2->6         started        10 ChromeSetup.exe 1 2->10         started        12 cmd.exe 1 2->12         started        14 11 other processes 2->14 process3 file4 36 C:\Windows\Temp\zycqtizp.tmp, PE32+ 6->36 dropped 38 C:\Program Filesbehaviorgraphoogle\Libs\WR64.sys, PE32+ 6->38 dropped 58 Writes to foreign memory regions 6->58 60 Modifies the context of a thread in another process (thread injection) 6->60 62 Adds a directory exclusion to Windows Defender 6->62 76 2 other signatures 6->76 16 conhost.exe 1 6->16         started        19 conhost.exe 6->19         started        40 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 10->40 dropped 42 C:\Windows\System32\drivers\etc\hosts, ASCII 10->42 dropped 64 Self deletion via cmd or bat file 10->64 66 Modifies the hosts file 10->66 68 Uses powercfg.exe to modify the power settings 12->68 70 Modifies power options to not sleep / hibernate 12->70 22 conhost.exe 12->22         started        24 powercfg.exe 1 12->24         started        32 3 other processes 12->32 72 Creates files in the system32 config directory 14->72 74 Uses schtasks.exe or at.exe to add and modify task schedules 14->74 26 WMIC.exe 1 14->26         started        28 conhost.exe 14->28         started        30 conhost.exe 14->30         started        34 15 other processes 14->34 signatures5 process6 dnsIp7 46 Adds a directory exclusion to Windows Defender 16->46 44 xmr.2miners.com 162.19.139.184, 2222, 49707 CENTURYLINK-US-LEGACY-QWESTUS United States 19->44 signatures8 48 Detected Stratum mining protocol 44->48
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b7b0e71f4c87a7613b0ce686eb6ad70c9fc4b2e4f1cb696a3e5541a8d69a093/
Threat name:
Win64.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2023-02-24 14:04:09 UTC
File Type:
PE+ (Exe)
Extracted files:
13
AV detection:
16 of 25 (64.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ln5q44puzb5hme5qzzug5nvnode7yszoj4olnfvd4vkbvdljucjq._file
Verdict:
unknown
Similar samples:
1ea28978334fa03b2714b5c22abd580cdd8b5b0a6fcdf895fe1367ac96da0e8b
CoinMiner
4087249b32bc81f6df39a587acd55b0f0cf59a53d14f734a05886ff3e1bdaaa2
CoinMiner
4589f71870479cdddc1439394eb7c27da1c95d1f7a89016168f32f6791f541ab
CoinMiner
505a09c5be91d9e44a7b459ac5e8961fe01a234c1633a789ba290e94e81fa5f5
CoinMiner
7812b5f5fd710358255d8847f61729386cb982c55beb12a77e240d3377aaeafb
CoinMiner
89a342bb20ad895c86665599e40ecd591b2993f5a1b343768dbb7af038aebd31
CoinMiner
cb8cd78c09c1a9dd7b2cf6a4288c984b4b5619ab8301d1a963e089024bb314d0
CoinMiner
dd84819f9d2e108ac8dbbfedf10d61f787b6082f02ddb63ca05c98d78e877597
CoinMiner
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
CoinMiner
ffa4485b730b662d6c9e65a4e6b8687c3037838f582839821eefae481c327baf
CoinMiner
+ 47 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner upx
Link:
https://tria.ge/reports/230224-rc9llade5z/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Deletes itself
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Drivers directory
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SH256 hash:
5b7b0e71f4c87a7613b0ce686eb6ad70c9fc4b2e4f1cb696a3e5541a8d69a093
MD5 hash:
cb3a39808a7b387eddd8b69b785ea21a
SHA1 hash:
fb704aedadf48bf7c8a96049fae6eca6148a9037
Link:
https://www.unpac.me/results/c2224068-df5b-4ad9-bb16-077639213c47/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5b7b0e71f4c8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/5b7b0e71f4c87a7613b0ce686eb6ad70c9fc4b2e4f1cb696a3e5541a8d69a093

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 5b7b0e71f4c87a7613b0ce686eb6ad70c9fc4b2e4f1cb696a3e5541a8d69a093

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/369489/

Comments