MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d9d30f4a9e254cd3754c47ca59ac4d4e0f50f4d6fd6564e777819d1701be81e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner.XMRig


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d9d30f4a9e254cd3754c47ca59ac4d4e0f50f4d6fd6564e777819d1701be81e
SHA3-384 hash: 5fdad0e48179d81c007a617e7c050d3c457b7f48c39603fee829e6d330f0f05ade3686e048fe04429ce9573eaafea81c
SHA1 hash: d835072556f29dcbcc1990c9ede1afc457e038b1
MD5 hash: 7b42097470deb17da75f7c4c5bc2757a
humanhash: summer-white-winner-harry
File name:7b42097470deb17da75f7c4c5bc2757a
Download: download sample
Signature CoinMiner.XMRig
Create hunting rule
File size:3'901'440 bytes
First seen:2022-11-01 06:49:52 UTC
Last seen:2022-11-01 09:12:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c24ea937b2b0d62e829e8a8faeff5a8d (26 x CoinMiner, 1 x CoinMiner.XMRig)
ssdeep 98304:7wPrWMQpEGkvLZe2WWpefPb9B5HvPsLgIZUSSqCpp:YWPEGQZe2wJPP+gIZVC
TLSH T1110623593E074058C87ECABCBDE761BC59C3F330EAABB7660EF19794490566343092E6
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:CoinMiner.XMRig exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
298
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7b42097470deb17da75f7c4c5bc2757a
Verdict:
No threats detected
Analysis date:
2022-11-01 06:51:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ec47081b-804b-408b-8cef-e27d186c73e8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/326723/
Detection(s):
SecuriteInfo.com.Generic.Reputation.PUA.69.25139.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing the hosts file
Enabling autorun by creating a file
Unauthorized injection to a system process
Using obfuscated Powershell scripts
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/47203/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/6360c19c791bb7e48afdf680/reports/63c51cf5-adab-46a6-9a0a-71c56a4bd525/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d2419696-931e-46be-85a7-98e971aed3ce
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1102299
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Creates files in the system32 config directory
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 735014 Sample: 5H6HLcP7Q9.exe Startdate: 01/11/2022 Architecture: WINDOWS Score: 100 47 wowouch.net 2->47 49 clientbased.xyz 2->49 51 pastebin.com 2->51 59 Snort IDS alert for network traffic 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Antivirus detection for URL or domain 2->63 65 12 other signatures 2->65 7 SmartSecurity.exe 2->7         started        11 5H6HLcP7Q9.exe 4 2->11         started        13 cmd.exe 1 2->13         started        15 12 other processes 2->15 signatures3 process4 dnsIp5 37 C:\Windows\Temp\objtrcua.tmp, PE32+ 7->37 dropped 39 C:\Program Filesbehaviorgraphoogle\Libs\WR64.sys, PE32+ 7->39 dropped 67 Very long command line found 7->67 69 Writes to foreign memory regions 7->69 71 Modifies the context of a thread in another process (thread injection) 7->71 85 2 other signatures 7->85 18 dialer.exe 7->18         started        21 dialer.exe 7->21         started        41 C:\Users\user\AppData\Local\...\objtrcua.tmp, PE32+ 11->41 dropped 43 C:\Program Files\...\SmartSecurity.exe, PE32+ 11->43 dropped 45 C:\Windows\System32\drivers\etc\hosts, ASCII 11->45 dropped 73 Modifies the hosts file 11->73 75 Found hidden mapped module (file has been removed from disk) 11->75 77 Adds a directory exclusion to Windows Defender 11->77 23 dialer.exe 2 11->23         started        79 Uses cmd line tools excessively to alter registry or file data 13->79 25 reg.exe 1 13->25         started        27 reg.exe 1 13->27         started        29 reg.exe 1 13->29         started        33 8 other processes 13->33 53 192.168.2.1 unknown unknown 15->53 81 Creates files in the system32 config directory 15->81 83 Uses schtasks.exe or at.exe to add and modify task schedules 15->83 31 conhost.exe 15->31         started        35 23 other processes 15->35 file6 signatures7 process8 signatures9 55 Adds a directory exclusion to Windows Defender 18->55 57 Uses cmd line tools excessively to alter registry or file data 25->57
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d9d30f4a9e254cd3754c47ca59ac4d4e0f50f4d6fd6564e777819d1701be81e/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-11-01 06:50:21 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lwotb5fj4jkm2n2uyr6klgwe2tqpkd2nn7lfmttxpam5c4a35apa._file
Verdict:
malicious
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner upx
Link:
https://tria.ge/reports/221101-hlzcjshad9/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Stops running service(s)
UPX packed file
XMRig Miner payload
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SH256 hash:
5d9d30f4a9e254cd3754c47ca59ac4d4e0f50f4d6fd6564e777819d1701be81e
MD5 hash:
7b42097470deb17da75f7c4c5bc2757a
SHA1 hash:
d835072556f29dcbcc1990c9ede1afc457e038b1
Link:
https://www.unpac.me/results/ed299759-d6b5-427a-85ec-5cdf6850f078/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5d9d30f4a9e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/5d9d30f4a9e254cd3754c47ca59ac4d4e0f50f4d6fd6564e777819d1701be81e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner.XMRig

Executable exe 5d9d30f4a9e254cd3754c47ca59ac4d4e0f50f4d6fd6564e777819d1701be81e

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/326723/
  
URLhaus
https://urlhaus.abuse.ch/url/2389967/
  
URLhaus
https://urlhaus.abuse.ch/url/2385810/
  
URLhaus
https://urlhaus.abuse.ch/url/2393364/

Comments


Avatar
zbet commented on 2022-11-01 06:49:58 UTC

url : hxxp://37.139.129.113/wow/1/2/3/4/5/6/7/SmartDefRun.exe