MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d9fe2735d4399d98e6e6a792b1feb26d6f2d9a5d77944ecacb4b4837e5e5fca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 6

SHA256 hash: 5d9fe2735d4399d98e6e6a792b1feb26d6f2d9a5d77944ecacb4b4837e5e5fca
SHA3-384 hash: 298227135b15446dc93b0e1fed31a8fe01b8e52d271def15d535b47f99f307402747fe8d2fa118bf363025c5f70729dc
SHA1 hash: 9f9d47ec6dd80bfcb4c3e0a1530b89d2d587c230
MD5 hash: a9d4007c9419a6e8d55805b8f8f52de0
humanhash: august-artist-hot-nevada
File name: Photo.scr
Signature: CoinMiner
File size: 6'271'268 bytes
First seen: 2020-10-11 02:13:51 UTC
Last seen: 2025-01-02 10:38:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 91ae93ed3ff0d6f8a4f22d2edd30a58e (48 x CoinMiner)
ssdeep: 98304:RLVSThOfTCiFBXmfFs+JMHpCVoR8oMEOJ6Ty3RvX+jb5jC3ajz4F4VRc:HBfTCiUswVSLOJgyBGv5jGQW4VR
Threatray: 6 similar samples on MalwareBazaar
TLSH: 3F563355F0405826F039107A34F988A2B07DFC724B7559CBB3A83E761E353E8267DA9E
Reporter: TrappmanRhett
Tags: CoinMiner

Intelligence

File Origin
# of uploads: 3
# of downloads: 305
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Sending a UDP request
Creating a service
Deleting a recently created file
Launching a service
Creating a file in the Windows subdirectories
Using the Windows Management Instrumentation requests
Searching for the window
Launching a process
DNS request
Connecting to a non-recommended domain
Sending a custom TCP request
Sending an HTTP GET request
Connection attempt
Enabling autorun for a service
Launching a tool to kill processes
Forced shutdown of a system process
Launching the process to change the firewall settings
Result
Threat name:
Detection: malicious
Classification: evad.mine
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Creates files with lurking names (e.g. Crack.exe)
Drops PE files to the user root directory
Machine Learning detection for sample
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses netsh to modify the Windows network and firewall settings
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: ID 296236, sample Photo.scr, start date 11/10/2020, architecture WINDOWS, score 100 (graph rendering not reproduced; it shows Photo.exe dropping xmrig.exe and config.json, HelpPane.exe and cmd.exe child processes, and contacts to xmr.crypto-pool.fr and router.utorrent.com among other hosts).
Threat name: Win32.Trojan.Ymacco
Status: Malicious
First seen: 2019-06-25 17:15:48 UTC
AV detection: 25 of 28 (89.29%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: upx persistence evasion
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
Unpacked files
SHA256 hash: 5d9fe2735d4399d98e6e6a792b1feb26d6f2d9a5d77944ecacb4b4837e5e5fca
MD5 hash: a9d4007c9419a6e8d55805b8f8f52de0
SHA1 hash: 9f9d47ec6dd80bfcb4c3e0a1530b89d2d587c230
SHA256 hash: e82510adc44c4ea1fb0f22b1c3550d0a0152061e7489e5fbcf51952a55c8a4ce
MD5 hash: a42c81a1edeeeed6a24de8b8cbeaf8f4
SHA1 hash: 7e904cfe7765a947e93a72d05354abdefbcba84c
SHA256 hash: 05508fcece26d5de9205fab70af8e81297b145e5d8a812f03df1136de49dcd8a
MD5 hash: 808c7ba93a495d70a840680e852a2db3
SHA1 hash: ea6a20629abd748613e2cc8f9897b568ae696639
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog
Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name: PE_File_pyinstaller
Author: Didier Stevens (https://DidierStevens.com)
Description: Detect PE file produced by pyinstaller
Reference: https://isc.sans.edu/diary/21057
Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name: XMRIG_Miner

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via drive-by