MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f32944278c12140893093dff10bfae73cf3fe2a8a488b201b62f117871dac79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 12



SHA256 hash: 5f32944278c12140893093dff10bfae73cf3fe2a8a488b201b62f117871dac79
SHA3-384 hash: d68be4a32e33c518584bf63a12985ebb76886d5d09e5dd4dd8b9bbf08961cd20a1aad27e17203c84b6b04c813ea6a623
SHA1 hash: 62503558785dbeb2951063a8d54105aabd51fdc9
MD5 hash: debaf23a47befe830954d32487bc1335
humanhash: india-batman-king-spaghetti
File name: debaf23a47befe830954d32487bc1335
Download: download sample
Signature: CoinMiner
File size: 5'478'912 bytes
First seen: 2024-03-01 15:44:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 203d63d5d9a088e2d84cef737227986b (55 x CoinMiner)
ssdeep: 98304:/uaVSYakUA9slDl0X2VGmQiKownttYQOCre4B2ARAJa2p1y0P298tLoekzHZro:/uPFkUAmLQbownt2QO0GJbpg0tt/kbl
Threatray: 151 similar samples on MalwareBazaar
TLSH: T15846225E156D073DD9D1643E8C512DC272D1B4849ABB70B21FB1E0A620ED6F28DF2AF2
TrID:
  49.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  31.8% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.1% (.EXE) OS/2 Executable (generic) (2029/13)
  6.0% (.EXE) Generic Win/DOS Executable (2002/3)
  6.0% (.EXE) DOS Executable Generic (2000/1)
Reporter: zbetcheckin
Tags: 64 CoinMiner exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 406
Origin country: FR

Vendor Threat Intelligence
Malware family:
ID: 1
File name: 5f32944278c12140893093dff10bfae73cf3fe2a8a488b201b62f117871dac79.exe
Verdict: Malicious activity
Analysis date: 2024-03-01 15:46:34 UTC
Tags: miner xmrig

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [graph rendering not reproduced here] Behavior Graph ID: 1401515, Sample: KmnUuAaoo8.exe, Startdate: 01/03/2024, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-02-20 00:24:40 UTC
File Type: PE+ (Exe)
AV detection: 23 of 24 (95.83%)
Threat level: 2/5

Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Executes dropped EXE
Creates new service(s)
Stops running service(s)
Modifies security service
Unpacked files
SHA256 hash: 5f32944278c12140893093dff10bfae73cf3fe2a8a488b201b62f117871dac79
MD5 hash: debaf23a47befe830954d32487bc1335
SHA1 hash: 62503558785dbeb2951063a8d54105aabd51fdc9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: MALWARE_Win_R77
Author: ditekSHen
Description: Detects r77 rootkit

Rule name: NET
Author: malware-lu

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Windows_Rootkit_R77_d0367e28
Author: Elastic Security
Reference: https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: CoinMiner
File: Executable exe 5f32944278c12140893093dff10bfae73cf3fe2a8a488b201b62f117871dac79 (this sample)
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high

Comments



zbet commented on 2024-03-01 15:44:17 UTC

url : hxxp://109.107.161.51/helper.exe