MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6046aace6f59b5eba51322cb82de3b9b6be567f958b65d6586e6924a2366a32c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 7

SHA256 hash: 6046aace6f59b5eba51322cb82de3b9b6be567f958b65d6586e6924a2366a32c
SHA3-384 hash: a3f08c621a5e9ec821b3bc56b3b703a69b0354791555e66a2a8ce3b94fc57af5aa7078bb71b0e81d240a7b407d2a1e25
SHA1 hash: 9119c8577ebad2999b72e53ff264dc93768191e3
MD5 hash: 581ec4867d744766424e4f8fa825b8cc
humanhash: colorado-oklahoma-single-king
File name: 581ec4867d744766424e4f8fa825b8cc.exe
Signature: CoinMiner
File size: 194'560 bytes
First seen: 2022-03-06 16:44:21 UTC
Last seen: 2022-03-06 18:35:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 3072:4G2nmDNs/kQ7DU8EWBz56wwie9YXdX7qBw11r7bWHfvGRHJjb/IPdl+zNT:4G2nwqHAWBz82dX7qBw11r7bWHfvGRH7
Threatray: 319 similar samples on MalwareBazaar
TLSH: T13214569D766072EFC857D472DEA82D68EA5174BB831B4203902715EDEE4D897CF180F2
Reporter: abuse_ch
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 358
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Launching a process
Creating a file
Searching for the window
Searching for the Windows task manager window
Sending an HTTP GET request
Creating a file in the %temp% directory
Using Windows Management Instrumentation (WMI) requests
Creating a window
Sending an HTTP POST request
Searching for synchronization primitives
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Command shell drops VBS files
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Xmrig
Uses known network protocols on non-standard ports
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID: 583928; sample: j7IyndsN3j.exe; start date: 06/03/2022; architecture: WINDOWS; score: 100)

Top-level signatures: Sigma detected: Xmrig; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 16 other signatures

Process tree, with dropped files, network contacts and signatures as attached to each node in the graph:

j7IyndsN3j.exe
    dropped: C:\Users\user\...\Windows Security.exe (PE32); C:\...\Windows Security.exe:Zone.Identifier (ASCII)
    signatures: Detected unpacking (changes PE section rights); Obfuscated command line found; Self deletion via cmd delete; Hides that the sample has been downloaded from the Internet (zone.identifier)
    Windows Security.exe
        network: 111.90.143.200, 27941, 49754 (SHINJIRU-MY-AS-AP Shinjiru Technology Sdn Bhd MY, Malaysia)
        dropped: C:\Users\user\AppData\Roaming\...\c.exe (PE32+)
        signatures: Obfuscated command line found; Hides that the sample has been downloaded from the Internet (zone.identifier)
        c.exe
            network: 142.132.131.248 (UNIVERSITYOFWINNIPEG-ASN CA, Canada); pool.hashvault.pro
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs); Machine Learning detection for dropped file
            conhost.exe
        cmd.exe
            dropped: C:\Users\user\AppData\Local\...\tmp19F8.vbs (ASCII)
            signatures: Command shell drops VBS files
            cscript.exe
            conhost.exe
        2 other processes
            signatures: Obfuscated command line found
            conhost.exe; powershell.exe; conhost.exe; powershell.exe
    cmd.exe
        4 other processes
Windows Security.exe (second instance, started at top level)
    network: 192.168.2.1 (unknown)
    cmd.exe
        dropped: C:\Users\user\AppData\Local\...\tmp7130.vbs (ASCII)
        signatures: Command shell drops VBS files
        2 other processes
    c.exe
        network: pool.hashvault.pro
        signatures: Query firmware table information (likely to detect VMs)
        conhost.exe
    cmd.exe
        2 other processes
    cmd.exe
        2 other processes
svchost.exe
    signatures: Changes security center settings (notifications, updates, antivirus, firewall)
    MpCmdRun.exe
        conhost.exe
9 other processes (started at top level)
Threat name: ByteCode-MSIL.Trojan.CoinminerX
Status: Malicious
First seen: 2022-03-05 22:12:58 UTC
File Type: PE (.Net Exe)
AV detection: 22 of 27 (81.48%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig miner
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SHA256 hash: 2c74a6161d3bd7fb41306f8121c435bc02b03504d38fad192acb3cd2f2febfa1
MD5 hash: f1a11eb85d8dd2e0402c4f5e98c0c4c9
SHA1 hash: 95b013222ddd9b16991e600d5b0657376952c3f7
SHA256 hash: 6046aace6f59b5eba51322cb82de3b9b6be567f958b65d6586e6924a2366a32c
MD5 hash: 581ec4867d744766424e4f8fa825b8cc
SHA1 hash: 9119c8577ebad2999b72e53ff264dc93768191e3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments